Hacking Google ChromeOS

[Jack]

Matt Johansen and Kyle Osborn presented their paper at Black Hat this morning titled "Hacking Google ChromeOS".

Google's netbook operating system has been touted as the first platform that has been designed to be malware free from the start. Users are not able to download/install/execute code on a ChromeBook, they are only allowed to download Chrome extensions.

Johansen and Osborn didn't bother to try and prove Google wrong, they simply looked into the implications of having everything "running" as an extension in the browser.

Their research impacts all users of Google Chrome, whether they happen to be using it as an OS or simply as their browser of choice.

They discovered two things... One is that if you are running JavaScript code on the device, your code could be vulnerable to a XSS (cross site scripting) attack.

When a website has a XSS vulnerability, it allows people to attack that specific site, but it does not effect others. What happens when you have a XSS vulnerability in an application in your browser?

Well, considering the API that Chrome provides for extension development, it allows an attacker to exploit any web site operating within that browser (including all other tabs).


Read more

 

[Hungry Man]

I wonder if we'll start seeing more malicious extensions instead of malware... suddenly malware would start attacking at the browser level and it would have access to all site data and it would be incredibly easy to dodge AV's with Chrome's audoupdate and it would be as simple as clicking "yes" to install.

Still, Chromebooks are very very secure. No operating system is without faults.

 

[Jack]

It's hard to hack a Chromebook......
There are no paid extension for Chromebooks so this OS has a big advantage over Windows ........it doesn't have Warez since everything is free, the users can install any extension without being forced to search for a free and possible malicious similar extension...and Google is giving a "Verified author" tag to all good extensions. There will be a few popular extension that everyone will search and use so the new ones will have a hard time getting noticed...
Also Google has added to each app/ext... a Report abuse/Report an issue button that anyone can use...so I don't think a malicious extension could have a high life time on their Web sore..
Google could easily add other features to secure their Web Store..like a reputation system or a pre-approval stage for the apps/ext.
Cromebook has a small market share so I highly doubt anyone will try to exploit any vulnerabilities or create malicious extension.

 

[Hungry Man]

I agree with pretty much everything you said haha I really don't think we'll be seeing much of this in the future. It's an interesting concept but it seems very very easily mitigated.

 

[jamescv7]

Google ChromeOS as built with some security capabilities so if anyone can hack it can be fail.

 

[Hungry Man]

It's not that they're hacking the OS or exploiting some code vulnerability, it's that they're installing a malicious extension.

 

[Jack]

I don't think anyone will manage so easily to find and exploit a vulnerability in this OS...Google has a great team of developers and a good bugs 'bounty' program....eg : Pwn2Own (a computer hacking contest ) ... Safari was hacked in 5 seconds.... .while Chrome stayed untouched......
The weak point is indeed their extension system.....as proven in the past , it can be tricked....

 

[Hungry Man]

Hacking ChromeOS would be very difficult. Chrome itself has only ever been successfully exploited (at least beyond the sandbox) once and the OS is so stripped down and simplified I'm sure it's quite secure as well.

 

[Shadow Death]

The way I see it, if it can be done, it will be done. If hackers find it a challenge they will hack it. If Google continues to say it's unhackable they will find a way to prove them wrong. That's how the world turns. I think when the Chrome Books start rolling out into the public on a mass production system we will find more and more exploits.

 

[Hungry Man]

It's not really a hack... it's an infection... an infection that will affect all browsers.

If this is anything like android and Google doesn't respond to it we'll see a huge trend though.

 

[Shadow Death]

Yes, I understand it's not a hack. I was just saying it will always be possible.