Hack Chromebook In Guest Mode, Win $100,000

← Back to Stories (view on slashdot.org)

Hack Chromebook In Guest Mode, Win $100,000

Posted by timothy on Tuesday March 15, 2016 @02:06AM from the money-where-mouth-is dept.

An anonymous reader writes: Google has once again upped the ante for bug hunters concentrating on Chrome, and is now offering $100,000 to anyone capable of achieving a compromise of a Chromebook or Chromebox (the desktop variant of the Chromebook laptop) with device persistence in guest mode (i.e. guest to guest persistence with interim reboot, delivered via a web page). From Google's Monday announcement: Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven't had a successful submission. That said, great research deserves great awards, so we're putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.

45 comments

Min score:

Reason:

Sort:

Manages high security by Chrisq · 2016-03-15 02:08 · Score: 2

Manages high security by being very limited. Don't get me wrong, if all you want is a portable machine with a browser then it's great.
1. Re:Manages high security by Anonymous Coward · 2016-03-15 02:16 · Score: 0
  
  My thoughts exactly. A Hack-a-brick fest.
2. Re:Manages high security by mwvdlee · 2016-03-15 02:16 · Score: 1
  
  In other words; a perfect match for the 50% (rounding down) of humans that are pretty much computer-illiterate.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
3. Re:Manages high security by LichtSpektren · 2016-03-15 02:22 · Score: 2
  
  Nowadays there's a web app version of almost everything. A thin client can do a lot of 2016. When you consider the fact that 90% of the human race just wants to use social media, write emails, shop and watch videos, it's not a bad sell.
4. Re:Manages high security by Scarred+Intellect · 2016-03-15 02:29 · Score: 1
  
  What?! You mean there's more to the internet than that!? Outrageous! Nobody ever told me that! Where is this mythical world you speak of? Do I search for it in the Facebook search box, or the YouTube one?
5. Re:Manages high security by infolation · 2016-03-15 02:46 · Score: 1
  
  90% of the human race just wants to use social media, write emails, shop and watch cat videos
  
  FTFY
6. Re:Manages high security by Anonymous Coward · 2016-03-15 03:42 · Score: 0
  
  In dev mode, you can run a full Linux distro. And the drive may be small, but with an SSD, they're pretty fast, and the battery life and price are great. And if for some reason you need to wipe the computer and hand it to someone else, it's extremely easy.
7. Re:Manages high security by Anonymous Coward · 2016-03-15 03:47 · Score: 0
  
  And most of my use of a computer outside of work falls into one of these categories. My problem is, I don't trust the plugins available to access my password file. Specifically keepass. Anybody have an opinion on this?
8. Re:Manages high security by shawn2772 · 2016-03-15 03:53 · Score: 1
  
  Nowadays there's a web app version of almost everything. A thin client can do a lot of 2016. When you consider the fact that 90% of the human race just wants to use social media, write emails, shop and watch videos, it's not a bad sell.
  Or write documents, build spreadsheets, make presentations, etc. Chromebooks are quite good for the sort of productivity work most people do. I have the option of getting a Pixel2 for work, and it would meet 100% of my work needs, including writing code[*]. Honestly, the only reason I have a Macbook is because I also use it for personal photo and video editing. Oh, and I prefer a local app for tracking my personal finances. I think there are some perfectly adequate online financial management programs, but I don't trust any online service to know everything about my money. However, now that I look, there are several personal finance apps on the Chrome web store... it looks like they store data on Google's servers, but only in encrypted form, and everything of substance happens locally. That could work, too. I'll have to see if any of them are decent.
  I've recommended Chromebooks to lots of college students and they've all been very happy with the choice. My son (in college) has both a Chromebook and a Windows laptop. He uses the Windows laptop for playing games, but prefers the Chromebook for all of his school work, as well as surfing. He likes the Chromebook better.
  [*] Note that in large part this is because company policy doesn't allow code to be stored on laptops anyway. We have fairly good cloud-based tools for editing, building, testing, reviewing and submitting code changes in a web browser, and where those are inadequate we use Chrome Remote Desktop to work remotely on our desktop machines. Without those constraints a regular laptop would be better. Mostly. I work on Android and building it on a laptop is painful to the point of infeasible, so I'd want to use my 64-core behemoth of a desktop anyway.
9. Re:Manages high security by Anonymous Coward · 2016-03-15 05:06 · Score: 0
  
  Porn.
  
  I mean, yeah, the visible surface portion is as GPs have described, but the unmentioned half is teh prawn. Which, yeah, cbooks deliver.
10. Re:Manages high security by edtice1559 · 2016-03-15 05:33 · Score: 1
  
  A limited, functioning machine is better than an unlimited non-functioning machine. You can get many things done with a browser. The point of having a secure guest mode is that you can safely let other people use your device. Also makes it better for setting up things like kiosks.
11. Re:Manages high security by edtice1559 · 2016-03-15 05:34 · Score: 1
  
  And a limited machine means they can spend more time doing this and less time maintaining the thing. A car is limited compared to an 18 wheeler, too.
12. Re:Manages high security by Anonymous Coward · 2016-03-15 06:37 · Score: 0
  
  Yep dumb monkeys just want to sit around their jungles jacking off.
What would hacking Guest mode get you? by Anonymous Coward · 2016-03-15 02:19 · Score: 0

I use a Chromebox as a second device. Its great for quick browser access nothing more though. It was cheap and Chrome OS runs better on cheap hardware then Windows 10. Otherwise Chrome OS is too limiting to be real useful, which brings to mind why Google would even suggest hacking Guest mode which by design only gives you access to Chrome browser and nothing else. If your going to hack a Chrome OS device Guest would not provide a hacker much of anything. If you could hack into a user on a Chrome device that might be something, but then again much of the files are in cloud storage. I frankly can understand why no hacker pays much attention to a Chrome device. Its not worth it.
1. Re:What would hacking Guest mode get you? by Luthair · 2016-03-15 02:48 · Score: 2
  
  Presumably the persistent compromise would affect any logged in user.
2. Re:What would hacking Guest mode get you? by softnewsit · 2016-03-15 03:16 · Score: 1
  
  Root access from guest mode.... what else....
  
  --
  Go away!
3. Re:What would hacking Guest mode get you? by edtice1559 · 2016-03-15 05:35 · Score: 1
  
  Which is really the point. Is it safe to let somebody use your device in guest mode? Can you trust the device afterward. And, of course, kiosks. If you can reboot to a known state they would be way easier to maintain. There's a whole cottage industry out there of reimaging devices still.
tl;dr description of the contest. by nimbius · 2016-03-15 02:20 · Score: 1

question: can you hack a hardened, underpowered Linux workstation without root access.
response: no one hacks an OS anymore, they bolt-on worms, social engineering, flash zero-days and javascript bypasses to steal your credit cards and dick pics.

--
Good people go to bed earlier.
1. Re:tl;dr description of the contest. by LichtSpektren · 2016-03-15 02:26 · Score: 1
  
  question: can you hack a hardened, underpowered Linux workstation without root access. response: no one hacks an OS anymore, they bolt-on worms, social engineering, flash zero-days and javascript bypasses to steal your credit cards and dick pics.
  That's nice, but you get $100k if you can hack the OS.
100k? by Anonymous Coward · 2016-03-15 02:25 · Score: 0

Hardly worth the effort. When they put up a reward matching a years pay for an average Google employee I might be interested.
1. Re:100k? by Anonymous Coward · 2016-03-15 03:22 · Score: 0
  
  Hardly worth the effort. When they put up a reward matching a years pay for an average Google employee I might be interested.
  When you include the 3rd-party maintenance crew that gets paid $15 an hour, it probably does average out to $100k.
2. Re:100k? by Anonymous Coward · 2016-03-15 04:19 · Score: 0
  
  I would expect "Google employee" as it is used here to mean people employed by Google, not people employed by other companies, the average salaries in the world are WAY lower than $100k!
I've got an idea for another contest! by Anonymous Coward · 2016-03-15 02:26 · Score: 0

I've got a great idea for another contest. The Slashdot headline for the submission about it could be, "Use Chromebook Productively, Win $100,000".
As that title states, if somebody can manage to do something even slightly productive (sorry, browsing Facebook doesn't count!) using a Chromebook, they'd get $100,000.
To be honest, I think there's a greater likelihood of a payout in this security challenge than there would be in that productivity challenge.
1. Re:I've got an idea for another contest! by LichtSpektren · 2016-03-15 02:37 · Score: 2
  
  I've got a great idea for another contest. The Slashdot headline for the submission about it could be, "Use Chromebook Productively, Win $100,000".
  As that title states, if somebody can manage to do something even slightly productive (sorry, browsing Facebook doesn't count!) using a Chromebook, they'd get $100,000.
  To be honest, I think there's a greater likelihood of a payout in this security challenge than there would be in that productivity challenge.
  I'd imagine many reporters, secretaries, actors, interpreters/translators, librarians, web developers, etc. could get by just fine with a browser.
2. Re:I've got an idea for another contest! by IRGlover · 2016-03-15 02:42 · Score: 1
  
  I'll take cash or a cheque, AC. I've written the bulk of numerous research papers, teaching materials and other learning resources on a Chromebook using Google Drive. Great tools for collaboratively writing materials, before exporting the content for some polishing up in a different piece of software.
3. Re:I've got an idea for another contest! by 0100010001010011 · 2016-03-15 02:44 · Score: 1
  
  Heck I do a good 80% of my Python development through a Jupyter Notebook hosted on one of the other machines in my house. I could get by just fine with a browser and ssh client.
4. Re:I've got an idea for another contest! by Anonymous Coward · 2016-03-15 03:14 · Score: 0
  
  I've actually migrated to using a Chromebook as my primary device; mind you I take advantage of two things that make it much more powerful:
  1) Apps for remote screen/control like Chrome Remote Desktop and VNC. This allows me to enjoy the 1080p displays of the Toshiba Chromebooks with the computing power of whatever system I connect to the backend (Windows, OS X, et cetera). Not so great for gaming or video playback, but I don't do much of the former and the latter I can do locally; but managing multiple VMs for software testing or other performance intensive applications it's very convenient.
  2) Developer mode and crouton / chroots run some linux stuff locally that you can't get under ChromeOS.
  Mind you, I'm not using the Chrome part of the device in these cases really, but it does make them much more useful than people usually think they can be.
5. Re:I've got an idea for another contest! by Anonymous Coward · 2016-03-15 03:19 · Score: 0
  
  Chromebooks have an SSH client. What else do you need? I get a lot of mileage out of online IDEs, too. Also, in developer mode you can install a full Linux distro; even the tiny SSDs these things tend to ship with are pretty roomy for Linux.
  The person asking "How can you be productive with a Chromebook?" has simply never tried it.
What do I get? by Anonymous Coward · 2016-03-15 02:28 · Score: 0

So what do I get? My chromebox was the one released at google i/o 2012 with a Core i5 sandy bridge and I'm running a custom coreboot + seabios installation and full ubuntu with completely replaced ChromeOS with 8gb of ddr3 and a 256gb crucial m4 ssd and it's my personal server running a virtual machine hosting several websites and my personal email/file server and I even released a customized version of the Chrubuntu script that includes a bunch of additional options if you don't want to go all out like I did. https://github.com/austinksmith/Chruboostu
1. Re:What do I get? by Anonymous Coward · 2016-03-15 02:41 · Score: 0
  
  What do you get? An award for completely ignoring the qualifications and/or bragging.
  No one gives a shit what do you with your chrome box.
2. Re:What do I get? by Anonymous Coward · 2016-03-15 02:46 · Score: 0
  
  The entire post is about exploits, the goal wasnt to brag but to show how far you can exploit a chromeOS machine. Assuming you're not running an ARM based model you can do the same I have done and have a completely standard desktop machine without the limitations.
3. Re:What do I get? by Anonymous Coward · 2016-03-15 02:54 · Score: 0
  
  It's not about exploring a chrome os machine, it's about exploring guest mode in chrome os. The hardware is irrelevant.
4. Re:What do I get? by pz · 2016-03-15 02:56 · Score: 1
  
  Punctuation: it's your friend.
  
  --
  
  Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
5. Re:What do I get? by fibonacci8 · 2016-03-15 04:16 · Score: 1
  
  I highly doubt he and punctuation are even on speaking terms after that post.
  
  --
  Inheritance is the sincerest form of nepotism.
6. Re:What do I get? by macs4all · 2016-03-15 05:36 · Score: 1
  
  Punctuation: it's your friend.
  Capitalization: It's your friend.
GhostShell by Scarred+Intellect · 2016-03-15 02:33 · Score: 1

I found a job for GhostShell!
Nice to see Google pushing this by sasparillascott · 2016-03-15 02:42 · Score: 2

Chrome is getting alot more popular with users and schools in particular, its nice to see them pushing on the security like this - up to this point it probably hasn't been worth the time of someone to compromise it (from a marketshare standpoint), but that day is coming. It's good Google is trying to stay ahead of that.
1. Re:Nice to see Google pushing this by Anonymous Coward · 2016-03-15 03:21 · Score: 0
  
  So google is following in the footsteps of apple and microsoft. Give software to schools, reap the rewards when they grow up and use the software that they know. Great innovation there!
I was surprised it did EVERYTHING my wife wanted by raymorris · 2016-03-15 03:07 · Score: 1

My wife got a Chromebook to augment / replace her Linux desktop. I set the Chromebook up to boot Ubuntu, but we went ahead and booted ChromeOS once just to check it out. I was surprised to find she never had any reason to boot into Ubuntu. ChromeOS does everything she wants to do with her computer and it's fast.
Most recently, she's been job hunting. She looks for job on the web, edits her resume in Google Docs, fills out pdf forms, all on ChromeOS. It actually does 90% of what I use my computer for too - email, browsing, ssh, and text editing (programming). I'm a old-school programmer who doesn't use an IDE except once every few years when I write in a Microsoft language.
At y old job, a business I owned, I spent 80% of my time using SSH, which works fine from ChromeOS. At my current job, I run a couple of virtual machines on my computer and the company chat program, so a ChromeBook wouldn't do for work, but at home virtual machines go on the server that has 32 GB of RAM and multiple CPUs anyway. So I'd probably be just fine with a ChromeBook at home too.
Re:I was surprised it did EVERYTHING my wife wante by 110010001000 · 2016-03-15 03:15 · Score: 1

As an added bonus, Google Inc now has a full profile of your and your wife's life. They know she has been looking for a job, everything. And you only had to pay hundreds of dollars for the privilege. So it is a win/win.
Re:I was surprised it did EVERYTHING my wife wante by Anonymous Coward · 2016-03-15 03:18 · Score: 0

Google already had that. The Chromebook is just their way of paying it forward.
Chromebook Logic Boards Can Be Re-Serialized by Anonymous Coward · 2016-03-15 05:08 · Score: 0

Not really an OS vulnerability, but you can reserialize the logic board on at least some Chromebook models.
The process does involve disassembling the device to disconnect the battery and remove the write-protect screw temporarily though. Again, it's not a ChromeOS bug, but it does allow, for example, a high school student to bypass the school's management, or a thief to bypass any sort of lost mode protection enabled by the owner.