Chrome OS is one of the most secure desktop operating systems on the market (privacy concerns about the Google ecosystem aside). Automatic system updates, verified boot, and system drive encryption all keep your Chromebook safe from attacks. Most models also use a Trusted Platform Module, or TPM, for generating the cryptographic keys that protect local data.
Sadly, nothing is 100% secure, and that includes some Chromebooks. Security researchers recently discovered a bug in certain versions of the Infineon TPM firmware, which potentially allows attackers to brute-force the keys protecting a Chromebook's encrypted data. Thankfully, the scope of the vulnerability is limited, since the researchers estimated it would take around 140 CPU years to break a single key.
The bug potentially affects all Chromebooks using the newest Infineon TPM chip, and there are quite a few of them. Here’s the full list:
If you have one of the above devices, you can check what TPM firmware you have by going to chrome://system, searching for ‘TPM’ in the page (CTRL + F), and clicking the Expand button next to TPM Version. If your Chromebook has any of these versions, you are vulnerable:
- 000000000000041f – 4.31
- 0000000000000420 – 4.32
- 0000000000000628 – 6.40
- 0000000000008520 – 133.32
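If you look after more than one Chromebook, the comparison against the list above can be scripted. The following is an added example, not part of the original article: it assumes the dotted version is simply the two low bytes of the hex field (major, then minor), which is the pattern all four listed pairs follow, and the device names and non-listed values in the sample are constructed.

```python
import re

# Vulnerable firmware values exactly as listed in the article.
VULNERABLE = {0x041F, 0x0420, 0x0628, 0x8520}
_HEX = re.compile(r"^(?:0x)?([0-9a-f]{1,16})$", re.IGNORECASE)
_DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})$")

def parse_firmware(value):
    """Return (major, minor) from a hex field or a dotted version, else None."""
    text = value.strip()
    m = _DOTTED.match(text)
    if m:
        major, minor = int(m.group(1)), int(m.group(2))
    else:
        m = _HEX.match(text)
        if not m:
            return None
        raw = int(m.group(1), 16)
        if raw > 0xFFFF:  # assumption: only the low 16 bits carry the version
            return None
        major, minor = raw >> 8, raw & 0xFF
    if major > 0xFF or minor > 0xFF:
        return None
    return major, minor

def classify(value):
    parsed = parse_firmware(value)
    if parsed is None:
        return "unknown"  # never report an unreadable value as safe
    return "vulnerable" if (parsed[0] << 8 | parsed[1]) in VULNERABLE else "not listed"

def audit(inventory):
    return {name: classify(fw) for name, fw in inventory}

# Constructed inventory: hypothetical device names and sample values.
SAMPLE = [
    ("chromebook-01", "0000000000000420"),
    ("chromebook-02", "0x8520"),
    ("chromebook-03", "4.31"),
    ("chromebook-04", "0000000000000422"),
    ("chromebook-05", "n/a"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```

A verdict of "not listed" only means the value is not one of the four versions above; "unknown" means the value could not be read and the device should be checked by hand.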
Because of how the TPM works, updating the firmware requires you to wipe the computer, so Google has decided to make the update optional. If you want to be as secure as possible, select Powerwash from the system settings. Once you reboot to finalize the reset, click the checkbox that says ‘Update firmware for added security.’ Then confirm the wipe, and you’re all done.
I did the whole process on my ASUS Chromebook C302, and it only took about a minute. Sadly, wiping your Chromebook is more of a pain with the advent of Android apps, since most of them don’t back up user data to the cloud (like the rest of the OS does).
Unless your Chromebook contains government secrets, you probably don’t need to install the update, but a few minutes of inconvenience while setting everything back up is probably worth being as secure as possible.