CR-48 ChromeOS Security Posture

Since everyone is talking about the fit and finish (which is great other than the battery) I thought I’d talk about the security of the device. Google has already spoken about the separation of user/system with the web browser functions so I will skip that portion. The majority of my work was looking at how the OS responded to simple pentesting scans. I used version 5.21 of Nmap running on MacOS 10.6 Server. The ChromeOS box was patched as of 12/11/10.

  • By default there are no listening ports with any scans
  • CTL+ALT+T on the development system opens up a limited console with SSH access out
  • Nmap does not remote fingerprint ChromeOS. Even on a direct connect the scan never pulls enough data to fingerprint. I tried Nmap 5.21/4.62 on Linux and Mac
  • No current exploits for the version 10.2r103 of Flash. I tried a few older ones, but its pretty well locked down. The most I can do is get the flash plugin to crash, but lets be honest thats just Adobe’s Modus Operandi
  • The OS takes complex passwords. I didn’t test how far up the character count, but 14 with Up/Down/Special/Number worked fine
  • MAC was recognized if I cut the prefix down to 74:F0 which belongs to a Korean company named BnCOM
  • USB-net was disabled at the kernel level
  • USB storage didn’t provide any quick wins either as it seems to disregard both GTK and QT autorun subsystems
  • The only main system process running as root is X
  • All other process run as chronos or cromo to provide audio subsystems via pulse-audio and window manager
  • CTL+ALT+T “crosh” terminal uses aterm to provide the basic console in full screen view
  • rsyslogd provides the logging facility for the machine

In closing Google has done a decent job locking the box down. I am not sure I’d give it to any users, but I wouldn’t think twice about installing one for a kiosk somewhere. The biggest vulnerability for the machine is of course Flash and their NativeClient code execution. I plan on playing with NativeClient to see if I can push out a quick exploit

— Update — My Buddy Chris sent me a howto for enabling the shell and developer mode. I am going to keep my text above as if you have access to put the box in dev mode its all lost anyways: — Update —