Chrome OS is one of the most secure desktop operating systems on the market (privacy concerns about the Google ecosystem aside). Automatic system updates, verified boot, and system drive encryption all keep your Chromebook safe from attacks. Most models also use a Trusted Platform Module, or TPM, for generating the cryptographic keys that protect local data.

Sadly, nothing is 100% secure, and the same is true for some Chromebooks. Security researchers recently discovered a bug in certain versions of the Infineon TPM firmware, which allows hackers to potentially brute-force a Chromebook to obtain encrypted data. Thankfully, the scope of the vulnerability is limited, since the researchers estimated it would take around 140 CPU years to break a single key.

The bug potentially affects all Chromebooks using the newest Infineon TPM chip, and there are quite a few of them. Here's the full list:

  • asuka - Dell Chromebook 13 3380
  • auron-paine - Acer Chromebook 11 (C740)
  • auron-yuna - Acer Chromebook 15 (CB5-571)
  • banjo - Acer Chromebook 15 (CB3-531)
  • banon - Acer Chromebook 15 (CB3-532)
  • buddy - Acer Chromebase 24
  • candy - Dell Chromebook 11 (3120)
  • caroline - Samsung Chromebook Pro
  • cave - ASUS Chromebook Flip C302
  • celes - Samsung Chromebook 3
  • chell - HP Chromebook 13 G1
  • clapper - Lenovo N20 Chromebook
  • cyan - Acer Chromebook R11 (CB5-132T / C738T)
  • daisy-skate - HP Chromebook 11 2000-2099 / HP Chromebook 11 G2
  • daisy-spring - HP Chromebook 11 1100-1199 / HP Chromebook 11 G1
  • edgar - Acer Chromebook 14 (CB3-431)
  • elm - Acer Chromebook R13 (CB5-312T)
  • enguarde - ASI Chromebook
  • enguarde - Crambo Chromebook
  • enguarde - CTL N6 Education Chromebook
  • enguarde - Education Chromebook
  • enguarde - eduGear Chromebook R
  • enguarde - Edxis Education Chromebook
  • enguarde - JP Sa Couto Chromebook
  • enguarde - Lenovo N21 Chromebook
  • enguarde - M&A Chromebook
  • enguarde - RGS Education Chromebook
  • enguarde - Senkatel C1101 Chromebook
  • enguarde - True IDC Chromebook
  • enguarde - Videonet Chromebook
  • expresso - Bobicus Chromebook 11
  • expresso - Consumer Chromebook
  • expresso - Edxis Chromebook
  • expresso - HEXA Chromebook Pi
  • falco - HP Chromebook 14
  • gandof - Toshiba Chromebook 2 (2015 Edition)
  • glimmer - Lenovo ThinkPad 11e Chromebook
  • gnawty - Acer Chromebook 11 (C730 / C730E)
  • gnawty - Acer Chromebook 11 (C735)
  • guado - ASUS Chromebox CN62
  • hana - Lenovo N23 Yoga/Flex 11 Chromebook
  • hana - Poin2 Chromebook 14heli - Haier Chromebook 11 G2
  • kefka - Dell Chromebook 11 Model 3180
  • kefka - Dell Chromebook 11 3189
  • kevin - Samsung Chromebook Plus
  • kip - HP Chromebook 11 2100-2199 / HP Chromebook 11 G3
  • kip - HP Chromebook 11 2200-2299 / HP Chromebook 11 G4/G4 EE
  • kip - HP Chromebook 14 ak000-099 / HP Chromebook 14 G4
  • lars - Acer Chromebook 11 (C771, C771T)
  • lars - Acer Chromebook 14 for work (CP5-471)
  • leon - Toshiba Chromebook
  • link - Google Chromebook Pixel
  • lulu - Dell Chromebook 13 7310
  • mccloud - Acer Chromebox
  • monroe - LG Chromebase 22CB25S
  • monroe - LG Chromebase 22CV241
  • ninja - AOPEN Chromebox Commercial
  • nyan-big - Acer Chromebook 13 (CB5-311)
  • nyan-blaze - HP Chromebook 14 x000-x999 / HP Chromebook 14 G3
  • nyan-kitty - Acer Chromebase
  • orco - Lenovo 100S Chromebook
  • panther - ASUS Chromebox CN60
  • peach-pi - Samsung Chromebook 2 13"
  • peach-pit - Samsung Chromebook 2 11"
  • peppy - Acer C720 Chromebook
  • quawks - ASUS Chromebook C300
  • reks - Lenovo N22 (Touch) Chromebook
  • reks - Lenovo N23 Chromebook
  • reks - Lenovo N23 Chromebook (Touch)
  • reks - Lenovo N42 (Touch) Chromebook
  • relm - Acer Chromebook 11 N7 (C731)
  • relm - CTL NL61 Chromebook
  • relm - Edxis Education Chromebook
  • relm - HP Chromebook 11 G5 EE
  • relm - Mecer V2 Chromebook
  • rikku - Acer Chromebox CXI2
  • samus - Google Chromebook Pixel (2015)
  • sentry - Lenovo Thinkpad 13 Chromebook
  • setzer - HP Chromebook 11 G5 / HP Chromebook 11-vxxx
  • squawks - ASUS Chromebook C200
  • sumo - AOpen Chromebase Commercial
  • swanky - Toshiba Chromebook 2
  • terra - ASUS Chromebook C202SA
  • terra - ASUS Chromebook C300SA/C301SA
  • tidus - Lenovo ThinkCentre Chromebox
  • tricky - Dell Chromebox
  • ultima - Lenovo ThinkPad 11e Chromebook 3rd Gen (Yoga/Clamshell)
  • veyron-fievel - AOpen Chromebox Mini
  • veyron-jaq - Haier Chromebook 11
  • veyron-jaq - Medion Akoya S2013veyron-jaq - True IDC Chromebook 11
  • veyron-jaq - Xolo Chromebook
  • veyron-jerry - CTL J2 / J4 Chromebook for Education
  • veyron-jerry - eduGear Chromebook K Series
  • veyron-jerry - Epik 11.6" Chromebook ELB1101
  • veyron-jerry - HiSense Chromebook 11
  • veyron-jerry - Mecer Chromebook
  • veyron-jerry - NComputing Chromebook CX100
  • veyron-jerry - Poin2 Chromebook 11
  • veyron-jerry - Positivo Chromebook CH1190
  • veyron-jerry - VideoNet Chromebook BL10
  • veyron-mickey - ASUS Chromebit CS10
  • veyron-mighty - Chromebook PCM-116E
  • veyron-mighty - eduGear Chromebook M Series
  • veyron-mighty - Haier Chromebook 11e
  • veyron-mighty - Lumos Education Chromebook
  • veyron-mighty - MEDION Chromebook S2015
  • veyron-mighty - Nexian Chromebook 11.6-inch
  • veyron-mighty - Prowise 11.6" Entry Line Chromebook
  • veyron-mighty - Sector 5 E1 Rugged Chromebook
  • veyron-mighty - Viglen Chromebook 11
  • veyron-minnie - ASUS Chromebook Flip C100PA
  • veyron-speedy - ASUS Chromebook C201PA
  • veyron-tiger - AOpen Chromebase Mini
  • winky - Samsung Chromebook 2 11 - XE500C12
  • wizpig - CTL J5 Chromebook
  • wizpig - Edugear CMT Chromebook
  • wizpig - Haier Convertible Chromebook 11 C
  • wizpig - PCMerge Chromebook PCM-116T-432B
  • wizpig - Prowise ProLine Chromebook
  • wizpig - Viglen Chromebook 360
  • wolf - Dell Chromebook 11
  • zako - HP Chromebox CB1-(000-099) / HP Chromebox G1/ HP Chromebox for Meetings

If you have one of the above devices, you can check what TPM firmware you have by going to chrome://system, searching for 'TPM' in the page (CTRL + F), and clicking the Expand button next to TPM Version. If your Chromebook has any of these versions, you are vulnerable:

  • 000000000000041f – 4.31
  • 0000000000000420 – 4.32
  • 0000000000000628 – 6.40
  • 0000000000008520 – 133.32

Because of how the TPM module works, updating the firmware requires you to wipe the computer, so Google has decided to make the update optional. If you want to be as secure as possible, select Powerwash from the system settings. Once you reboot to finalize the reset, click the checkbox that says 'Update firmware for added security.' Then confirm the wipe, and you're all done.

I did the whole process on my ASUS Chromebook C302, and it only took about a minute. Sadly, wiping your Chromebook is more of a pain with the advent of Android apps, since most of them don't back up user data to the cloud (like the rest of the OS does).

Unless your Chromebook contains government secrets, you probably don't need to install the update, but a few minutes of inconvenience while setting everything back up are probably worth it in order to be as secure as possible.

Source: Chrome Unboxed