Chrome OS Gets an Optional TPM Security Update That Requires a Powerwash

There is a new, optional security update for Chrome OS that fixes a vulnerability with the Trusted Platform Module (TPM) in the majority of Chromebooks. To apply the update, however, you will need to Powerwash your device.

The vulnerability has to do with hackers potentially being able to brute force the RSA keys generated by your TPM. This, in theory, could give them the opportunity to plant malicious code on your device or take it over. For those not familiar, a Trusted Platform Module (TPM) is a specialized chip on an endpoint device that stores RSA encryption keys specific to the host system for hardware authentication. It essentially makes sure that the hardware and software on your device are secure and encrypted, and it controls what has access to the keys it generates. Thus, you see the problem. If the TPM gets compromised, it can lead to a lot of issues for end users.

Starting with Chrome 60, the Chromium team beefed up the hashing used when the TPM creates keys, which largely mitigated the problem. They went a step further in Chrome 61 by adding the ability to install a security update, like this one, during the Powerwash process.

The short of it is, if you are on Chrome 60 or higher, you probably are safe and sound.  But, if you really want to make sure, you should apply the TPM patch through a Powerwash process.  This will wipe any data on your machine so make sure you have a backup.

To make sure you are in the clear, on your Chromebook, type chrome://system in the omnibar and do a search for TPM.  If you have the following TPM firmware versions, you are vulnerable:

  • 000000000000041f – 4.31
  • 0000000000000420 – 4.32
  • 0000000000000628 – 6.40
  • 0000000000008520 – 133.32

If you have the following TPM firmware versions, you are NOT vulnerable:

  • 0000000000000422 – 4.34
  • 000000000000062b – 6.43
  • 0000000000008521 – 133.33
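If you have more than one Chromebook to check, the comparison can be scripted. The following is an added example, not code from the Chromium team: it takes text copied from chrome://system, pulls out the firmware version, and classifies it against the two lists above. The `firmware_version:` field name and the sample text are assumptions, and decoding the hex value as major.minor (high byte, low byte) is inferred from the pairs listed on this page.

```python
import re

# The 16-digit firmware version values listed on this page.
VULNERABLE = {"000000000000041f", "0000000000000420",
              "0000000000000628", "0000000000008520"}
NOT_VULNERABLE = {"0000000000000422", "000000000000062b",
                  "0000000000008521"}

def decode(fw_hex):
    """Turn the hex value into 'major.minor' (e.g. 0x0420 -> 4.32).

    Inferred from the page's pairs: minor is the low byte, major the rest.
    """
    value = int(fw_hex, 16)
    return f"{value >> 8}.{value & 0xFF}"

def classify(system_text):
    """Return (hex, 'major.minor', status) for pasted chrome://system text."""
    # Assumption: the value is shown as 'firmware_version: <16 hex digits>'.
    match = re.search(r"firmware_version\s*[:=]\s*([0-9a-fA-F]{16})\b",
                      system_text)
    if not match:
        return None, None, "no firmware version found"
    fw = match.group(1).lower()
    if fw in VULNERABLE:
        status = "vulnerable"
    elif fw in NOT_VULNERABLE:
        status = "not vulnerable"
    else:
        # Not on either list: do not guess, check the Chromium device list.
        status = "unknown"
    return fw, decode(fw), status

# Constructed sample input, not captured from a real device.
SAMPLE = """\
tpm_version:
  example_other_field: 0000
  firmware_version: 0000000000000420
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A result of "unknown" means the version is on neither list here, so it should be checked against the Chromium team's device list rather than assumed safe.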

The Chromium team has published a list of all of the devices impacted. You can find it here. As you will see, there are a lot of devices on this list. My suggestion, to be 100% safe, is to do the TPM update. When you start the Powerwash process, you will have the option to install security updates. It is a checkbox that, when checked, will apply the appropriate update for your Chromebook.
