I am wondering if a Chromebook can receive a virus through a malicious website. I recently have heard they are immune to any sort of virus, but I am not sure that's true. Does somebody know if Chromebooks can be infected with a virus?
Asked
Active
Viewed 7,522 times
4 Answers
31
Tl;dr - yes (but unlikely).
From https://en.wikipedia.org/wiki/Chrome_OS:
Chrome OS is an operating system designed by Google that is based on the Linux kernel and uses the Google Chrome web browser as its principal user interface. As a result, Chrome OS primarily supports web applications.
Google around for information about Linux & virus and you will find that it is low runner, but certainly not unheard of.
For instance, Does Linux need antivirus? says
There is much debate as to whether Linux needs antivirus. Proponents of Linux state that its heritage as a multi-user, networked operating systems means that it was built from the ground up with superior malware defense. Others take the stance that while some operating systems can be more resistant to malware, there’s simply no such thing as a virus-resistant operating system. The second group is correct – Linux is not impervious to viruses
and Can my UNIX or Linux computer become infected with a virus? says
Few viruses are currently known for UNIX or Linux. However, virus checking is necessary for these reasons:
- UNIX or Linux computers acting as servers for other operating system client workstations can become carriers for other virus types, e.g. Windows macro viruses.
- UNIX and Linux computers are often used as mail servers, and can check email for worms and infected attachments before they reach the desktop.
- If your UNIX or Linux computer is running a PC emulator (a 'soft PC'), applications running under that emulator are vulnerable to viruses, particularly macro viruses.
So, you are at little risk, but not no risk
Recommended reading: Chromebook How To: Viruses, Malware and Chrome OS Security
Wai Ha Lee
- 121
- 1
- 1
- 7
Mawg
- 4,603
9
tl;dr
Yes, just be careful and don't install any extensions and if you do make sure you understand the permissions they ask for.
Note: The professional definition of "computer virus" is a specific type of malicious application, the "normal" definition of "computer virus" is more or less any malicious application. Reading the OP's post I have interpreted his question to be using the term in the latter meaning.
Totally agree with the other answer and will start from the same place, but expand on it a bit:
Chrome OS is an operating system designed by Google that is based on the Linux kernel and uses the Google Chrome web browser as its principal user interface. As a result, Chrome OS primarily supports web applications.
Source: Wikipedia
Chrome: Passive attacks
Description of attack:
- You open a website
- Suddenly you have a virus
Likelihood: Even with Chrome on Windows these are incredibly uncommon, but the fact that Chrome on ChromeOS runs on Linux means that it's far less "worth" it for attackers to create attacks for Linux/ChromeOS.
Chrome: Stupid user attacks (malware + malicious site)
Description of attack:
- You open a website
- Website convinces the user to do something stupid
- Example: You open a streaming site (the type which takes its content without permission or legal right from the copyright owner) and the site convinces its users to install a missing codec, whilst they actually install some virus.
Likelihood: As Chrome doesn't allow (by default) running actual Linux applications there is a far smaller attack surface. Additionally most of those attacks target once again Windows, so you end up with a bunch of useless .exe files in your Downloads folder.
BUT another type of cross platform attack which does work and is not uncommon is the installation of malicious chrome extensions. These will typically request the permission to
- Read and change your data on all sites
Anyway, this requires the user to do something stupid and ignore the literal warning that the extension will have the permission to see and change anything you see (including for example your online banking interface).
Note: This doesn't start with a malicious site, so it doesn't really fall under the OP's question from the title, but does answer the question in the body.
Android: Passive attacks
Description of attack:
- You install and open a malicious android app
- Suddenly you have a virus (where a virus is once again defined as something that could steal your passwords or access your online banking)
Likelihood: The sandboxing on Android apps is so well done that as far as I currently know nobody has yet broken through it. This means practically that you are reasonably safe from this happening though. Of course, any permission you do grant to the android app - just like with the chrome extensions - can be used against you by a malicious player.
Linux attack surface
Description of attack:
- (Prequel) You enable linux applications (this is disabled by default and only for powerusers)
- You open some innocent looking file
- Example: Some libreoffice document
- Suddenly you have a virus
Likelihood: Even if you do enable linux apps and you open yourself to more or less all the dangers or running normal linux, viruses on Linux are incredibly uncommon. See Mawq's answer for a discussion of this.
David Mulder
- 1,499
6
Chrome OS has some features that make it very difficult for a virus to run, to elevate privilege to root, or to survive a reboot (become persistent).
The Chrome Sandbox (pdf) limits what a process can do. All operations are sandboxed, apart from basic CPU and memory usage. This means the renderer, javascript process, PDF renderer, etc. are sandboxed, and will not be allowed to execute arbitrary syscalls, write to arbitrary files, do network io, etc. unless those calls are explicitly allowed.
Verified Boot (Firmware boot). The Chrome OS boot happens in several stages. The first stage is a boot flash ROM, which is protected from writing by a hardware switch on the motherboard (this protection can be disabled if you want to flash your own boot loader). The Chrome firmware is stored in two writeable slots, but the signature is verified by the first stage, so it can't be arbitrarily modified and still boot. The kernel and initramfs are stored as GPT volumes and are signed, so those can't be modified either. The actual OS filesystem uses Verity to sign every block, and the signature is checked when a block is loaded, so the file system can't be modified either.
Constant updates. Chrome OS uses an A/B OS install so that security updates can be shipped regularly and automatically, with failed updates being easily reverted.
So, for a virus to run on the Chromebook, it would require a persistent compromise that chains something like:
- an exploit to run native code (the virus)
- a sandbox escape, to access the filesystem
- a root exploit, in order to modify OS files
- a "verified boot" exploit, targetting the firmware flash or filesystem, so that the modified OS files will be loaded on reboot
- some way to spread to other Chromebooks (if we are talking about a traditional virus)
Google offer a $100k bounty for anyone who reveals such a persistent compromise. There are only a couple of instances (1,2) where this has been claimed. The second of these required chaining together five CVE vulnerabilities. Not easy.
bain
- 167
2
Do Chromebooks have vulnerabilities ?
Yes.
A brief search,at the time of writing this answer, on MITRE's CVE website by "chromebook" keyword, results in 9 vulnerability reports, all dated 2011 or 2012. Specifically, these mention "Acer AC700, Samsung Series 5, and Cr-48". According to the article in Security Week by Eduard Kovacs:
A researcher who uses the online moniker Gzob Qq informed Google on September 18 that he had identified a series of vulnerabilities that could lead to persistent code execution on Chrome OS, the operating system running on Chromebox and Chromebook devices.
The exploit chain includes an out-of-bounds memory access flaw in the V8 JavaScript engine (CVE-2017-15401), a privilege escalation in PageState (CVE-2017-15402), a command injection flaw in the network_diag component (CVE-2017-15403), and symlink traversal issues in crash_reporter (CVE-2017-15404) and cryptohomed (CVE-2017-15405).
So there's another set of CVE exploits dated 2017.
Attack surface:
Note that this does not take into account vulnerabilities in extensions from Google Store. Every additional extension may increase attack surface. An interesting example of an extension that violates user's privacy and puts machine into botnet service can be found in Trend Micro's article:
This botnet was used to inject ads and cryptocurrency mining code into websites the victim would visit. We have dubbed this particular botnet Droidclub, after the name of one of the oldest command-and-control (C&C) domains used.
In addition to the above features, Droidclub also abuses legitimate session replay libraries to violate the user’s privacy. These scripts are injected into every website the user visits. These libraries are meant to be used to replay a user’s visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things.
Of course, physical access to devices it a significant factor - hardware itself could be compromised.
Note that attack surface may increase of the Chromebook runs out of the support cycle, which currently is 5 years, according to PC World's article. While the article states there's no clarity on the situation, apparently Google does intend to provide security updates:
There is, however, one more wrinkle to this story: Given that security is “one of the key tenets of Chrome OS,” Google says it’s “working with our partners to update our policies so that we’re able to extend security patches and updates beyond a device’s EOL date.”
Google isn’t making any guarantees at this point, but it sounds like the company wants to extend updates—at least on the security side—beyond five years. It also sounds like device makers such as Acer and Samsung would be partially responsible for making that happen.
Conclusion
In short, yes, one can get exploits on Chrome OS. As mentioned Mawg's answer, Chrome OS uses Linux Kernel, so Windows-specific exploits won't affect Chrome OS. Nonetheless, that doesn't decrease the attack surface if Linux Kernel exploits are of interest.
