27

I am wondering if a Chromebook can receive a virus through a malicious website. I recently have heard they are immune to any sort of virus, but I am not sure that's true. Does somebody know if Chromebooks can be infected with a virus?

Improve this question
4
  • 15
    General rule of thumb: if it runs software it can be infected. The odds of infection depends on many things, which are well explained in the answers already posted.
    – Aubreal
    Commented Jan 22, 2019 at 14:33
  • @AlexandreAubrey if it runs software and has any permanent storage.
    – rackandboneman
    Commented Jan 22, 2019 at 15:46
  • 11
    @rackandboneman No, if it runs software. RAM-resident malware has been around for years; in fact, it used to be the norm; if the goal is to steal credit card details instead of just format the hard drive, it'd be profitable to make these again.
    – wizzwizz4
    Commented Jan 22, 2019 at 17:32
  • Not sure if its worth an answer on its own, but IF your chromebook does get a virus somehow(I've never had one in 5+ years of using one), its really easy to powerwash the device which is ChromeOs terms for reset to factory settings. Since all your settings and everything are on the cloud, once you log back in it will be all back to normal. The whole powerwash takes 15-30 minutes until you are back to the state you were before. I love chromebooks so feel free to message me if you have questions.
    – samuraiseoul
    Commented Jan 23, 2019 at 15:50

4 Answers 4

Reset to default
31

Tl;dr - yes (but unlikely).

From https://en.wikipedia.org/wiki/Chrome_OS:

Chrome OS is an operating system designed by Google that is based on the Linux kernel and uses the Google Chrome web browser as its principal user interface. As a result, Chrome OS primarily supports web applications.

Google around for information about Linux & virus and you will find that it is low runner, but certainly not unheard of.

For instance, Does Linux need antivirus? says

There is much debate as to whether Linux needs antivirus. Proponents of Linux state that its heritage as a multi-user, networked operating systems means that it was built from the ground up with superior malware defense. Others take the stance that while some operating systems can be more resistant to malware, there’s simply no such thing as a virus-resistant operating system. The second group is correct – Linux is not impervious to viruses

and Can my UNIX or Linux computer become infected with a virus? says

Few viruses are currently known for UNIX or Linux. However, virus checking is necessary for these reasons:

  • UNIX or Linux computers acting as servers for other operating system client workstations can become carriers for other virus types, e.g. Windows macro viruses.
  • UNIX and Linux computers are often used as mail servers, and can check email for worms and infected attachments before they reach the desktop.
  • If your UNIX or Linux computer is running a PC emulator (a 'soft PC'), applications running under that emulator are vulnerable to viruses, particularly macro viruses.

So, you are at little risk, but not no risk

Recommended reading: Chromebook How To: Viruses, Malware and Chrome OS Security

Improve this answer
9
  • 4
    deleted my answer as yours was way more complete. I couldn't provide more without replicating your answer... :)
    – Stese
    Commented Jan 22, 2019 at 8:22
  • 2
    I didn't even see yours; we must have posted simultaneously (so, upvote to your comment ;-). Bottom line, if it has a processor, someone will try to code a virus for it. In this case, the biggest risks are browser plugins.
    – Mawg
    Commented Jan 22, 2019 at 8:27
  • 6
    Your last quote suggests that you use the anti-virus on the linux machine not to protect itself, but to protect the windows machines "downstream"; the the latter part isn't about running linux at all. Since a chromebook is out of scope of all these points, I feel it's just not relevant to the question.
    – UKMonkey
    Commented Jan 22, 2019 at 10:38
  • 3
    then again, there are quite a few people arguing that you shouldn't even install antivirus on Windows (maybe aside MS's own version), as this will open up another attack vector for viruses to get on your system in the first place. arstechnica.com/information-technology/2017/01/antivirus-is-bad
    – Frank Hopkins
    Commented Jan 22, 2019 at 14:25
  • 1
    Should one consider the tons of malware apps for Android as an example for a linux-based system which needs some form of defense against malware? And the risk seems not so small, when one includes a broad variety of malware, not just viruses attacking the underlying linux system...
    – Falco
    Commented Jan 23, 2019 at 14:11
9

tl;dr

Yes, just be careful and don't install any extensions and if you do make sure you understand the permissions they ask for.

Note: The professional definition of "computer virus" is a specific type of malicious application, the "normal" definition of "computer virus" is more or less any malicious application. Reading the OP's post I have interpreted his question to be using the term in the latter meaning.

Totally agree with the other answer and will start from the same place, but expand on it a bit:

Chrome OS is an operating system designed by Google that is based on the Linux kernel and uses the Google Chrome web browser as its principal user interface. As a result, Chrome OS primarily supports web applications.

Source: Wikipedia

Chrome: Passive attacks

Description of attack:

  1. You open a website
  2. Suddenly you have a virus

Likelihood: Even with Chrome on Windows these are incredibly uncommon, but the fact that Chrome on ChromeOS runs on Linux means that it's far less "worth" it for attackers to create attacks for Linux/ChromeOS.

Chrome: Stupid user attacks (malware + malicious site)

Description of attack:

  1. You open a website
  2. Website convinces the user to do something stupid
    • Example: You open a streaming site (the type which takes its content without permission or legal right from the copyright owner) and the site convinces its users to install a missing codec, whilst they actually install some virus.

Likelihood: As Chrome doesn't allow (by default) running actual Linux applications there is a far smaller attack surface. Additionally most of those attacks target once again Windows, so you end up with a bunch of useless .exe files in your Downloads folder.

BUT another type of cross platform attack which does work and is not uncommon is the installation of malicious chrome extensions. These will typically request the permission to

  • Read and change your data on all sites

Anyway, this requires the user to do something stupid and ignore the literal warning that the extension will have the permission to see and change anything you see (including for example your online banking interface).

Note: This doesn't start with a malicious site, so it doesn't really fall under the OP's question from the title, but does answer the question in the body.

Android: Passive attacks

Description of attack:

  1. You install and open a malicious android app
  2. Suddenly you have a virus (where a virus is once again defined as something that could steal your passwords or access your online banking)

Likelihood: The sandboxing on Android apps is so well done that as far as I currently know nobody has yet broken through it. This means practically that you are reasonably safe from this happening though. Of course, any permission you do grant to the android app - just like with the chrome extensions - can be used against you by a malicious player.

Linux attack surface

Description of attack:

  1. (Prequel) You enable linux applications (this is disabled by default and only for powerusers)
  2. You open some innocent looking file
    • Example: Some libreoffice document
  3. Suddenly you have a virus

Likelihood: Even if you do enable linux apps and you open yourself to more or less all the dangers or running normal linux, viruses on Linux are incredibly uncommon. See Mawq's answer for a discussion of this.

Improve this answer
6

Chrome OS has some features that make it very difficult for a virus to run, to elevate privilege to root, or to survive a reboot (become persistent).

  • The Chrome Sandbox (pdf) limits what a process can do. All operations are sandboxed, apart from basic CPU and memory usage. This means the renderer, javascript process, PDF renderer, etc. are sandboxed, and will not be allowed to execute arbitrary syscalls, write to arbitrary files, do network io, etc. unless those calls are explicitly allowed.

  • Verified Boot (Firmware boot). The Chrome OS boot happens in several stages. The first stage is a boot flash ROM, which is protected from writing by a hardware switch on the motherboard (this protection can be disabled if you want to flash your own boot loader). The Chrome firmware is stored in two writeable slots, but the signature is verified by the first stage, so it can't be arbitrarily modified and still boot. The kernel and initramfs are stored as GPT volumes and are signed, so those can't be modified either. The actual OS filesystem uses Verity to sign every block, and the signature is checked when a block is loaded, so the file system can't be modified either.

  • Constant updates. Chrome OS uses an A/B OS install so that security updates can be shipped regularly and automatically, with failed updates being easily reverted.

So, for a virus to run on the Chromebook, it would require a persistent compromise that chains something like:

  • an exploit to run native code (the virus)
  • a sandbox escape, to access the filesystem
  • a root exploit, in order to modify OS files
  • a "verified boot" exploit, targetting the firmware flash or filesystem, so that the modified OS files will be loaded on reboot
  • some way to spread to other Chromebooks (if we are talking about a traditional virus)

Google offer a $100k bounty for anyone who reveals such a persistent compromise. There are only a couple of instances (1,2) where this has been claimed. The second of these required chaining together five CVE vulnerabilities. Not easy.

Improve this answer
2
  • This is true if you take the "proper" definition of computer virus, but the OP was not likely using the "proper" definition of virus, but rather the common definition of virus which includes things like malware.
    – David Mulder
    Commented Jan 23, 2019 at 7:55
  • Yes, it depends how you define "malware". Malware, as it is usually known on Windows, would still need an ability to run code, escape the sandbox, and modify the file system to become persistent. But if you define malware as something that happens purely in the browser, like a malicious Chrome extension, then every OS that allows Chrome to be run is vulnerable.
    – bain
    Commented Jan 23, 2019 at 11:10
2

Do Chromebooks have vulnerabilities ?

Yes.

A brief search,at the time of writing this answer, on MITRE's CVE website by "chromebook" keyword, results in 9 vulnerability reports, all dated 2011 or 2012. Specifically, these mention "Acer AC700, Samsung Series 5, and Cr-48". According to the article in Security Week by Eduard Kovacs:

A researcher who uses the online moniker Gzob Qq informed Google on September 18 that he had identified a series of vulnerabilities that could lead to persistent code execution on Chrome OS, the operating system running on Chromebox and Chromebook devices.

The exploit chain includes an out-of-bounds memory access flaw in the V8 JavaScript engine (CVE-2017-15401), a privilege escalation in PageState (CVE-2017-15402), a command injection flaw in the network_diag component (CVE-2017-15403), and symlink traversal issues in crash_reporter (CVE-2017-15404) and cryptohomed (CVE-2017-15405).

So there's another set of CVE exploits dated 2017.

Attack surface:

Note that this does not take into account vulnerabilities in extensions from Google Store. Every additional extension may increase attack surface. An interesting example of an extension that violates user's privacy and puts machine into botnet service can be found in Trend Micro's article:

This botnet was used to inject ads and cryptocurrency mining code into websites the victim would visit. We have dubbed this particular botnet Droidclub, after the name of one of the oldest command-and-control (C&C) domains used.

In addition to the above features, Droidclub also abuses legitimate session replay libraries to violate the user’s privacy. These scripts are injected into every website the user visits. These libraries are meant to be used to replay a user’s visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things.

Of course, physical access to devices it a significant factor - hardware itself could be compromised.

Note that attack surface may increase of the Chromebook runs out of the support cycle, which currently is 5 years, according to PC World's article. While the article states there's no clarity on the situation, apparently Google does intend to provide security updates:

There is, however, one more wrinkle to this story: Given that security is “one of the key tenets of Chrome OS,” Google says it’s “working with our partners to update our policies so that we’re able to extend security patches and updates beyond a device’s EOL date.”

Google isn’t making any guarantees at this point, but it sounds like the company wants to extend updates—at least on the security side—beyond five years. It also sounds like device makers such as Acer and Samsung would be partially responsible for making that happen.

Conclusion

In short, yes, one can get exploits on Chrome OS. As mentioned Mawg's answer, Chrome OS uses Linux Kernel, so Windows-specific exploits won't affect Chrome OS. Nonetheless, that doesn't decrease the attack surface if Linux Kernel exploits are of interest.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .