Storing Data on Chromebook®? Beware of the Risks

Chromebook is a family of devices, including the laptops, tablets, convertible, and detachable form factors running on the Chrome OS, a Linux-based operating system from Google. Chromebooks are available from various OEMs, such as Acer, ASUS, Dell, Google, HP, Lenovo, and Samsung. Chromebook Pixel and Pixelbook are high-end variants of the Chromebook. There are a few other types of Chrome OS devices, such as the Chromebox desktop and the Chromebase all-in-one device.

Chromebooks mainly rely on the Google Chrome browser to perform tasks, and they store a majority of the data on the cloud. Their reliance on cloud infrastructure allows them to perform well using the basic hardware. And with almost no moving components (like a fan) and simpler processor chips, they offer higher durability than traditional PCs. However, Chromebooks – like traditional laptops or desktops ­– are susceptible to data breach and leakage as they also store data on the built-in SSDs aside from the cloud.

The following sections illustrate the risks:

In 2019, Google engineers discovered a vulnerability in the H1 chip firmware. The chip generated truncated Elliptic Curve Digital Signature Algorithm (ECDSA) cryptographic signatures that are easier to hack and break into the system. This vulnerability could lead to a data breach, later fixed by installing the Chrome OS v75 update and registering the new keys with websites earlier authenticated with the faulty security key. Though the vulnerability is fixed, there is no guarantee of new issues cropping up silently, compromising your sensitive data.

• Chromebook Data Storage – Not all is on Cloud
  Although Chromebooks store most of the data on Google Drive, they have built-in SSDs like those in a Windows laptop or MacBook to allow local data storage and app installation. These SSDs can store sizable data. The fact that Chromebook is primarily designed for web-based computing and cloud storage can divert the users’ attention from this ‘local data’ comprising sensitive information such as web browsing history, downloaded files, confidential documents, etc. The very “presence” of this data on the hard drive creates direct and indirect vulnerabilities due to hackers, data brokers, human errors, lack of awareness, etc.
  As a business, you might have addressed the data breach threats using system passwords, antivirus programs, and other protections. But, some other critical but less known risk scenarios may lead to data leakage, mainly when the Chromebook leaves your organization’s custody. Imagine your organization needs to handover several Chromebooks for repair or upgrade to the AMC, or you are exchanging the devices; the data stored on the Chromebook SSDs is vulnerable to exposure and leakage. Similar risks can emerge when a field team in an organization needs to return the Chromebook devices taken on lease. These and other similar situations can expose your sensitive business information or leak an individual’s PII with implications like identity theft, financial fraud, intellectual property theft, data breach incidents, bad publicity, and even litigation.
• Chrome OS Built-in Security Key – Not Enough for Data Security
  Chromebook uses a built-in security feature of Chrome OS that allows the users to initiate a Universal 2nd Factor (U2F) by pressing the device’s power button. This feature allows using the Chromebook device itself for authentication when the user registers or logs on to a website. Pressing the power button generates and sends a cryptographic token to the website for authentication. This built-in security key feature is embedded in a large number of Chromebooks made by Dell, HP, Acer, Samsung, ASUS, Lenovo, having H1 CR50 chip.

Data Erasure is the Savior

So far, the blog establishes that the data stored on a Chromebook is vulnerable to breach and leakage risks. And the only way to nullify the risks is to permanently remove this data such that no one can access or recover it. Here, it is worth noting that actions like data deletion, formatting, and factory reset cannot guarantee permanent data removal. Anybody in possession of the device can potentially retrieve the data using a publicly available data recovery tool.

The Data Erasure technique can address this problem by overwriting the existing data with unique binary patterns, rendering the data unrecoverable using any method or tool. Data erasure techniques are primarily implemented using data erasure software that automates the task for efficient execution.

A professional data erasure software such as BitRaser could be your best choice to wipe the Chromebook. The tool uses proprietary techniques to “overwrite” the existing data on the Chromebook hard drive. It can offer you ‘total peace of mind’ with safe & secure sell-off, return, reallocation, or exchange of the device without any apprehension concerning your data. It is an easy-to-use DIY tool that also generates documented proof after wiping the Chromebook.

Want to know how to erase Chromebook?

Read our quick, easy-to-understand software KB on how to erase Chromebook using BitRaser Drive Eraser. Using the software, you can start erasing your Chromebook in less than 15 minutes and safeguard your data privacy across all threat scenarios.

About The Author

Pravin

Pravin Mehta is a Sr. Content Specialist with more than 14 years in Information Technology and services industry. He has contributed opinion posts and technology articles to multiple media sites globally. He served as the Content Lead for Microsoft India web properties in the recent past.