X

How Chromebooks became the go-to laptops for security experts

Chrome OS has provided one of the most robust cases of “usable security” available. Here’s the design philosophy from Google that led to that.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
8 min read
Aaron Robinson/CNET

When the team behind Google's Chrome OS software and Chromebooks set out to reinvent the laptop, it quickly zeroed in on security as an area where it could bring a fresh perspective.

"On Chrome OS, we were like, 'We control all the pieces. We can do better,'" Will Drewry, a principal software engineer for Google's devices, and one of the founding fathers of the Chromebook, said in an interview in January.

The team wanted to build something that would fit this generation's needs, as well as address the rising crop of threats facing PCs.

"Security was thought of very differently back then because there weren't as many security attack vectors that are out today," Kan Liu, Google's director of product management, said in the same interview.

Liu and Drewry sent out a prototype unit, the CR-48, to security experts for feedback. The responses were surprising.

"A lot of the early feedback was very detailed on things like, 'Hey, the trackpad is terrible,'" Liu said.

Google CR-48 Chromebook
Enlarge Image
Google CR-48 Chromebook

Google's CR-48 was the first-ever Chromebook. When Will Drewry and Kan Liu, two of Chrome OS's founding fathers, sent it to security researchers, the feedback was more about issues with the trackpad.

Josh Miller/CNET

There was hardly a peep when it came to security flaws.

Nine years later, and Chromebooks are a smash success. Nearly three out of every five machines used in schools run the Chrome OS, according to researcher Futuresource Consulting

In fact, Chromebooks are so successful in the education world that on Tuesday, Apple held its latest iPad unveiling at Chicago's Lane Tech College Prep High School in an effort to re-establish its position in the area.

Thanks to the early focus on preventing cyberattacks, Chromebooks are also a hit with the security community. Security experts commonly recommend Chromebooks, whether it's for the relative who somehow always ends up with spyware toolbars or the researcher heading to a hackers' meetup. 

And it's not about complicated encryption or security tricks -- Chromebooks have gained popularity through a combination of affordability and simple but effective security.

Take Jake Williams, the founder of Rendition Security. He not only uses a Chromebook, he also says he's comforted by the fact that his daughter has one in school.

"I definitely feel like she is more safe on a Chromebook than a Windows laptop," he said.

Field-tested

Heading to my first security conference last year, I expected to see a tricked-out laptop running on a virtual machine with a private network and security USB keys sticking out -- perhaps something out of a scene from "Mr. Robot."

That's not what I got.

Everywhere I went I'd see small groups of people carrying Chromebooks, and they'd tell me that when heading into unknown territory it was their travel device.

Google's laptop brand first debuted in 2010 as a stripped-down computer with the web browser as the main operating system. Back then, Chromebooks were slow to gain acceptance because of their closed ecosystem, which meant an inability to download programs from the internet. But Chromebooks have now outsold both Windows and Mac laptops.

Alongside the bare-bones OS came a set of security features that, more than five years later, companies like Microsoft are still trying to catch up to. Fewer software choices mean limited options for hackers.

Those are some of the benefits that have led security researchers to warm up to the laptops.

"Chromebooks have a lot of strong security defaults," said Jessy Irwin, a security expert and head of security at Tendermint. "In security, everyone blames the user for being at fault. But Google's approach is really great because it makes it less likely for the user to mess up." 

In response, Microsoft introduced Windows 10 S, a locked-down version of its operating system that can run apps only from its approved app store. A spokeswoman for Microsoft called Windows 10 S computers "a compelling value prop against Chromebook" for security and functionality.

Chrome OS takes an approach to security that's similar to the one Apple takes with iOS and its closed ecosystem. An Apple spokesman said the company's iPads have the "same industry-leading protections" as the iPhone.

But there's a major difference in price. Chromebooks are cheap compared with iPads, which at their cheapest, are still $329. MacBooks, however, are open like traditional Windows PCs and are also much more expensive.

"If I dropped $2,000 on a nice Macbook Pro, and it gets lost or confiscated or stolen, I'd lose my mind," White said. "If my $150, $160 Samsung Chromebook did, then whatever, no big deal."

That's not to say Chrome OS is impervious to malware. Cybercriminals have figured out loopholes through Chrome's extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus. Malicious Android apps have also been able to sneak through the Play Store.

But Chrome OS users mostly avoided massive cyberattack campaigns like getting locked up with ransomware or hijacked to become part of a botnet. Major security flaws for Chrome OS, like ones that would give an attacker complete control, are so rare that Google offers rewards up to $200,000 to anyone who can hack the system.

Security in simplicity

chrome-os-team-2014

The Chrome OS team in 2014. Kan Liu, one of the original members, sits on the top right in a white shirt.

Google

While you can keep your computer secure through safe practices, antivirus scans and beefing up your settings, Google sought to create the most secure system right from the first boot, assembly not required.     

"If you want prehardened security, then Chromebooks are it," said Kenneth White, director of the Open Crypto Audit Project. "Not because they're Google, but because Chrome OS was developed for years and it explicitly had web security as a core design principle."

It goes back to what Liu, Drewry and the rest of the original Chrome OS team envisioned when creating a new breed of laptops.

The three design requirements for the Chromebook were "simplicity, security and speed," Liu and Drewry said. The three ended up playing off each other. The Chrome OS team wanted to keep it simple for users so the machines could run faster.

But by limiting the playing field, the OS was able to shut out common attacks from a decade ago, while preventing future tactics as well, Drewry said.

"Even if you don't know what attacks are coming in the future, you've limited the combinations," he said. "We've seen this over the years. Attackers would have to wind through a twisty maze of passages to get something that'd work."

Four features

But you can get only so far with simplicity alone. Drewry and Liu focused on four key features for the Chromebook that have been available ever since the first iteration in 2010: sandboxing, verified boots, power washing and quick updates.

These provided security features that made it much harder for malware to pass through, while providing a quick fix-it button if it ever did.

"That's the fundamental difference between how Chrome OS works and how any other computer at the time worked," Liu said.

But what is sandboxing? And what's power washing? (Hint: It doesn't include water.) Here's a breakdown of the four key features.

  • Sandboxing
chromeos-sandboxing
Enlarge Image
chromeos-sandboxing
Aaron Robinson/CNET

The Chromebook's browser was designed so that each tab would be considered its own process.

Drewry had noticed that malware often took advantage of programs that had open access to the rest of the computer. So on Chrome OS, each tab, which the Chrome team called the "Render," had all the code it needed to function properly, meaning it didn't need to go outside and access any other files.  

Data outside the browser would go through a tool the Chrome OS team calls "Minijail," which makes sure the system is delivering only the requested data and nothing more.

So even if a browser-based attack passed through, it would be only on that specific tab, Drewry said.

  • Verified Boot
chromeos-verified
Enlarge Image
chromeos-verified
Aaron Robinson/CNET

This is Google's variation of Secure Boot, a feature available on Windows and Apple devices. Google's team wanted to make sure that when Chromebooks started, they were running software that couldn't be changed.

Every single line of code that runs at startup is checked to make sure it came from Google, and wasn't modified by malware.

"They've been thoughtful about that boot process, so that when you hit the power button, you're able to trust that startup a bit more than with other devices," Irwin said.

If anything was altered, it heads to a recovery mode for Chromebooks, which is also stored on the secure processor and can't be modified.

  • Power Washes
chromeos-washing
Enlarge Image
chromeos-washing
Aaron Robinson/CNET

This feature allows people to completely reset their Chromebook to factory settings with the push of a single button, making it simple to get back to a clean state.

It's helpful for when you think you've been affected by malware, or if you're traveling and want to make sure you're not carrying any sensitive data on your devices.

"It's one of our key features," Drewry said. "Because if something goes crazily wrong, what do you do?"

Going back to factory settings can often be difficult on other devices, with multiple steps to return to square one. For Chrome OS, it's available right through the settings.

  • Patching
chromeos-updates
Enlarge Image
chromeos-updates
Aaron Robinson/CNET

Security patches aren't unique to Chromebooks, but Google's process and dedication to their rollout is.

The company guarantees a Chromebook will receive updates for up to seven years after it's first released.

Even the CR-48, the first Chromebook, which was shipped out only to invited testers, continued to get updates up until last May. That's a stark difference from millions of outdated devices that no longer receive needed security updates.

More than 90 percent of Chromebook users are using the latest versions of software, according to Google.  

Liu said if there are any security flaws that need an urgent patch, Google is able to roll out the fix within 48 hours. The updates also happen in the background, thanks to a new process Chrome OS introduced with its debut. 

Instead of asking users to install the updates, Drewry said, Chrome OS has two copies of what's running, a Version A and a Version B. Whenever a new update comes, it happens on Version B, and once everything is ready, the Chrome OS loads up the updated version at the next reboot.

"It's something that they don't ever have to think about," Liu said. "It just happens."

Usable security

There's a major difference between what's the most secure and what's the most convenient. Chromebooks aim for that sweet spot in between, said Drewry and Liu.

It goes into the concept of "usable security." While you may be able to set up a VPN and two-factor authentication with a USB key, you probably don't want to do that for all your relatives.

"I'm not going to give a nontech colleague the advice to run Linux," White said. "I'm going to be on the phone with them constantly helping. Even as a geek, I don't want to screw around with something. I want to get stuff done."

White put together a guide to making the Chromebook as secure as possible, a process that, he said, takes only about 15 minutes. But even without his quick enhancements, the vanilla version of Chrome OS works just as well for security.

It's not the most secure device you could have, but it's the most secure with the easiest learning curve.  

"This was my personal standard," Drewry said. "Can I give it to kids? Can I give it to friends and family? Can I give it to security experts?"

Correction, 9:10 a.m. PT: This story originally misstated when the Automatic Updates feature became available. That feature has been available since Chrome OS launched.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Does the Mac still matter? Apple execs explain why the MacBook Pro was over four years in the making, and why we should care.