Chromebook users should keep an eye out for a new notification on their devices, pointing to an internal security key reset following Google’s patch of a disclosed vulnerability in its H1 security chip firmware. Failing to reset the security keys could leave a Chrome OS gadget open to attack, following an update that patched the vulnerability.
The notification appears in an orange coloration, denoting its urgency. The included text informs users that their internal security key is insecure. As such, the key needs to be removed from any services it's being used with. Then the key needs to be reset.
The notification presents users with a link to more information and a link to reset.
It's important that users follow the process of removing the key from any sites or services that's been set up to protect before resetting. Otherwise, they run the risk of not being able to sign back in without serious difficulty after resetting the key.
Why does your Chromebook need an internal security key reset?
Leaving the current security active, for those that haven't reset yet, presents another problem. Google has reportedly confirmed that the risk is minimal and the vulnerability difficult to access. The enterprise environments and highly-sensitive data the H1 chips are generally intended to protect are more likely to be targeted.
The minimal nature of the risk primarily comes down to the fact that the impacted universal two-factor (U2F) security key feature is still experimental. So not many users are accessing sites or logging in using the U2F solution.
Summarily, Google confirmed that an error in the generation of the security key's "secret value" allowed the underlying ECC private key to be accessed. The private key can then be computed using just a single pair of signature and signed data. The search giant concludes that all previously-generated keys need to be considered "cryptographically broken."
Once a bad actor has access to that private key, the user's password is all that remains between their sensitive data and a breach.
Fixed with Chrome 75 but that's not good enough
Google technically patched the problem in question way back in Chrome OS 75. The operating system is currently at version 76 but that doesn't necessarily fix things without a reset. Rather than informing users of the problem via a notification in Chrome 75, Google waited until the current version to do so.
The search giant also didn't widely disclose the problem, leaving only an advisory on a Chromium OS security advisories page. Because of that delay, many end-users were left with compromised H1 security chips since the update landed in June. It wasn't until Chrome OS 76 landed that an alert began to appear for users.
To fix the problem, users will need to first make sure their H1 security firmware is updated. Google says that can be accomplished by navigating to the "chrome://system" URL. The version is listed at the "RW" line under the "cr50_version" subsection. The version number needs to be 0.3.15 or newer for the fix to be in place.
A list will need to be generated of services and sites registered with the security key too. That's going to be a manual process. Then, users will need to remove the key from those services. Typically, that can be accomplished by looking under a site's security or account settings. Ordinarily, the option is available to "remove" or "unregister" those but terms and methods will be different from site to site.
The security key will need to be reset, following the notification that appears as described above.