First there was the laptop. Then the notebook. The netbook is the most recent addition to mobile devices with hardware keyboards. That is, until today. Google has officially launched a new cloud-OS-based mobile device dubbed the ChromeBook.
As a netbook with an operating system that amounts to little more than a web browser, the device purports to not only match the functionality of a "normal" netbook, but surpass it thanks to file storage residing in the cloud, automatic updates to the OS, virtually unlimited applications, and an eight-second boot time.
Google further states that the device is capable of all the promised feats while remaining secure. Security is accomplished by several independent strategies. The OS splits up system settings and user settings, and each ChromeBook allows only one "owner" per device. The owner is able to allow other users to log in to the device as well, whether it is with their Google account or as a guest. Guest Mode does not sync or cache data, and all system settings are kept out of the session, including network configuration. Each process is sandboxed in an effort to reduce the likelihood of cross-process attacks. Further, the browser and plugin processes are not given direct kernel interface access. Toolchain hardening seeks to limit exploit reliability and success. The file system has several restrictions, including a read-only root partition, a tmpfs-based /tmp, and user home directories that cannot contain executable files.
Further, ChromeBooks utilize a secure automatic update system and Verified Boot that seeks to eliminate attacks tampering with the underlying code. All updates are downloaded over SSL, and are required to pass various integrity checks. The version number of updates is not allowed to regress, meaning that only updates with a version number higher than those already installed on the system are allowed to install. Further, on the next boot-up, the updates undergo a further integrity check in the form of what Google calls "Verified Boot."
According to Google, Verified Boot "provides a means of getting cryptographic assurances that the Linux kernel, non-volatile system memory, and the partition table are untampered with when the system starts up." The process depends on a "chain of trust" which is created using custom read-only firmware rather than a TPM (Trusted Platform Module) device. The read-only firmware checks the integrity of the writable firmware, and if it passes then the writable firmware is used to check the integrity of the next component in the boot-up process. While Verified Boot does not protect against dedicated attackers, it does provide a safe recovery option when re-installing, and it detects changes made by a successful run-time attack as well as file or writable firmware changes made by an attacker with a bootable USB drive.
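The chain of trust and the no-regression update rule described above can be modelled in a few lines. This is an added illustration, not Google's code: the `Stage` class, the function names and the sample payloads are all hypothetical, and a plain SHA-256 digest stands in for whatever cryptographic check the real firmware performs.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Stage:
    name: str
    code: bytes
    next_digest: str = ""  # expected digest of the following stage ("" for the last)

    def digest(self) -> str:
        # Cover the code and the embedded expectation, so neither can be swapped alone.
        return hashlib.sha256(self.code + self.next_digest.encode()).hexdigest()


def seal(stages):
    """Fill in next_digest from the last stage back to the root, as a build step would."""
    for cur, nxt in zip(reversed(stages[:-1]), reversed(stages[1:])):
        cur.next_digest = nxt.digest()
    return stages


def verified_boot(stages):
    """Walk the chain from the read-only root; return (ok, name of first failing stage)."""
    for cur, nxt in zip(stages, stages[1:]):
        if nxt.digest() != cur.next_digest:
            return False, nxt.name  # stop here: nothing later may be trusted
    return True, None


def accept_update(installed, offered):
    """Version numbers may not regress: only a strictly higher version installs."""
    return tuple(offered) > tuple(installed)


def demo():
    # Constructed sample images; stages[0] models the read-only firmware (the anchor).
    chain = seal([
        Stage("read-only firmware", b"ro-fw"),
        Stage("writable firmware", b"rw-fw"),
        Stage("kernel", b"kernel-v2"),
    ])
    clean = verified_boot(chain)
    chain[2].code = b"kernel-v2+modified"  # offline change to the kernel image
    tampered = verified_boot(chain)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
    print(accept_update((1, 2, 1), (1, 1, 9)))
```

Because each stage's digest covers the expectation it holds for the next stage, rewriting the writable firmware to "bless" a modified kernel is itself caught by the read-only stage.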
In future iterations of the OS, Google is pursuing driver sandboxing as well as implementing a secure method for auto-logins. Further, Google states that they are interested in pursuing biometric security if they are able to ensure their authentication software is secure when using low cost hardware. Also on the agenda is implementing a "single signon" system that would allow users to log into third party sites using credentials generated by their Google account.
Hardware running Chrome OS is not new, however. Google’s CR-48 notebook has been in the wild for months, allowing thousands of users the chance to try out the new operating system and its accompanying hardware. Both Acer (11.6", $349) and Samsung (12.1", $429 wifi only) have stepped up to the plate and are offering ChromeBooks at launch. What is new, however, is the way in which users are able to purchase the hardware. While consumers will still be able to purchase a ChromeBook from retailers, Google has announced a new subscription option for school and business users. The new subscription service would allow students to receive a ChromeBook for $20 a month, while business users would pay $28 a month. In order to get the subscription price, schools and businesses must enter into a three-year contract. The subscription price includes the "hardware, operating system, updates and cloud-based management" along with online, email, and telephone support directly from Google. The monthly subscription further includes regular hardware refreshes.
It is apparent that Google sees its largest market for ChromeBooks as being large businesses and schools, which can then manage a fleet of ChromeBooks for their users at a much lower cost than maintaining hundreds of traditional computers. While large IT departments are likely to see the cost benefits, it remains to be seen how consumers will react to this subscription-based model. Subscriptions have become more prevalent, with the majority of the US using cell phones with monthly contracts. On the other hand, users, students especially, are used to buying a computer outright. Will the lure of low-cost subscription ChromeBooks be enough to break consumers’ traditional thoughts on purchasing computers? Will students accept remotely administered computers in exchange for a low-cost subscription?