How Chromebooks became the go-to laptops for security experts

Aaron Robinson/CNET

When the team behind Google’s Chrome OS software and Chromebooks set out to reinvent the laptop, it quickly zeroed in on security as an area where it could bring a fresh perspective.

“On Chrome OS, we were like, ‘We control all the pieces. We can do better,’” Will Drewry, a principal software engineer for Google’s devices, and one of the founding fathers of the Chromebook, said in an interview in January.

The team wanted to build something that would fit this generation’s needs, as well as address the rising crop of threats facing PCs.

“Security was thought of very differently back then because there weren’t as many security attack vectors that are out today,” Kan Liu, Google’s director of product management, said in the same interview.

Liu and Drewry sent out a prototype unit, the CR-48, to security experts for feedback. The responses were surprising.

“A lot of the early feedback was very detailed on things like, ‘Hey, the trackpad is terrible,’” Liu said.

Google’s CR-48 was the first-ever Chromebook. When Will Drewry and Kan Liu, two of Chrome OS’s founding fathers, sent it to security researchers, the feedback was more about issues with the trackpad.


There was hardly a peep when it came to security flaws.

Nine years later, and Chromebooks are a smash success. Nearly three out of every five machines used in schools run the Chrome OS, according to researcher Futuresource Consulting.

In fact, Chromebooks are so successful in the education world that on Tuesday, Apple held its latest iPad unveiling at Chicago’s Lane Tech College Prep High School in an effort to re-establish its position in the area.

Thanks to the early focus on preventing cyberattacks, Chromebooks are also a hit with the security community. Security experts commonly recommend Chromebooks, whether it’s for the relative who somehow always ends up with spyware toolbars or the researcher heading to a hackers’ meetup.

And it’s not about complicated encryption or security tricks — Chromebooks have gained popularity through a combination of affordability and simple but effective security.

Take Jake Williams, the founder of Rendition Security. He not only uses a Chromebook, he also says he’s comforted by the fact that his daughter has one in school.

“I definitely feel like she is more safe on a Chromebook than a Windows laptop,” he said.


Heading to my first security conference last year, I expected to see a tricked-out laptop running on a virtual machine with a private network and security USB keys sticking out — perhaps something out of a scene from “Mr. Robot.”

That’s not what I got.

Everywhere I went I’d see small groups of people carrying Chromebooks, and they’d tell me that when heading into unknown territory it was their travel device.

Google’s laptop brand first debuted in 2010 as a stripped-down computer with the web browser as the main operating system. Back then, Chromebooks were slow to gain acceptance because of their closed ecosystem, which meant an inability to download programs from the internet. But Chromebooks have now outsold both Windows and Mac laptops.

Alongside the bare-bones OS came a set of security features that, more than five years later, companies like Microsoft are still trying to catch up to. Fewer software choices mean limited options for hackers.

Those are some of the benefits that have led security researchers to warm up to the laptops.

“Chromebooks have a lot of strong security defaults,” said Jessy Irwin, a security expert and head of security at Tendermint. “In security, everyone blames the user for being at fault. But Google’s approach is really great because it makes it less likely for the user to mess up.”

In response, Microsoft introduced Windows 10 S, a locked-down version of its operating system that can run apps only from its approved app store. A spokeswoman for Microsoft called Windows 10 S computers “a compelling value prop against Chromebook” for security and functionality.

Chrome OS takes an approach to security that’s similar to the one Apple takes with iOS and its closed ecosystem. An Apple spokesman said the company’s iPads have the “same industry-leading protections” as the iPhone.

But there’s a major difference in price. Chromebooks are cheap compared with iPads, which, at their cheapest, are still $329. MacBooks, however, are open like traditional Windows PCs and are also much more expensive.

“If I dropped $2,000 on a nice MacBook Pro, and it gets lost or confiscated or stolen, I’d lose my mind,” Kenneth White said. “If my $150, $160 Samsung Chromebook did, then whatever, no big deal.”

That’s not to say Chrome OS is impervious to malware. Cybercriminals have figured out loopholes through Chrome’s extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus. Malicious Android apps have also been able to sneak through the Play Store.

But Chrome OS users mostly avoided massive cyberattack campaigns like getting locked up with ransomware or hijacked to become part of a botnet. Major security flaws for Chrome OS, like ones that would give an attacker complete control, are so rare that Google offers rewards up to $200,000 to anyone who can hack the system.

Security in simplicity



While you can keep your computer secure through safe practices, antivirus scans and beefing up your settings, Google sought to create the most secure system right from the first boot, assembly not required.

“If you want prehardened security, then Chromebooks are it,” said Kenneth White, director of the Open Crypto Audit Project. “Not because they’re Google, but because Chrome OS was developed for years and it explicitly had web security as a core design principle.”

It goes back to what Liu, Drewry and the rest of the original Chrome OS team envisioned when creating a new breed of laptops.

The three design requirements for the Chromebook were “simplicity, security and speed

