Wednesday, 11 June 2014

Are Chromebooks insecure travel companions?

Do not connect a Chromebook to a public wireless network if you don't want to risk leaking personal information.

This advice is not some half-baked journalistic opinion but comes direct from the UK government’s National Technical Authority for Information Assurance (CESG).

The CESG advises that even for data with the lowest security classification [PDF], labelled 'OFFICIAL', Chromebooks are unsuitable for a number of reasons, one being that the Virtual Private Network (VPN) included is not up to scratch and there are no viable alternatives.

Yesterday the organisation published its End User Devices Security Guidance: Chrome OS, which states:
"The VPN has not been independently assured to Foundation Grade, and does not currently support some of the mandatory requirements expected from assured VPNs. The VPN can be disabled by the user and some Google traffic is sent prior to the VPN being established resulting in potential for data leakage onto untrusted networks. Without assurance in the VPN there is a risk that data transiting from the device could be compromised"
There is a similar warning in the Android guide that the in-built VPN for Android 4.4 has not been assured, although it does not appear to leak data automatically and there are alternatives available.

If you don't use a VPN when using public WiFi then you are at no greater risk when using a Chromebook than any other device, but if you are security conscious and want to stay safe when moving around at home and abroad it's better to stick with an Android tablet than move over to a Chromebook.