Security: Lock function is not working with external screen attached
Reported by jur...@jurjendevries.com, Mar 30 2018
Issue description

VULNERABILITY DETAILS
When an external screen is attached to a Chromebook, the setting "Show lock screen when waking from sleep" enabled in combination with the setting "Sleep when lid is closed" enabled is not working. The second screen is overruling the setting, while there is no setting for this, and from the user's perspective on these settings it is expected to be protected when closing the lid. This situation can even happen when the second screen is in standby and not displaying the output.

VERSION
Chrome Version: 64.0.3282.190 (Official Build) (64-bit) stable
Operating System: Chrome OS 64.0.3282.190 (Official Build) (64-bit) stable

REPRODUCTION CASE
1. Start a session on a Chromebook (in my case a Pixelbook).
2. Go to settings "Show lock screen when waking from sleep" and be sure it is enabled.
3. Go to settings "Sleep when lid is closed" and be sure it is enabled.
4. Connect an external screen. In my case an HDMI iiyama ProLite E2483HS monitor. Optionally you can have the monitor be powered off, so you don't mention your computer is still unlocked.
5. Close the screen of the Chromebook. From here on you will expect it to go into sleep mode.
6. Open the screen of the Chromebook. The Chromebook isn't locked.
Apr 3 2018
I think this is working as intended, though "intended" here could be un-intuitive. This is what we call "dock mode", and it definitely intends to keep the screen unlocked when you close the lid with an external monitor connected, and keep the screen unlocked when you re-open the lid. The idea here being that folks who dock their computers and use them with an external monitor and keyboard/mouse combo want this behaviour: lock the screen when nothing is connected to it, but let me keep working when something *is* connected.

Using this as part of an attack would require physical access to the computer, and moreover would require the victim to not notice that there was a monitor on their desk, and if there were, to not notice that it was plugged into their computer. This appears to be a little far-fetched.

One interesting corner case is that, at least on a MacBook Pro, if you plug in an external monitor, see your desktop extended to said external monitor, disconnect the external monitor, and then open the lid back, the screen won't be locked. I don't have a Chromebook with a DP port here to test. Maybe the behaviour is the same. You could argue that if the monitor is disconnected while the lid is closed, the computer should lock the screen.

Given that the original report doesn't cover this corner case, this really is WAI, and at most SecSev-Low. Will leave open for discussion for a little bit.
Apr 3 2018
Perhaps we could update settings descriptions (in particular "Sleep when lid is closed") to make this behavior more predictable? Definitely agree we don't want to break docked mode.
Apr 4 2018
May 3 2018
Updating setting descriptions would be a functional rather than a security issue. Removing restrictions.
Nov 21
We haven't had any other reports of this; I think most users understand the intended behavior. I'll close.
Comment 1 by elawrence@chromium.org, Mar 30 2018
Labels: OS-Chrome