Why I use a Chromebook for CTFs and InfoSec

My Chrome OS Desktop

TLDR; I use a chromebook for ctfs and infosec and I love it. Here’s why.

What do you think of when you hear the word “chromebook”? Does a small bland laptop come to mind, akin to those found in public schools? Or maybe something closer to netbooks, lacking functionality and not meant for doing anything resembling real work.

Truth be told, that is what chromebooks were for a while. When they were first introduced in 2011, all a chromebook could do is browse the web and nothing more. Sure there was the chrome web store but it was basically just browser extensions with a GUI.

However, Chrome OS has come a long way being over a decade old since it was announced in 2009. Today, Chrome OS could give Windows or OSX a run for its money for basic tasks. Not to mention chromebooks have gotten a lot nicer with better build quality, longer battery life, and an overall snappier experience thanks to its optimization. Now I should state that I have used Windows 10, OSX, and multiple flavours of linux, and I am NOT bashing those operating systems. I have a Windows 10 laptop for gaming and other purposes, and there definitely are things that a chromebook cannot do but for this use case it is my go-to machine.

Regardless, where Chrome OS really shines is in web development. As of September 2018, Chrome OS version 69 was pushed into the stable channel and with it brought linux apps to chromebooks. This meant that for the first time, linux apps could be run natively instead of having to install and boot into a separate linux distribution on the machine. The beauty behind this was how it was integrated. From the user perspective, you could open a terminal within Chrome OS and install apps as you would on a linux machine. Those apps would then show up in your launcher with its own icons and everything. Not to mention you could access your linux home directory right from the file browser.

VMC stopping and starting containers

On the backend is where things were really interesting though. Although the user would just see a terminal and its apps, linux was actually running in a virtualized container in the background! Chrome OS used its own platform ‘vmc’ to start a lightweight virtual machine, and within that virtual machine it ran lxc containers. The cool thing is how they managed to map everything to make the experience seamless to the user. The user did not have to mess around with network routes, directory mapping, nothing.

This opened up a whole new use case for chromebooks as you could install word editors, web servers, frameworks, and access it all natively though the penguin.linux.test address in your browser.

Web Development on Chome OS

So thanks to linux support, besides being a snappy OS it now had an actual use case for work.

This is where I started to gravitate towards Chrome OS more than my Windows or OSX laptops.

After doing some research on the inner workings of Chrome OS and how it supported linux apps I had a great idea. If I can create a separate vm and container then add kali linux repos what would happen? I ended up with a chromebook that could run metasploit in a sandboxed environment.

Now I can hear all the skeptical people already, “So you can run security tools on a chromebook, so what? You could always just install a virtual machine on Windows or OSX”. But here’s where Chrome OS is different on an operating system level. All of chromebook’s security features still apply even when running linux apps.

There’s a reason that a lot of schools use chromebooks, they’re just easier to manage and service compared to other operating systems. I’ll leave a link to page explaining the security features of Chrome OS but to summarize it consists of:

  • Application sandboxing
  • Automatic updates (non-intrusive)
  • Hardware based Verified boot
  • Hardware based Data encryption
  • Easy recovery through powerwash

Through a mix of both software and hardware security measures, Chrome OS turns out to be a pretty secure platform.

This all ties in with why I use my chromebook for CTFs and InfoSec. My chromebook has all the tools I need, it’s in a sandboxed environment, and if I really need to I can just reset Chrome OS and log back in with all my settings and data. It’s a no hassle experience and I find it much easier to use than Windows, OSX, or even Linux as it would take some time to set up and get the containers and data backup working as nicely as it does in Chrome OS. (Yes, I’ve tried Docker too.)

Running Metaploit, Burp, and gobuster

My chromebook has become my daily machine and I’ve used it for CTF challenges, hackthebox, and just InfoSec tasks in general with peace of mind thanks to security in depth. So if web development or InfoSec is your thing, maybe give a chromebook a try.*

*don’t expect a $150 chromebook to do everything you want it to do. A $150 Windows laptop wouldn’t, so don’t ask for the impossible. You get what you pay for.

In the end disregarding all the technical stuff, I use my chromebook because I like the experience. Regardless of what OS you use, if it works for you then it works for you. This is just my take on an underrated use-case for Chrome OS. Thanks for reading.


My Chromebook: