What you need to know
- Google is working on bringing data access protection for PCI devices to Chrome OS.
- Recent commits spotted on the Chromium Gerrit include references to a new Chrome OS component that restricts data access from external PCI devices.
- The security feature could make its way to Chromebooks later this year.
Google is working on a new security feature for Chrome OS, which will prevent externally connected peripherals from accessing data stored on your Chromebook. The folks over at Android Police have discovered a series of commits on the Chromium Gerrit that include references to a new Chrome OS component called Pciguard. The new component restricts data access from external PCI devices that use Thunderbolt 3 or USB4.
If you're on the Chrome OS Canary channel, you can already protect your data by enabling the experimental chrome://flags/#enable-pci-guard-ui from the drop-down menu. Once you restart your Chromebook, you should see a new toggle for Data access protection in Chrome OS settings.
Here's how the feature actually works:
After plugging in an external PCI device, the Chrome OS Type-C daemon collects low-level information about it—such as if the peripheral supports Thunderbolt—and forwards the data to the Typecd D-Bus client. PciePeripheralManager will then observe the D-bus client for events and use it to send notifications to the system tray. If the user is on a guest account and connects a thunderbolt-only peripheral, Chrome OS will block data access due to security risks with direct memory access. USB4 devices will continue to work, albeit with limited performance.
After you enable the feature, your data will no longer be vulnerable to unauthorized access from peripherals. However, you may have to disable it for some devices to work properly. Since it doesn't require any special hardware, enhanced peripheral protection won't be limited to just the best Chromebooks. The security feature is likely to make its way to all recent Chromebooks sometime later this year.
