Out of the box, they only accept Google OS updates. For reference, the OS is basically Gentoo+Chrome.

If you've a mind to, you can put the Chromebook in "developer mode" with a magic sequence of commands (requiring physical access as it's a boot procedure). This gives you root. To protect naive users from being exploited, a Chromebook in developer mode will display a nasty warning on boot. This warning lingers on the screen for an annoying amount of time, accompanied by a beep. The only way (and it's undocumented) of skipping the wait and the beep is with Ctrl-D; pressing any other key while on this screen results in the Chromebook being completely reset. All this is to ensure that it's virtually impossible to run under developer mode unintentionally.

If all this gets too annoying and you want to use the Chromebook as a fully general device, you can blow it away by replacing the bootloader. Doing this requires disabling write-protection on the flash, which requires opening the case.

Disclaimer: I own a Samsung ARM Chromebook. For all I know the precise details may vary across the Chromebook line, though I believe they all work similarly. Fuller details are here: https://www.chromium.org/chromium-os/developer-information-f...

Interesting, but from your description it sounds like if I can get my hands on someone else's Chromebook I can still put it into developer mode and install my own software on it, right? Sure, this mostly prevents someone from using a Chromebook that someone else installed malicious software on, though if that other person had time to open the case they could even get around that. But this doesn't solve the case of I have a device with private info on it, you get the device, and want to bypass the security measures on the device to get at my data. Or in other words, it doesn't solve the situation seen in the recent Apple vs FBI case.