A group of cyber-security researchers identified security vulnerabilities in the Amazon Kindle, a popular e-reading device, that might have allowed attackers to take complete control of the device, allowing them to steal information stored on it.
According to a Check Point Research (CPR) team, a threat actor might have used the security flaws to target specific demographics and gain full control of a Kindle device by luring victims into accessing a malicious e-book.
The researchers revealed to Amazon of their findings, and in April of this year and Amazon released a patch via a Kindle firmware upgrade. On devices that are connected to the Internet, the patched firmware is installed automatically.
Yaniv Balmas, Head of Cyber Research at Check Point Software, said “By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information,”
The Kindle, like other Internet of Things devices, is frequently dismissed as a security risk.
Balmas added “But our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers,”
A malicious e-book is sent to a victim as part of the exploitation.
The victim only needs to open the e-book after it has been delivered to begin the exploit chain.
To execute the exploitation, the victim does not need to give any other indication or interactions.
The researchers demonstrated that an e-book may have been exploited as malware against Kindle, resulting in consequences.
An hacker could, for example, delete a user’s e-books or turn the Kindle into a malicious bot that could attack other devices on the user’s local network.
The CPR team noted that “Amazon was cooperative throughout our coordinated disclosure process, and we’re glad they deployed a patch for these security issues,”