Check Point Research found security flaws in Amazon Kindle, which confirm that it could be hacked using a single malicious ebook. Researchers feared that these vulnerabilities would allow targeting of specific demographics.
Check Point Research, a leading provider of cybersecurity solutions worldwide, found security flaws in Amazon Kindle, the world’s most popular e-reader.
If exploited, these flaws would have allowed a cybercriminal to take full control of a user’s Kindle and to steal the device’s token or other sensitive information stored on the device, such as bank details.
It is worth mentioning that the vulnerability is triggered by downloading a malicious ebook on a Kindle device.
“We have found vulnerabilities in Kindle that would have allowed a cybercriminal to take full control of the device. By sending Kindle users a malicious ebook, he could have stolen any information stored on it, from Amazon account credentials to banking information,” warns Gery Coronel, country manager for the South Latin America Region at Check Point Software.
He also notes that “Kindle, like other IoT devices, is usually considered innocuous and is not considered a security risk. But our research shows that any electronic device is vulnerable to attack. Everyone should be aware of the cyber risks of using any computer-connected item, especially something as ubiquitous as Amazon’s Kindle.”
Since 2007, Amazon has sold tens of millions of Kindles, and many of their users could potentially have been breached through a bug in the device’s software. Compromised devices could be turned into bots, used to attack their owners’ private local networks, or have their billing account information stolen.
The easiest way to remotely access a user’s Kindle is through an ebook. Indeed, it is possible to publish a malicious book and make it available for free access in any virtual library, including the Kindle Store, through the “self-publishing” service, or send it directly to the end user’s device through Amazon’s “ship to Kindle” service.
This hack involves sending the malicious ebook to the victim; once the ebook is opened, it starts the malware chain. No further prompting or interaction is required to execute the exploit.
Check Point Research has shown that such a malicious ebook could be turned into malware against Kindle, leading to a number of consequences such as, for example, the deletion of a user’s ebooks or the Kindle being turned into a malicious bot that attacks other devices on the user’s local network.
Targeting demographics based on language
The security flaws could eventually make it tremendously easy for a cybercriminal to target a very specific audience for any type of attack, which is of considerable concern to CPR researchers.
For example, if the attacker wanted to target a particular group of people or a particular region, they would only need to select a popular e-book in the relevant language to orchestrate a very precise cyberattack.
CPR already disclosed its findings to Amazon in February 2021. The company deployed a fix in version 5.13.5 of the Kindle firmware update in April 2021. The patched firmware is automatically installed on Internet-connected devices.
“In this case, what alarmed us most was the degree of accuracy of the potentially targeted victim. These security vulnerabilities make it possible to target a very specific audience. To use a random example, if a cybercriminal wanted to target Romanian citizens, all he would have to do is publish some free and popular e-book in the Romanian language,” Coronel points out.
And he details that “from there, he could be pretty sure that all his victims would indeed be from this country: that degree of specificity in offensive attack capabilities is highly sought after in the world of cybercrime and cyberespionage.”
“In the wrong hands, those offensive capabilities could cause serious damage, which was of great concern to us. Once again, we have demonstrated that we can find these types of security vulnerabilities to ensure that they are mitigated before ‘real’ attackers have the opportunity to exploit them,” the specialist concludes.