Check Point Research (CPR) found security flaws in Amazon Kindle, the world’s most popular e-reader. By tricking victims into opening a malicious e-book, a threat actor could have leveraged the flaws to target specific demographics and take full control of a Kindle device, opening a path to stealing information stored.
Victims would need to simply open a single malicious e-book to trigger the exploitation
CPR was concerned the security flaws could allow targeting of specific demographics
CPR responsibly disclosed its findings to Amazon, who went on to deploy a fix
Tens of millions of Kindles are estimated to have been sold since 2007 debut
Check Point Research (CPR) found security flaws in Amazon Kindle, the world’s most popular e-reader. If exploited, the flaws would have enabled a threat actor to take full control over a user’s Kindle, resulting in the possible theft of Amazon device token, or other sensitive information stored on the device. The exploitation is triggered by deploying a single malicious e-book on a Kindle device.
CPR is scheduled to demonstrate the exploitation at this year’s DEF CON conference in Las Vegas.
E-Book as Malware
The exploitation involves sending a malicious e-book to a victim. Once the e-book is delivered, the victim simply needs to open it to start the exploit chain. No other indication or interactions are required on behalf of the victim to execute the exploitation. CPR proved that an e-book could have been used as malware against Kindle, leading to a range of consequences. For example, an attacker could delete a user’s e-books, or convert the Kindle into a malicious bot, enabling them to attack other devices in the user’s local network.
Targeting Demographics by Language
The security flaws naturally allow a threat actor to target a very specific audience, which significantly concerned CPR. For example, if a threat actor wanted to target a specific group of people or demographic, the threat actor could easily select a popular e-book in the correlating language or dialect to orchestrate a highly targeted cyber attack.
CPR disclosed its findings to Amazon in February 2021. Amazon deployed a fix in the 5.13.5 version of Kindle’s firmware update in April 2021. The patched firmware installs automatically on devices connected to the Internet.
Quote: Yaniv Balmas, Head of Cyber Research at Check Point Software:
“We found vulnerabilities in Kindle that would have allowed an attacker to take full control of the device. By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information. Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks. But our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon’s Kindle.
In this case, what alarmed us the most was the degree of victim specificity that the exploitation could have occurred in. Naturally, the security vulnerabilities allow an attacker to target a very specific audience. To use a random example, if a threat actor wanted to target Romanian citizens, all they would need to do is publish some free and popular e-book in the Romanian language. From there, the threat actor could be pretty certain that all of its victims would, indeed, be Romanian – that degree of specificity in offensive attack capabilities is very sought after in the cybercrime and cyber espionage world. In the wrong hands, those offensive capabilities could do some serious damage, which concerned us immensely. Once again, we showed that we can find these types of security vulnerabilities to make sure they are mitigated for, before the ‘real’ attackers have the opportunity to do so.
Amazon was cooperative throughout our coordinated disclosure process, and we’re glad they deployed a patch for these security issues.”