The Amazon Kindle is the world’s most popular e-reading device. When the company’s e-reader debuted in 2007, priced at $399, it sold out in six hours. Traditionalists were concerned that e-readers would herald the end of physical books. Physical book sales have fallen since then. Digital reading options are popular. What else is in high demand? A virus-free reading experience.
Check Point Research researchers discovered a vulnerability in Kindle e-readers that could allow hackers to take over the device, delete data, and potentially gain access to Amazon account information. On their website, the group has posted an extensive review of the work they have done to discover vulnerabilities in the e-reader, describing what they discovered and disclosing what Amazon has done to correct the problem.
E-readers are portable electronic devices that allow users to read the downloaded text—they can read PDF files or books formatted specifically for e-readers. They are typically thin and light, with screens designed to make text look identical to printed pages. Amazon began developing an e-reader in 2004 and released the first Kindle in 2007. Since then, the company has released a popular line of Kindle devices. The researchers discovered a vulnerability in the latest version of the Kindle e-reader that allows hackers to break into the device by attaching code to an e-book they created.
A team of researchers has discovered a vulnerability in Kindle e-readers—one that could allow hackers to take over the device, delete data and potentially gain access to Amazon account information.
Amazon addressed a critical vulnerability in its Kindle book reader platform in April. The bug could have allowed hackers to upload malicious content, prompting readers to download the files. As a result, the files would spread malware.
The tainted code would grant hackers complete control of the device. As a result, there was a high risk of account manipulation and theft. Furthermore, hackers may have gained access to payment information inadvertently.
These security flaws were discovered by Check Point Research (CPR). CPR reported their findings to Amazon, who then released a fix in the 5.13.5 version of Kindle firmware. Researchers will demonstrate how the exploit worked at this year’s DEF CON event in Las Vegas. Furthermore, attendees at the conference include FBI agents, international cybersecurity organizations, and top companies in the field who have a vested interest in this vulnerability.
The vulnerability was discovered in the firmware and was determined to be related to a heap overflow in the firmware code responsible for rendering PDF files, as well as a flaw in the code responsible for escalating local privileges on the device. It was discovered that a hacker could attach code to a book they had written and then send it to an unwitting victim. When the e-book was opened, code would be executed, granting the hacker complete control over the device. According to the researchers, such access could include not only stealing e-books but also preventing the user from accessing them or deleting those that have already been downloaded. It could also have allowed the hacker to access the user’s Amazon account information.
In some cases, hackers intend to target a particular demographic. For example, all people who speak a specific language or dialect. Hackers hoping to profit from this exploit could have tailored an e-book to the interests of a specific culture and then orchestrated a cyber attack. For example, all Star Trek fans who eagerly downloaded a new title in the fictional Klingon language may have also downloaded malware onto their devices, allowing hackers to snoop around. Apply the idea to a real language and culture.
Kindle, like many other aspects of the IoT world, appears to be a harmless platform. It is intended to provide educational and entertaining opportunities for people of all ages. However, research indicates that any electronic device with internet connectivity poses cyber risks.
Check Point notified Amazon of the vulnerability they discovered in February, and Amazon responded by issuing a patch in May—thus, the vulnerability does not currently pose a threat to Kindle owners; however, it does remind them that any device that connects to the Internet is vulnerable to hacking.
Readers should think about getting anti-malware software for their Kindle devices. Anti-malware solutions can run in the background and continuously scan for threats. Security safeguards may be especially important for those who use third-party apps on e-reader devices.