An investigation by Check Point Research has found that a security vulnerability in Amazon’s Kindle e-reader could have allowed attackers to take over devices using maliciously crafted e-books.
The cyber threat intelligence firm converted an e-book into malware that could lock users out of their devices and steal personal information, including billing details.
“A malicious book can be published and made available for free access in any virtual library, including the Kindle Store, via the ‘self-publishing’ service, or sent directly to the end-user device via the Amazon ‘send to kindle’ service,” Check Point researcher Slava Makkaveev explained.
According to Makkaveev, anti-virus software does not currently have signatures for e-books, which means it cannot pick up when these files have been modified with malicious code.
“While you might not be happy with the writing in a particular book, nobody expects to download one that is malicious. No such scenarios have been publicised,” Makkaveev said.
Check Point’s proof-of-concept e-book was able to execute hidden code with root privileges.
Once the user clicks on the e-book, a remote server is connected to their device and locks the screen.
The malware then establishes root access, providing the attacker access to the user’s Amazon account, private keys, and cookies.
In addition, the attacker could delete e-books and convert Kindles into bots that can attack other devices in local networks.
Head of cyber research at Check Point, Yaniv Balmas, told Threatpost that what was alarming about the vulnerability was the degree of victim specificity it could exploit.
For example, an attacker interested in targeting a particular country could reprint a popular title translated into that country’s language to gain easy access to victims.
“That degree of specificity in offensive attack capabilities is very sought-after in the cybercrime and cyber-espionage world,” Balmas said.
“In the wrong hands, those offensive capabilities could do some serious damage, which concerned us immensely.”
Check Point reported the issues to Amazon in February 2021, and the company fixed the bug with Kindle firmware update 5.13.5, which was rolled out in April 2021.
Kindle patches are automatically downloaded and applied whenever a device is connected to the Internet.
There was no way to confirm whether attackers exploited the vulnerability before the update was implemented, however.