Amazon Kindle Exposed to Malicious eBooks
In February 2021, security researchers from Check Point disclosed a critical flaw to Amazon that could allow an attacker to take control of Kindle devices and collect personal information, according to Threat Post.
The issue made Kindle devices vulnerable to malicious eBooks, and there is currently no way to tell whether the flaw was exploited in the wild. Amazon released a patch for the Kindle firmware in April 2021; devices connected to the Internet receive the update automatically.
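The fix only helps on devices that have actually received it, so an asset owner with a fleet of Kindles wants to check reported firmware versions against the fixed release. The following Python is an added example, not code from Check Point or Amazon. It assumes the fixed release is 5.13.5 (the version Check Point's advisory named for the April 2021 update; confirm against Amazon's release notes for your device generation) and parses the version string exactly as the device shows it under Settings > Device Info. The inventory below is constructed sample data.

```python
import re

# Firmware release that Check Point reported as carrying Amazon's fix
# (5.13.5, April 2021). Assumption: confirm against Amazon's own release
# notes before relying on it for a given Kindle generation.
PATCHED_VERSION = "5.13.5"

# Matches the version as displayed under Settings > Device Info, e.g.
# "Kindle 5.13.5 (3523380002)" or a bare "5.13.4". The build number in
# parentheses is ignored; only the dotted numeric part is compared.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))*")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the dotted firmware version as a tuple of ints.

    Comparing tuples of ints avoids the classic string-comparison bug
    where "5.9.7" sorts *above* "5.13.5" because '9' > '1'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no firmware version found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_patched(text: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the reported firmware is at or above the fixed release."""
    return parse_version(text) >= parse_version(patched)


def audit(inventory: dict[str, str]) -> list[str]:
    """Return the names of devices still running pre-fix firmware."""
    return [name for name, fw in inventory.items() if not is_patched(fw)]


# Constructed sample inventory (device label -> Device Info string);
# these are not real devices.
SAMPLE_INVENTORY = {
    "kindle-reception": "Kindle 5.13.4 (3523900001)",
    "kindle-lab-01": "Kindle 5.13.5 (3523380002)",
    "kindle-old-loaner": "5.9.7",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name]} -> needs update")
```

The "5.9.7" entry is there deliberately: a naive lexical comparison would report it as newer than 5.13.5 and silently miss an unpatched device, which is why the comparison is done on integer tuples.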
Check Point researcher Slava Makkaveev noted that anti-virus software does not include signatures for eBooks. He further explained that "A malicious eBook can be published and made available for free access in any virtual library, including the Kindle Store, via the 'self-publishing' service, or sent directly to the end-user device via the Amazon 'send to Kindle' service".
To demonstrate the risk, Check Point researchers built a proof-of-concept malicious e-book capable of executing hidden commands with root privileges. The attack begins when the victim opens the malicious e-book on the device, at which point a connection is established with a remote server and the device's screen is locked, Check Point said. Once the malware has root access, the attacker can reach the user's Amazon account credentials, cookies, and private keys stored on the device.
Cybercriminals can carry out targeted demographic attacks
A further consequence of the Kindle flaw is that it lets threat actors target victims by language or location, for instance. According to Yaniv Balmas, head of cyber research at Check Point, targeting Romanian Kindle users is easy: republishing a popular title translated into Romanian can lead to gaining access to the victim's device.
Separately, as part of its bug bounty program, Amazon awarded security researcher Yogev Bar-On $18,000 for uncovering KindleDrip, a chain of vulnerabilities that allowed an attacker to send a malicious e-book to a victim's Kindle, gain root access to the device, and make purchases charged to the victim's account.
The Check Point study provides a proof of concept showing that malicious e-book attacks are practical and easy to execute. Kindles have become so prevalent in the market that their security needs to be investigated thoroughly, according to Balmas.