Security researchers from Check Point Research (CPR) have discovered security flaws in Amazon Kindle that could allow an attacker to obtain information stored on user devices if exploited.
In order to exploit these flaws in the world's most popular e-reader, an attacker would need to send a malicious e-book to a victim. Once this e-book has been delivered to a user's device, a potential victim simply needs to open it to start the exploit chain as no other user interaction is required.
During its testing, CPR demonstrated that an e-book could be used as malware on an Amazon Kindle which would allow an attacker to delete a user's e-book library or convert their device into a malicious bot enabling them to attack other devices on a user's local network.
- We've assembled a list of the best e-readers available
- These are the best VPN services on the market
- Also check out our roundup of the best antivirus
Additionally an attacker could potentially steal a Kindle's Amazon device token or other sensitive information stored on a user's e-reader.
Targeting a very specific audience
As the security flaws discovered by CPR use malicious e-books as an attack vector, a threat actor could target a very specific audience when launching their attacks.
For instance, if an attacker wanted to target a specific group of people or demographic, they could easily select a popular e-book in the correlating language or dialect to orchestrate a highly targeted cyber attack.
Thankfully though, CPR disclosed its findings to Amazon back in February and the ecommerce giant deployed a fix in April with the release of version 5.13.5 of the Kindle's firmware which installs automatically on all devices connected to the internet.
Head of cyber research at Check Point Software, Yaniv Balmas warned in a press release that Amazon Kindle as well as all IoT devices are just as vulnerable to cyberattacks as smartphones and computers, saying:
“We found vulnerabilities in Kindle that would have allowed an attacker to take full control of the device. By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information. Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks. But our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon’s Kindle.”
- We've also highlighted the best malware removal software
