Amazon addresses vulnerability in its kindle e-book reader
Amazon’s Kindle e-reader was vulnerable to malicious eBooks due to a security flaw, allowing full control and leading to the compromise of personal information and other sensitive data.
The head of Cyber research at Check Point software technologies, Yaniv Balmas, stated that by sending a malicious e-book to a kindle user, an adversary could steal critical information from the device. He further stated that the security flaws would enable the threat actor to target a specific audience.
Amazon, in April 2021, took immediate action when the flaw was disclosed, and it issued a fix to be a part of the 5.13.5 version of Kindle firmware.
Successful exploitation of the Kindle flaw could allow an attacker to send malicious e-book to a targeted victim, allowing the adversary to perform actions like deleting the user’s library, gaining complete access to the Amazon account, or converting the Kindle into a bot for infecting other devices that are part of the network.
Balmas also created a malicious e-book that leveraged the flaw in the Kindle OS, which was not restricting the quantity of code being written on the device. This bug, known as the heap overflow bug, allowed memory parts to be overwritten. Another flaw was also identified, where he got access to the root rights, giving him complete control over the amazon device.
This marks another patch in this arena, as earlier in January too this year, Amazon fixed similar issues. Balmas also pointed out that Kindle’s security is often overlooked, where these devices are exposed to attacks just like ordinary computers. So awareness in this regard is highly advised.