
E-Book as Malware: Research shows how Amazon Kindle Vulnerabilities led to victim exploitation

Check Point Research (CPR) found security flaws in Amazon Kindle. According to the research, a threat actor could trick victims into opening a malicious e-book.

Laxitha Mundhra

Check Point Research (CPR) found security flaws in Amazon Kindle. According to the research, a threat actor could trick victims into opening a malicious e-book that leverages flaws in the Kindle reader to target specific demographics and take full control of a Kindle device, opening a path to stealing the information stored on it. Exploitation could also result in the possible theft of Amazon device tokens and/or other sensitive information from the device. Victims would simply need to open a single malicious e-book to trigger the exploitation.


CPR will also demonstrate the exploitation at this year’s DEF CON conference in Las Vegas. CPR stated that it disclosed its findings to Amazon in February 2021 and that Amazon deployed a fix in version 5.13.5 of the Kindle firmware in April 2021. The patched firmware installs automatically on devices connected to the Internet.

Yaniv Balmas, Head of Cyber Research at Check Point Software, said: “Kindle, like other IoT devices, is often thought of as innocuous and disregarded as a security risk. But our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers. Everyone should know about the cyber risks in using anything that connects to the computer, especially something as ubiquitous as Amazon’s Kindle. In this case, what alarmed us the most was the degree of victim specificity that the exploitation could have occurred in.”

E-Book as Malware


The exploitation involves sending a malicious e-book to a victim. Once the e-book reaches the victim, he or she simply needs to open it to start the exploit chain. No other indication or interaction on the victim's part is needed to execute the exploitation. CPR proved that an e-book could be used as malware against Kindle, leading to a range of consequences. For example, an attacker could delete a user’s e-books. They could also convert the Kindle into a malicious bot, enabling them to attack other devices in the user’s local network.

Targeting Demographics by Language

The security flaws naturally allow a threat actor to target a very specific audience, which significantly concerned CPR. For example, a threat actor who wanted to target a specific group of people or demographic could easily select a popular e-book in the relevant language or dialect to orchestrate a highly targeted cyber attack.

“Naturally, the security vulnerabilities allow an attacker to target a very specific audience,” Yaniv further added. “To use a random example, if a threat actor wanted to target Romanian citizens, all they would need to do is publish some free and popular e-book in the Romanian language. From there, the threat actor could be pretty certain that all of its victims would, indeed, be Romanian; many attackers sought that degree of specificity in offensive attack capabilities in the cybercrime and cyber-espionage world.”

“In the wrong hands, those offensive capabilities could do some serious damage, which concerned us immensely. Once again, we showed that we can find these types of security vulnerabilities to make sure they are mitigated before the ‘real’ attackers have the opportunity to do so. Amazon was cooperative throughout our coordinated disclosure process. We’re glad they deployed a patch for these security issues,” he concluded.
