The problem made Kindle devices vulnerable to malicious eBooks and currently there is no way to tell if the bug has been exploited. The company released a patch for Kindle firmware in April to automatically update devices connected to the Internet.
Slava Makkaveev stated that anti-virus software does not contain signatures for eBooks. He continued, âA malicious eBook can be self-published and made available for free access in any virtual library, including the Kindle Store, or sent directly to the end-user device via Amazon ‘send’ to the Kindle -Service”.
In the area of ââmalicious e-books, Check Point’s security researchers have developed a feasibility study that can execute hidden commands with root privileges. The attack begins when a victim clicks on the malicious e-book, after which a remote server connects to the user’s computer and locks the screen, Check Point said. Once the malware establishes root access, the attacker gains access to the user’s Amazon account, cookies, and private keys.
Cyber ââcriminals can carry out targeted demographic attacks
Another unfortunate effect of the Kindle issue was that it allowed threat actors to target their victims based on, for example, language or location. According to Yaniv Balmas, head of cyber research at Check Point, targeting the Romanian Kindle is easy: reprinting a popular title translated into Romanian can result in gaining access to the victim’s device .
As part of its bug bounty program, Amazon recently awarded threat hunter Yogev Bar-On $ 18,000 for detecting KindleDrip. It was a vulnerability that allowed attackers to send a malicious electronic book to a victim’s Kindle device and gain root access to the device, allowing them to steal money.
The Check Point study provides a proof of concept for easy-to-execute malicious e-book attacks. According to Balmas, kindles are so widespread in the market that their safety needs to be thoroughly researched.