Kindle bug could have given hackers control of the device




All connected devices are technically vulnerable to bad actors, but Amazon’s Kindle e-readers aren’t exactly the first devices that spring to mind when one thinks of a security risk. However, researchers have found that Kindles had bugs that would have allowed hackers to take control of the device, and all it would have required is malware disguised as an e-book.

The flaws were discovered and disclosed by Check Point Research, a well-known security company. The vulnerabilities were found in how the device analyzes e-books and, if exploited, could allow hackers not only to control a user’s Kindle but also to steal sensitive information, like your Amazon account credentials or billing information. Attackers could also wipe your entire library or turn your Kindle into a bot that attacks other devices on your local network. The only thing a potential victim would have to do is download and open an e-book containing malware.

You may think that’s unlikely, but self-published authors are constantly uploading their own e-books to Amazon’s official Kindle store. Anyone who uses an e-reader frequently will tell you there are multiple ways to load non-Amazon content on a Kindle. The reason to bypass the Amazon store can be as simple as wanting to read a title that isn’t yet natively formatted for a Kindle. Or maybe you want to sideload a title that has not yet been translated into your language by official sources. And as CPR points out, nobody expects to download a malicious e-book.

“What worried us most in this case was the degree of victim specificity to which the exploitation might have occurred. The security gaps naturally enable an attacker to address a very specific target group,” Yaniv Balmas, director of cyber research at Check Point Software, said in a statement. Balmas stated that bad actors could easily target speakers of a particular language. To target Romanians, for example, all they need to do is publish a popular book in e-book format in that language. Since most of the people downloading this book would likely speak Romanian, a hacker could be sure that almost all of the victims are Romanians.

“This degree of specificity for offensive attack possibilities is very much in demand in the world of cyber crime and cyber espionage. In the wrong hands, these offensive skills could cause serious damage, which worried us very much,” said Balmas.

Fortunately, this exploit does not appear to have been used in the wild. According to CPR, Amazon disclosed the vulnerabilities in February 2021, and in April a patch was rolled out in Kindle firmware update 5.13.5. As long as your Kindle has had internet access since then, you should be running the latest software.

“Our research shows that every electronic device is ultimately some kind of computer,” said Balmas. “And as such, these IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks associated with computers, especially something as ubiquitous as Amazon’s Kindle.”


