Customers opening books in their Amazon Kindle e-books could also be opening a channel to receive malware, according to new research from Check Point.
A bug in Amazon’s Kindle e-books can allow an attacker to smuggle malware and gain root access to a victim’s device, steal tokens, steal or delete other sensitive data like billing information and Amazon account credentials, or even turn your internet-connected Kindle into a vector to attack the rest of your network.
“While you might not be happy with the writing in a particular book, nobody expects to download one that is malicious,” wrote Check Point security researcher Slava Makkaveev.
In a virtual presentation at the Def Con hacker conference, Makkaveev said previous research has suggested that a phishing attack was the most practical vector to attack a Kindle, but downloading an e-book through a browser, or app, through email or a USB drive is actually the quickest way for malicious actors to reach these devices.
“Typically, users connect their Kindle devices to a Wi-Fi network and Wi-Fi protocols that can be used as an entry point to attack the Kindle, but using an e-ook to reach the device is much easier and mass attackers are possible,” he said.
Amazon Kindles are essentially composed of a Linux kernel with native Busybox programs, interprocess communication LIPC subsystem for interprocess communication and Java apps and HTML/Javascript for the user interface. The LIPC library links all these components together. Makkaveev found that the multi-step process for parsing those e-books were vulnerable to attack that would lead to root access.
“Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks,” Yaniv Balmas, the firm’s head of cyber research, said in a statement. “But our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers.”
To be clear, the malware isn’t likely to show up in your favorite mainstream author’s e-book download. It would need to be inserted into a new, self-published book or one sent directly to the victim’s Kindle device, two things that could reduce the overall pool of potential victims. Additionally, Check Point researchers notified Amazon in February and an automatic firmware update fixed the issue in April.
But the research highlights the nearly non-existent security around e-book downloads. The report notes that “no such scenarios have been publicized. Antiviruses do not have signatures for e-books.”
In his talk, Makkaveev said most of these libraries only check to ensure the integrity of the metadata and book content itself “so if you upload an e-book from an online library, you can never be sure of its content.”
Hard numbers for the number of Kindle devices in circulation are hard to come by, as Amazon has only said that it has sold “tens of millions” of such devices since their inception. Wirecutter, The New York Times’ product review site, listed Amazon’s Kindle Whitepaper device as the top e-book reader on the market.
