Amazon Kindle flaws could have allowed attackers to control the device

Now patched by Amazon, security vulnerabilities found by Check Point would have given attackers access to a Kindle device and its stored data.

Image: Amazon

Amazon Kindle owners could have exposed themselves to a remote control attack simply by opening the wrong e-book. In a report published on Friday, cybersecurity provider Check Point said that it discovered security holes in the Kindle that would have helped a cybercriminal take full control of the device, potentially leading to the theft of sensitive information including the Amazon device token, a unique key used to route messages and other notifications.


In February 2021, Check Point alerted Amazon to its findings, prompting the company to roll out a fix in version 5.13.5 of the Kindle firmware in April 2021. The update is installed automatically on Kindle devices when they are connected to the internet.

“We have released automatic software updates to fix these issues for all Amazon Kindle models introduced after 2012,” an Amazon spokesperson told TechRepublic. “We appreciate the work of independent security researchers who help bring potential issues to our attention.”

To check the firmware version on your Kindle, go to Settings, select Menu, and then tap Device Info. Check Point also advises Kindle users to apply common sense and not open or download any e-books that look suspicious or come from untrusted sources.

Before Amazon patched the security flaws, a Kindle user could have unknowingly triggered the exploit just by opening a malicious e-book sent by the attacker, Check Point said. No other action would have been required. With the vulnerabilities exploited, an attacker could have gained remote control to delete a user’s e-books and even turn the Kindle into a malicious bot to attack other devices on the user’s network.

By using a malicious e-book, the attacker also could have targeted a specific audience. In one example cited by Yaniv Balmas, head of cyber research at Check Point Software, a cybercriminal who wanted to target Romanian citizens would simply need to publish some free and popular e-books written in Romanian. The attacker would then be fairly certain that the potential victims would all be Romanian, a type of knowledge that would help them launch further malicious campaigns against these users.

“Kindle, like other IoT devices, is often thought of as innocuous and disregarded as a security risk,” Balmas said. “But our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon’s Kindle.”

Editor’s note: This article has been updated with additional information and comment.
