Amazon published a fix as part of its 5.13.5 version of Kindle firmware in April 2021
Amazon has addressed a critical vulnerability in its Kindle e-book reader platform that could have been exploited to take full control of a user’s device and steal sensitive information simply by deploying a malicious e-book.
According to Yaniv Balmas, head of cyber research at Check Point, an attacker who sends Kindle users a single malicious e-book can steal any information stored on the device, from Amazon account credentials to billing information.
The security vulnerabilities also allow an attacker to target a very specific audience. An attacker who wants to reach a specific group of people or demographic could choose a popular e-book in a language or dialect widely spoken among that group to plan a highly targeted cyber-attack.
The issue was disclosed to Amazon in February 2021, and the retail and entertainment giant published a fix as part of its 5.13.5 version of Kindle firmware in April 2021.
A threat actor who exploits the flaw can send a malicious e-book to an intended victim; when the victim opens the book, the infection sequence is triggered without any further interaction, allowing the attacker to delete the user’s library, gain full access to the Amazon account, or convert the Kindle into a bot for striking other devices in the target’s local network.
The issue resides in the firmware’s e-book parsing framework, specifically in the implementation associated with how PDF documents are opened, permitting an attacker to execute a malicious payload on the device.
This is possible because of a heap overflow vulnerability in the PDF rendering function (CVE-2021-30354), which can be leveraged to gain an arbitrary write primitive, and a local privilege escalation flaw in the Kindle application manager service (CVE-2021-30355); chaining the two flaws enables the threat actor to run malware-laced code as the root user.
Balmas stated that Kindles are often thought of as harmless and disregarded as security risks, but these IoT devices are vulnerable to the same attacks as computers. Users must be aware of the cyber risks in using anything connected to the computer, especially something as popular as Amazon’s Kindle.