Amazon Kindle Malware Ebooks: New-age Security Threats for Unsuspecting Users
Reading aficionados consider Amazon Kindle (many are more familiar with the term Kindle Fire) as one of the best inventions since the Gutenberg printing press. Between 2007 and 2018, Amazon sold between 20-90 million Kindles.
Its status as the world’s most popular e-reader notwithstanding, the Amazon Kindle was recently in the news for the wrong reasons. In August 2021, Check Point Research (CPR) revealed that security flaws in the device make users vulnerable to device hijack and information theft.
Worrying Findings in a Nutshell
According to CPR, Kindle’s security vulnerabilities create all sorts of problems for users. These flaws enable threat actors to leverage malicious ebooks to:
- Take full control of the device through root access
- Target users by specific demographics
- Steal their Amazon device token or other sensitive information stored on the Kindle
- Delete other ebooks
- Gain full access to the user’s Amazon account
- Convert the Kindle into a malicious bot and attack other devices on the local network
What is a Malicious Ebook?
Cybersecurity professionals are more used to thinking about malicious links, attachments or software. It’s not often that the words “malicious” and “ebook” are mentioned in the same sentence.
Well, now they are.
With the vulnerabilities discovered in the Amazon Kindle, we now know that malicious ebooks can also be leveraged as a threat vector to attack users, and steal their information. The CPR research team demonstrated exactly how this can happen by creating their own proof-of-concept (POC) malicious ebook. This ebook, once opened on a Kindle, could execute hidden code with root rights. It connects to a remote server controlled by the threat actor and locks the legitimate user’s screen so they lose control of the device. The cybercriminal can then run malicious payloads as root and access the resources on the device, including their Amazon account, cookies, and device private keys.
Malicious Ebooks and the Potential for Trouble
Malicious ebooks can be a huge cybersecurity problem. For one, they provide an easy, low-barrier way for threat actors to deliver malware. Any malicious actor can publish a malicious ebook, and make it available to unsuspecting users via the Kindle Store, Kindle’s self-publishing service, or any other virtual library. They can even send the ebook directly to the user’s device via Amazon’s ‘send to Kindle’ service.
Furthermore, if they provide the ebook for free, the chances of unaware users downloading it (because who doesn’t like free stuff) increase. Result: even more opportunities for the attacker to take advantage of a victim’s naivety and steal their information.
Another issue arises from the lack of antivirus[SMI1] solutions for malicious ebooks. Antivirus software works on the basis of virus signatures to identify viruses and protect devices, users, and networks. But the problem is that antivirus solutions do not contain virus signatures for malicious ebooks. So there’s nothing to stop the threat actor from carrying out their planned malware attack via this new threat vector.
Finally, scenarios about malware attacks through malicious ebooks have never been published before. No one expects to download a malicious ebook, or even knows that an ebook can be malicious in the first place. Clever cybercriminals take advantage of this lack of awareness to leverage malicious ebooks as their malware weapons of choice.
Crisis Averted or Postponed?
Although CPR released these findings to the public only in August 2021, they had already shared them with Amazon earlier, in February. Amazon fixed these reported vulnerabilities in the 5.13.5 version of Kindle’s firmware by April. So now, whenever Kindle devices connect to the Internet, the patched firmware will be downloaded automatically. Thus, CPR and Amazon managed to avert a major international cyber-crisis. Amazon also avoided what could have been a crushing blow to its reputation, not to mention Kindle sales.
Nonetheless, the potential for future trouble should not be ignored. Since there are millions of Kindle devices already in use, all these users can potentially be hacked. Opening a malicious ebook could download dangerous malware to their device. The e-reader can be turned into a malware bot that automatically steals their personal, sensitive or confidential information, and passes it on to a cybercriminal. This bad actor can then use this information for identity theft, blackmail, or any other kind of crime.
The malicious bot may even:
- Gather the user’s passwords to illegally access their Amazon account
- Impersonate the user to place orders via the Amazon app
- Launch “scareware” to scare the user into thinking that their device has a problem that the criminal can fix – for a price
- Install a virus or worm to open back doors the criminal can exploit for monetary or personal gain
Targeting Specific Demographics
By itself, a malicious ebook can be a very dangerous threat vector, considering the popularity of virtual books, libraries, and e-reader devices like Kindle. However, CPR researchers were particularly alarmed that security flaws in the Kindle allow malicious actors to target specific victims by region, country, language, or other demographics. By doing this, they can easily gain access to their targeted victims and cause serious damage.
In cybercrime and cyber espionage, this degree of specificity in offensive attack capabilities is already a big concern. With these findings, these concerns have exploded and convinced security professionals that e-reader vulnerabilities and malicious ebooks should now be considered serious cyber threats.
The Way Forward
As a device designed for personal pleasure, it’s difficult to reconcile the Kindle as a suitable medium of harm and chaos. Like many other Internet of Things (IoT) devices, the Kindle is considered innocuous, and therefore not viewed from a cybersecurity risk perspective. CPR’s research shows that such thinking is not only erroneous but also very dangerous.
A malicious ebook attack is easy to execute and has a high potential for success. Moreover, Kindles are very ubiquitous. For these reasons, Amazon must proactively scrutinize the security of these devices, and quickly address exploitable vulnerabilities. This is the only way to protect users and maintain Kindle’s reputation and profitability.