It was only a matter of time before any smart connected device with a huge user base would harbor vulnerabilities.

Did you ever think that e-books could harbor malware? Amazon Kindle did not get this far by exposing users to cyber risks, right?

It took some time, but the world’s most popular e-reader has security flaws, and hackers could have already taken advantage of them.

Check Point Research has found vulnerabilities in the device that would have enabled a threat actor to take full control of it, resulting in the possible theft of the user’s Amazon device token or other sensitive information stored in memory.

E-books as malware

The exploit is triggered by delivering a single malicious e-book to a Kindle device. Once the rigged e-book is received and opened by the recipient, no further indication or interaction on the victim’s part is required for the exploit to run.

Once a device is compromised, an attacker can delete a user’s other e-books, or convert the Kindle into a malicious bot to attack other devices in the user’s local network.

Since the content of e-books caters to specific target audiences, cybercriminals can use malicious e-books to target a particular demographic. For example, if stock investors of a particular country are the group to be targeted, attackers could easily select a popular e-book in the corresponding language or dialect to orchestrate a highly targeted cyberattack.

In the wrong hands, those offensive capabilities could do some serious damage.

Coordinated disclosure

Check Point researchers disclosed their findings to Amazon in February 2021, which led to the release of a patch in version 5.13.5 of the Kindle firmware in April 2021. The patched firmware installs automatically on devices connected to the Internet.

The firm’s Head of Cyber Research, Yaniv Balmas, said: “We found vulnerabilities in Kindle that would have allowed an attacker to take full control of the device. By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information. Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks. But our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using any (computing device) connected to the (internet), especially something as ubiquitous as Amazon’s Kindle.”