Amazon Kindle Hack Needs Just One Evil Ebook To Take Over Your Ereader—And Maybe Your Amazon Account Too
Your Amazon Kindle and your Amazon account could be hacked by just opening a single ebook, according to research published Friday as part of the DEF CON security conference taking place in Las Vegas this week.
Once the malicious book is opened, a remote hacker could delete all books on the device and could steal the authentication token used to get into an Amazon account, according to the proof-of-concept attack developed by researchers at Israel-based cybersecurity company Check Point. “Equipped with these tokens the attacker would now be able to access the victim's Amazon account and perform anything on his behalf,” said Yaniv Balmas, head of cyber research at Check Point. An attacker could also have used the Kindle as a launchpad for attacking other devices on a local WiFi network.
Balmas was able to create an evil ebook that took advantage of a flaw in the Kindle operating system: when parsing images from the book, it wasn’t limiting how much data could be written into the device’s memory, a flaw known as a heap overflow bug. That flaw allowed him to overwrite parts of memory. To get complete control of the Amazon device, he discovered another flaw that allowed him to grant himself root user rights.
Amazon, however, has fixed the issue, and users who are running the latest Kindle software should be safe from attacks. The issues were reported to Amazon in February 2021 and fixed in the 5.13.5 version of Kindle’s firmware in April; the patched software installs automatically on internet-connected devices. Amazon hadn’t responded to a request for comment at the time of publication.
But the research brings to light questions about how much a Kindle user can trust books self-published on Amazon’s marketplace, or ebooks downloaded from any platform. It’s also the first example of a hack getting complete remote control over a Kindle with a malicious book.
“Our research demonstrates that any electronic device, at the end of the day, is some form of…