Amazon Kindle, the most widely owned e-reader in the U.S., had critical security flaws that alarmed cybersecurity investigators at Check Point Research (CPR). If exploited, cybercriminals could gain unauthorized access to users' e-readers and wreak havoc on the popular device.
Fortunately, the CPR investigators disclosed their findings to Amazon in February of this year. Two months later, the big-box retailer rolled a firmware update to patch the Kindle's concerning vulnerabilities.
Hackers could have used Amazon Kindle exploit to steal users' credentials
CPR researchers discovered a security flaw in Amazon Kindle that, if exploited, gave cybercriminals a pathway into stealing users' sensitive information. To take advantage of this vulnerability, the hacker would need to successfully bait a Kindle user into downloading a malicious e-book.
"By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information," Yaniv Balmas, head of Cyber Research at Check Point Software, said.
All the victim would need to do is open the e-book, which could spur a series of unfortunate events. According to the CPR report, a hacker could delete the user's e-books, steal the Amazon device token, launch an attack on other devices within the user's local network. Hell, the cybercriminal could even transform the Kindle into a "malicious bot."
What's interesting about this particular exploit is that hackers can also use it to attack specific demographics.
"To use a random example, if a threat actor wanted to target Romanian citizens, all they would need to do is publish some free and popular e-book in the Romanian language," Balmas said.
Security holes that allow malicious actors to employ targeted attacks are highly sought after, Balmas added, especially in the cyber espionage world. Thankfully, as mentioned, Amazon already rolled out a fix for the exploit in April.
CPR's report reminds us that even e-readers are susceptible to cybercrime. We may focus on securing our phones and laptops, but we shouldn't forget our Kindles either.
"Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks. But our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers," Balmas said.
CPR is poised to discuss their findings in Las Vegas at DEF CON 2021, one of the world's largest conventions for hackers.