Amazon has fixed security flaws in Amazon Kindle, the world’s most popular e-reader, Check Point Research (CPR) said.
Hackers could have leveraged the flaws to target specific demographics and take full control of a Kindle device, opening a path to stealing information stored — by tricking victims into opening a malicious e-book.
# Victims would need to open a single malicious e-book to trigger the exploitation
# The security flaws could allow targeting of specific demographics
# CPR disclosed its findings to Amazon, who went on to deploy a fix
# Amazon is estimated to have sold tens of millions of Kindles since 2007 debut
CPR said it will demonstrate the exploitation at this year’s DEF CON conference in Las Vegas.
The exploitation involves sending a malicious e-book to a victim. Once the e-book is delivered, the victim needs to open it to start the exploit chain. No other indication or interactions are required on behalf of the victim to execute the exploitation.
CPR disclosed its findings to Amazon in February 2021. Amazon deployed a fix in the 5.13.5 version of Kindle’s firmware update in April 2021. The patched firmware installs automatically on devices connected to the Internet.
“By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon’s Kindle,” Yaniv Balmas, Head of Cyber Research at Check Point Software, said.