Now patched by Amazon, security vulnerabilities found by Check Point would have given attackers access to a Kindle device and its stored data.
Amazon Kindle owners could have exposed themselves to a remote control attack simply by opening the wrong e-book. In a report published on Friday, cybersecurity provider Check Point said that it discovered security holes in the Kindle that would have helped a cybercriminal take full control of the device, potentially leading to the theft of sensitive information including the Amazon device token, a unique key used to route messages and other notifications.
In February 2021, Check Point alerted Amazon to its findings, prompting the company to roll out a fix in version 5.13.5 of the Kindle's firmware in April 2021. The update is installed automatically on Kindle devices when they are connected to the internet. To check the firmware version on your Kindle, go to Settings, select Menu, and then tap Device Info.
Before Amazon patched the security flaws, a Kindle user could have unknowingly triggered the exploit just by opening a malicious e-book sent by the attacker, Check Point said. No other action would have been required. With the vulnerabilities exploited, an attacker could have gained remote control to delete a user's e-books and even turn the Kindle into a malicious bot to attack other devices on the user's network.
By using a malicious e-book, the attacker also could have targeted a specific audience. In one example cited by Yaniv Balmas, head of cyber research at Check Point Software, a cybercriminal who wanted to target Romanian citizens would simply need to publish some free and popular e-books written in Romanian. The attacker would then be fairly certain that the potential victims would all be Romanian, a type of knowledge that would help them launch further malicious campaigns against these users.
"Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks," Balmas said. "But our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon's Kindle."