Amazon Kindle exposed to malicious software

Hackers take full control of the device once the users open the malicious e-book

A critical security vulnerability in Amazon’s Kindle exposed the e-book reader platform to malicious software, which allows hackers to take control of the device and steal personal data.

Malicious software enters Amazon’s devices in the form of an e-book. All users have to do is open the malicious e-book to allow hackers to take over their device and hack their account. The hackers then implant a bug, called KindleDrip, into the Kindle e-book reader, which allows them to control the device and steal bank account details or even make purchases on the users’ behalf. This critical security vulnerability also gives hackers the ability to steal all the personal information stored on the device and take full control of it, without the users even noticing.

The security flaws were detected by Check Point Research, an Israeli firm specializing in cybersecurity. Yaniv Balmas, head of cyber research at Check Point Research pointed out in an emailed statement that “the security vulnerabilities allow an attacker to target a very specific audience”. As he said, “by sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information”. The Israeli company developed a malicious e-book to expose Kindle’s vulnerability and once the victim opens it, the hackers gain access to the user’s account, cookies, and device’s private passwords.

According to Check Point researcher Slava Makkaveev, “a malicious book can be published and made available for free access in any virtual library, including the Kindle Store, via the “self-publishing” service, or sent directly to the end-user device via the Amazon “send to kindle” service”. The researcher also emphasized that “anti-viruses do not have signatures for e-books. We succeeded in making a malicious book. If you were to open this book on a Kindle device, it could have caused a hidden piece of code to be executed with root rights. From this moment on, you can assume that you have lost control of your e-reader”.

Amazon’s security hole provoked serious concerns, as many cybersecurity experts highlighted how easy it is for a hacker to take over an e-book reader and steal personal data. The malicious software can be obtained from any digital library and can even arrive as a gift, which makes the Amazon Kindle particularly vulnerable to such attacks. Hackers can also target a specific audience: for instance, they could publish an e-book on social media security in Spanish to attract Spanish-speaking victims who want to learn about that topic. The hackers then gain access to very specific personal data from a targeted group, selected by the victims’ language or location.

Amazon’s response

Amazon Kindle vulnerabilities to malicious software are nothing new. Back in February, Check Point Research warned Amazon of this security hole and asked the firm to take action to strengthen its cybersecurity and protect users’ data. Amazon issued a patch, which was automatically installed on internet-connected Kindle devices in April, to fix the security problem.

Version 5.13.5 of the Kindle firmware is now protected against similar attacks. Still, the recent security gap raises several questions about how much a Kindle user should trust an e-book self-published on Amazon’s marketplace, or even books downloaded from any other virtual platform. “Amazon was cooperative throughout our coordinated disclosure process, and we’re glad they deployed a patch for these security issues,” the Check Point Research team noted.
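As an added example that is not part of the article and is not Check Point’s or Amazon’s code, the following Python snippet checks whether a device’s reported firmware version is at or above the 5.13.5 release the article names as carrying the fix. The 5.13.5 threshold comes from the article; the device inventory is constructed sample data, and the dotted numeric version format is an assumption. The one point worth seeing is that version strings must be compared component by component, because a plain string comparison ranks "5.9.1" above "5.13.5".

```python
# Added example: flag devices whose firmware is below the patched release.
# PATCHED_VERSION is the version named in the article; the inventory is
# constructed sample data, and the dotted-numeric format is an assumption.
from __future__ import annotations

PATCHED_VERSION = "5.13.5"


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '5.13.5' into (5, 13, 5) so components compare numerically.

    A lexicographic string comparison would say '5.9.1' > '5.13.5', which is
    exactly the wrong answer for a patch-level check.
    """
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, baseline: str = PATCHED_VERSION) -> bool:
    """True when `version` is at or above the patched baseline."""
    return parse_version(version) >= parse_version(baseline)


def unpatched_devices(inventory: dict[str, str]) -> list[str]:
    """Return the ids of devices whose reported firmware is below the baseline."""
    return sorted(dev for dev, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory: device id -> firmware version the device reports.
SAMPLE_INVENTORY = {
    "kindle-a": "5.13.5",
    "kindle-b": "5.12.4",
    "kindle-c": "5.13.4",
    "kindle-d": "5.14.1",
}

if __name__ == "__main__":
    for dev in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{dev}: firmware {SAMPLE_INVENTORY[dev]} is below {PATCHED_VERSION}, update needed")
```

Running the block lists kindle-b and kindle-c as still needing the update; a version with fewer components, such as "5.13", is treated as older than "5.13.5", which is the conservative choice for a patch check.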

George Mavridis is a journalist currently conducting his doctoral research at the Department of Journalism and Mass Media at Aristotle University of Thessaloniki (AUTH). He holds a degree from the same department, as well as a Master’s degree in Media and Communication Studies from Malmö University, Sweden, and a second Master’s degree in Digital Humanities from Linnaeus University, Sweden. In 2024, he completed his third Master’s degree in Information and Communication Technologies: Law and Policy at AUTH. Since 2010, he has been professionally involved in journalism and communication, and in recent years, he has also turned to book writing.