Kindle Flaw Could Have Let Hackers Take Control of Your Ebook Reader and Steal Information


All connected gadgets are technically vulnerable to bad actors, but Amazon’s Kindle e-readers aren’t exactly the first device that’d pop into your head when you think of a security risk. However, researchers have found that Kindles had flaws that could’ve allowed hackers to seize control of the device — and all it would’ve required is malware masquerading as an ebook.

The flaws were discovered and disclosed by Check Point Research (CPR), a well-known security firm. The vulnerabilities were found in how the device parses ebooks, and if exploited, could enable hackers to not only control a user’s Kindle but also steal sensitive information, such as the user’s Amazon account credentials or billing information. Attackers could also delete the user’s entire library, or convert the Kindle into a bot that runs attacks on other devices on the local network. The only thing a potential victim would have to do is download and open an ebook containing malware.

You might think that would be unlikely, but self-published authors upload their own ebooks onto Amazon’s official Kindle Store all the time. Anyone who frequently uses an e-reader will tell you there are several ways to load non-Amazon content onto a Kindle. As for why you’d want to sidestep Amazon’s store, it’s as simple as wanting to read a title that’s not yet formatted natively for a Kindle. Or perhaps you want to sideload a title that hasn’t been translated by official sources into your language just yet. And as CPR points out, nobody expects to download a malicious ebook.

“In this case, what alarmed us the most was the degree of victim specificity that the exploitation could have occurred in. Naturally, the security vulnerabilities allow an attacker to target a very specific audience,” Yaniv Balmas, head of cyber research at Check Point Software, said in a statement. Balmas explained that bad actors could easily target speakers of a particular language. All they would have to do to target, say, Romanians, is publish a popular book in an ebook format in that language. Because most people downloading that book would likely speak Romanian, a hacker could be confident nearly all victims would be Romanian.

“That degree of specificity in offensive attack capabilities is very sought after in the cybercrime and cyber-espionage world. In the wrong hands, those offensive capabilities could do some serious damage, which concerned us immensely,” Balmas said.

Thankfully, it doesn’t appear that this exploit has been used in the wild. CPR says it disclosed the vulnerabilities to Amazon in February 2021, and a patch was pushed through in the 5.13.5 Kindle firmware update in April. So long as your Kindle has had internet access since then, you should be running the latest software.

“Our research demonstrates that any electronic device, at the end of the day, is some form of computer,” Balmas said. “And as such, these IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon’s Kindle.”