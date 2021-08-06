



Amazon Kindles and Amazon accounts can be hacked with just one ebook open, according to a study released Friday as part of the DEFCON security conference in Las Vegas this week.

A proof-of-concept attack developed by researchers at Israel-based cybersecurity firm Check Point shows that when a malicious book is opened, a remote attacker could delete all the books on the device and steal the authentication token the device uses to access the owner's Amazon account. Check Point head of cyber research Yaniv Balmas said that possessing these tokens would allow an attacker to access the victim's Amazon account and do anything on their behalf. An attacker could also use the Kindle as a launch pad for attacks on other devices on the local WiFi network.

Balmas was able to create a malicious ebook that took advantage of a flaw in the Kindle operating system: when parsing an image embedded in a book, the firmware did not limit how much data could be written into the memory buffer allocated for it, a heap overflow bug. The flaw allowed him to overwrite part of the device's memory. To take full control of the Amazon device, he discovered a second flaw that allowed him to grant himself root user privileges.
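The article describes the bug only at a high level, so the following is an added illustration, not Check Point's code or the Kindle's real image parser: a hypothetical, deliberately simplified image record (a 4-byte little-endian declared length followed by payload bytes, constructed for this example) parsed into a fixed-size buffer. The check that the article says was missing is the comparison of the declared length against both the destination buffer's capacity and the bytes actually present; without it, an oversized length field would write past the buffer, which is the heap overflow class the article refers to.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Capacity of the (hypothetical) pixel buffer a decoder would allocate. */
#define MAX_PIXEL_BYTES 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_HEADER = 1,  /* input too short to hold the length field */
    PARSE_TOO_LARGE = 2,   /* declared length exceeds the destination buffer */
    PARSE_TRUNCATED = 3    /* declared length exceeds the bytes actually supplied */
};

typedef struct {
    uint8_t pixels[MAX_PIXEL_BYTES];
    size_t used;
} image_t;

/* Decode a little-endian 32-bit length field (constructed record format). */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parse: every attacker-controlled size is validated before the copy.
 * The two bounds checks are the ones whose absence turns a length field in an
 * untrusted file into an out-of-bounds heap write. */
enum parse_status parse_image(const uint8_t *buf, size_t len, image_t *out) {
    if (buf == NULL || out == NULL || len < 4)
        return PARSE_BAD_HEADER;

    uint32_t declared = read_le32(buf);

    /* Check 1: the declared payload must fit the destination buffer. */
    if (declared > MAX_PIXEL_BYTES)
        return PARSE_TOO_LARGE;

    /* Check 2: the declared payload must actually be present in the input. */
    if ((size_t)declared > len - 4)
        return PARSE_TRUNCATED;

    memcpy(out->pixels, buf + 4, declared);
    out->used = declared;
    return PARSE_OK;
}

int main(void) {
    /* Constructed sample records: one valid, one claiming 4096 payload bytes. */
    const uint8_t valid[] = { 3, 0, 0, 0, 'a', 'b', 'c' };
    const uint8_t oversized[] = { 0x00, 0x10, 0x00, 0x00 };
    image_t img;

    printf("valid record     -> status %d\n", parse_image(valid, sizeof valid, &img));
    printf("oversized record -> status %d\n", parse_image(oversized, sizeof oversized, &img));
    return 0;
}
```

A reviewer auditing a decoder for this bug class looks for exactly these two comparisons before each copy driven by a size read from the file; a fuzzer would find their absence by mutating the length field.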

However, Amazon has fixed the issue, and users running the latest Kindle software should be safe from this attack. The issue was reported to Amazon in February 2021 and was fixed in April with version 5.13.5 of the Kindle firmware. The patched software is installed automatically on devices connected to the Internet. Amazon had not responded to requests for comment at the time of publication.

Still, the study raises questions about how far Kindle users can trust self-published books on the Amazon marketplace, or ebooks downloaded from any platform. It is also the first example of an attack that uses a malicious book to give an attacker complete remote control of a Kindle.

"Our research shows that, after all, every electronic device is some form of computer. As a result, these IoT devices are vulnerable to the same attacks as computers. Everyone needs to be aware of the cyber risks of using computer-connected devices, especially ubiquitous ones like the Amazon Kindle," Check Point wrote in a report sent to Forbes prior to Friday's publication.

Balmas was concerned that ebook-based attacks could be tailored to target specific groups of users. For example, if an attacker wanted to go after people interested in a particular subject, such as LGBTQ literature or human rights, they could publish a free book disguised as a popular title that contains malicious code. In Balmas's example, an attacker could publish a Romanian-language book and thereby target only Romanian readers. He added that this degree of specificity in an attack is highly sought after in the world of cybercrime and cyber espionage: in the hands of malicious actors, these offensive capabilities could cause serious damage, which concerned the researchers greatly.

A similar problem was discovered in January by researchers who, like Balmas, chained exploits together to execute malicious code on the Kindle. Together, the two findings show that there are many ways to use malicious ebooks on what is potentially a very popular ebook reader to gain access to users' Amazon accounts.

