Researchers at the security company Check Point Software Technologies have discovered a security flaw that would have let attackers take over the Kindle e-book reader with infected e-books. Amazon has since fixed the error in a firmware update, the security experts report.
Attackers could have offered a malware-infected book in the Kindle Store. Opening it would have activated the malicious command lines, which ran with root access, compromised the Kindle device and locked the user’s screen. From then on, the attackers would have had full access to the device. The security experts demonstrate the procedure in a video.
Protection through two-factor authentication
The malware smuggled in via the book was also able to read the Amazon password. Accounts for which two-factor authentication is not activated could have been taken over in this way. The researchers point out that certain target groups can be targeted relatively easily with this attack: the victims determine the language and content of the contaminated reading material, for example based on origin or age. “This level of specificity in attacks is very popular in the world of cyber crime and cyber espionage. In the wrong hands, these skills could cause serious damage,” said security researcher Yaniv Balmas of Check Point.
According to Amazon, Check Point informed Amazon about the vulnerability in February. The online giant finally closed it in software update 5.13.5, which was released for Kindle devices in April 2021. This update is installed automatically on Amazon’s e-book reader as soon as there is an internet connection. There are no indications that the vulnerability was actively exploited.
Check Point’s security researchers describe their approach in a blog entry. They first looked at the partially public code of the Kindle reader to see what happens when a book is opened. Among the file formats that a Kindle can display, PDF seemed to them to be the most promising gateway, because the format has the most functions and errors are found time and again in PDF libraries. In the library libfpdfemb.so they came across filters and codecs for various image compression methods and searched their implementations for possible errors in memory management.
They found what they were looking for in the decoder for the JBIG2 format: if the size specifications of an image were manipulated in a targeted manner, the program reserved more memory than intended and wrote into other memory areas. Because the memory areas were not randomized, the researchers were able to take over the process with their own code using a manipulated image, and so had a first foot in the door on the Kindle – but still without root rights. They registered the error in the JBIG2 decoder as CVE-2021-30354.
The second part of the task was to give the injected code full rights. For this, looking at the code was no longer enough for the researchers. They used an already existing jailbreak, for which pins of the serial port have to be soldered onto the board. This enabled them to follow what the processes were doing at runtime. The rights management turned out to be astonishingly easy to manipulate by editing a SQLite database. The code that reached the device via the manipulated image in a PDF was able to grant itself root rights and could have caused any damage to the reader from this point on.
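The bug class described above, a decoder that trusts the size fields of an image and ends up with a buffer that does not match what it later writes, is easiest to understand with a size computation side by side with its checked form. The following C snippet is an added illustration written for this article; it is generic decoder logic, not code from libfpdfemb.so, the Kindle firmware or Check Point’s write-up, and it does not reproduce the specific JBIG2 defect. The header layout, the dimension limits and the sample headers are all constructed assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a minimal bi-level "image header" as a decoder
 * would parse it from a file. Generic illustration only. */
typedef struct {
    uint32_t width;   /* declared width in pixels */
    uint32_t height;  /* declared height in pixels */
} image_header_t;

/* Upper bounds a decoder should enforce regardless of what the file
 * claims. The values are assumptions chosen for this example. */
#define MAX_DIMENSION    (1u << 15)  /* 32768 px per side */
#define MAX_BITMAP_BYTES (1u << 28)  /* 256 MiB of pixel data */

/* Naive size computation: the 32-bit multiply wraps for hostile
 * dimensions, so the decoder allocates less than it later writes. */
static uint32_t naive_bitmap_bytes(const image_header_t *h) {
    uint32_t stride = (h->width + 7) / 8;  /* 1 bit per pixel, whole bytes per row */
    return stride * h->height;             /* may wrap silently */
}

/* Hardened variant: reject absurd dimensions and compute the size in
 * 64-bit so it cannot wrap. Returns false if the header is rejected. */
static bool checked_bitmap_bytes(const image_header_t *h, size_t *out) {
    if (h->width == 0 || h->height == 0) return false;
    if (h->width > MAX_DIMENSION || h->height > MAX_DIMENSION) return false;

    uint64_t stride = ((uint64_t)h->width + 7) / 8;
    uint64_t total  = stride * (uint64_t)h->height;   /* <= 2^15 * 2^15, no wrap */
    if (total > MAX_BITMAP_BYTES) return false;        /* policy bound */
    *out = (size_t)total;
    return true;
}

/* Bytes a row-by-row decoder would actually write for this header,
 * computed without wrapping. */
static uint64_t bytes_actually_written(const image_header_t *h) {
    return (((uint64_t)h->width + 7) / 8) * (uint64_t)h->height;
}

/* True when the naive computation under-allocates for this header,
 * i.e. a later write of the pixel data would run past the buffer. */
static bool naive_under_allocates(const image_header_t *h) {
    return (uint64_t)naive_bitmap_bytes(h) < bytes_actually_written(h);
}

int main(void) {
    /* Constructed headers: one benign, one with hostile size fields. */
    image_header_t benign  = { .width = 800u,         .height = 600u };
    image_header_t hostile = { .width = 0x80000000u,  .height = 0x10u };
    image_header_t *cases[] = { &benign, &hostile };

    for (size_t i = 0; i < 2; i++) {
        size_t n = 0;
        bool ok = checked_bitmap_bytes(cases[i], &n);
        printf("header %zu: naive=%u bytes, needed=%llu bytes, under-allocates=%s, checked=%s\n",
               i, naive_bitmap_bytes(cases[i]),
               (unsigned long long)bytes_actually_written(cases[i]),
               naive_under_allocates(cases[i]) ? "yes" : "no",
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The hostile header makes the naive stride-times-height product wrap to zero, so an allocator would hand back a tiny buffer while the decoder still believes it has a 4 GiB image to fill; the checked version refuses the header before any allocation happens. The second lesson of the article, that the overwritten memory sat at predictable addresses, is not something a size check fixes: it is addressed by enabling address-space randomization for the process that parses untrusted documents.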
Self-publishing in five minutes
“By subjugating Kindle users with a malicious e-book, an attacker could have stolen all the information stored on the device, from the registration of the Amazon account to billing data,” said security researcher Yaniv Balmas of Check Point, commenting on the possibilities of the attack pattern.
The hurdles to uploading a book to the Kindle Store are extremely low: an Amazon account is sufficient. In principle there are no fees; instead, Amazon charges commissions on books sold. Publishing an e-book takes less than five minutes, Amazon states on its website. The book then appears in online stores around the world within just 24 to 48 hours.