Malicious e-Books Can Result in Amazon Kindle Take-Overs

  • A malicious PDF e-book could result in the full take-over of Amazon Kindle devices.
  • Researchers found a way to chain a heap overflow with an RCE to run malicious code as root.
  • Updating the Kindle’s firmware to the latest available version addresses both flaws.

Amazon Kindle is the most popular e-book reader out there, so it’s no wonder that some hackers like to experiment with exploits targeting it every now and then. Kindle users typically download e-books and nothing else, so getting malware onto a device of this kind means lacing an e-book file. According to a report published today by Check Point, this is entirely possible and could in fact result in a full takeover of the device.

Kindles run a Linux-based OS developed by Amazon specifically for the device, using Java for the UI and JRE for the high-level services. Check Point saw this as an opening and attempted to fuzz the OS’s e-book parsing framework to discover an exploitable flaw. They found that PDF files held the most promise because of the way their media contents are reconstructed, which could allow a heap overflow in one of the decoding algorithms used.

The two flaws that the Check Point team discovered are CVE-2021-30354 and CVE-2021-30355. The first is a heap overflow, which can be carried out because Kindle devices apply no randomization to the data segment and the heap. The second is an RCE vulnerability in the context of the 'pdfreader' process, which means that running code on the target is a matter of opening a malicious PDF file. Because the 'pdfreader' process has framework user rights, any payload coming through it has limited device access.

Digging deeper, the researchers found that the framework can ask the application manager service to start any built-in app. Since that service runs as root, the access limits are lifted and the payload can do more significant damage. This is a bigger risk for jailbroken devices, and jailbreaking is an alarmingly popular activity among Kindle owners these days.

Amazon released a firmware update addressing the two flaws described above in April 2021, so all users are urged to upgrade to version 5.13.5 or above. The fix came roughly three months after Check Point reported the issues to the tech giant. If you’re unsure how to update your Kindle device, follow the step-by-step guide by Amazon.
