Malicious e-Books Can Result in Amazon Kindle Take-Overs

  • A malicious PDF e-book could result in the full take-over of Amazon Kindle devices.
  • Researchers found a way to chain a heap overflow with an RCE to run malicious code as root.
  • Updating the Kindle’s firmware to the latest available version addresses both flaws.

Amazon Kindle is the most popular e-book reader device out there, so it’s no wonder why some hackers like to experiment with exploits targeting them every now and then. Typically, users of Kindle download e-books and nothing else, so if you’re to pass malware on a device of this kind, you’ll have to lace an e-book file. According to a report published today by Checkpoint, this is totally possible and in fact, could result in a full takeover of the device.

Kindles run on a Linux-based OS developed by Amazon specifically for the device, using Java for the UI and JRE for the high-level services. Checkpoint looked at this as a possibility and attempted to fuzz the OS’s e-book parsing framework to potentially discover an exploitable flaw. What they found was PDF files held the most promising potential due to the way their media contents are reconstructed, possibly allowing a heap overflow vulnerability in one of the decoding algorithms used.

The two flaws that the Checkpoint team discovered are CVE-2021-30354 and CVE-2021-30355. The first one is a heap overflow carried out thanks to the fact that there’s no randomization for the data segment and the heap in Kindle devices. The second flaw is an RCE vulnerability in the context of the 'pdfreader' process, which means running code on the target is a matter of opening a malicious PDF file. Because the 'pdfreader' process has framework user rights, any payloads coming through it have limited device access.

Source: Checkpoint

By digging deeper, the researchers found that the framework can request the application manager service to start any built-in app. Since that service is run as root, the access limits are lifted, and the payload can do more significant damage. This is a bigger risk for jailbroken devices, which is an alarmingly popular activity among Kindle owners these days.

Amazon released a firmware update that addresses the two flaws described above in April 2021, so all users are now urged to upgrade to version 5.13.5 and above. The fix came roughly three months after Checkpoint reported the issues to the tech giant. If you’re unsure about how you can update your Kindle device, go ahead and follow this step-by-step guide by Amazon.

How to Watch Joe Pickett Season 2 Online: Stream the Western Crime Drama from Anywhere
Joe Pickett, the series based on characters created by novelist C.J. Box, has a second season coming, and below are all the...
How to Watch Gods of Tennis Online Free: Stream the Tennis Docuseries from Anywhere
Gods of Tennis is a new documentary series on “the golden age of tennis” in the 1970s and 1980s, and we have...
How to Watch Danger Below Deck Online from Anywhere
Are you a die-hard fan of crime dramas? Do you love heart-pounding suspense, gripping tension, and a captivating plot that leaves you...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari