New Amazon Kindle Bug May Have Let Attackers Hijack Your eBook Reader


Amazon earlier this April addressed a critical vulnerability in its Kindle e-book reader platform that could have been exploited to take full control over a user’s device, resulting in the theft of sensitive information by simply deploying a malicious e-book.

“By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information,” Yaniv Balmas, head of cyber research at Check Point, said in an emailed statement. “The security vulnerabilities allow an attacker to target a very specific audience.”


In other words, if a threat actor wanted to single out a specific group of people or demographic, it’s possible for the adversary to choose a popular e-book in a language or dialect that’s widely spoken among the group to tailor and orchestrate a highly targeted cyber attack.

After the issue was responsibly disclosed to Amazon in February 2021, the retail and entertainment giant published a fix as part of version 5.13.5 of the Kindle firmware in April 2021.

Attacks exploiting the flaw begin by sending a malicious e-book to an intended victim, who, upon opening the e-book, triggers the infection sequence without any interaction, allowing the bad actor to delete the user’s library, gain full access to the Amazon account, or convert the Kindle into a bot for striking other devices in the target’s local network.

Heap overflow vulnerability in the JBIG2Globals decoding algorithm

The problem resides in the firmware’s e-book parsing framework, specifically in the implementation associated with how PDF documents are opened, permitting an attacker to execute a malicious payload on the device.

This is made possible by a heap overflow vulnerability in the PDF rendering function (CVE-2021-30354), which can be leveraged to gain an arbitrary write primitive, and a local privilege escalation flaw in the Kindle application manager service (CVE-2021-30355) that enables the threat actor to chain the two flaws to run malware-laced code as a root user.
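A triage check a defender could run on PDFs before they are sent to a reader, added here as an example and not taken from Check Point's research or Amazon's fix: it flags files that use the JBIG2 filter together with a JBIG2Globals stream, the decoding path named above. The function names and sample bytes are constructed for illustration.

```python
import re

# A PDF name is "/" followed by regular characters; any character may be
# written as a #xx hex escape, which hides names from naive string matching.
_NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_WATCHED = (b"JBIG2Decode", b"JBIG2Globals")


def _decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so /JBIG2#44ecode compares equal to /JBIG2Decode."""
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def jbig2_triage(pdf: bytes) -> dict:
    """Report JBIG2 filter and JBIG2Globals usage in raw PDF bytes.

    Assumption of this sketch: only the uncompressed object layer is read,
    so dictionaries packed inside compressed object streams are not seen.
    """
    raw_names = [m.group(1) for m in _NAME.finditer(pdf)]
    names = [_decode_name(n) for n in raw_names]
    filters = names.count(b"JBIG2Decode")
    globals_refs = names.count(b"JBIG2Globals")
    # Escaped spellings of the watched names are unusual in benign files.
    obfuscated = sum(1 for raw, dec in zip(raw_names, names)
                     if b"#" in raw and dec in _WATCHED)
    return {
        "is_pdf": pdf.lstrip()[:5] == b"%PDF-",
        "jbig2_filters": filters,
        "jbig2_globals": globals_refs,
        "obfuscated_names": obfuscated,
        "review": filters > 0 and globals_refs > 0,
    }


# Constructed sample: an image object using JBIG2 with a globals stream,
# with the filter name written using a hex escape (#44 is "D").
SAMPLE_JBIG2 = (b"%PDF-1.4\n5 0 obj\n<< /Type /XObject /Subtype /Image "
                b"/Filter /JBIG2#44ecode /DecodeParms << /JBIG2Globals 6 0 R >> "
                b"/Length 0 >>\nstream\nendstream\nendobj\n")
# Constructed sample: an ordinary JPEG-filtered image object.
SAMPLE_PLAIN = (b"%PDF-1.4\n5 0 obj\n<< /Type /XObject /Subtype /Image "
                b"/Filter /DCTDecode /Length 0 >>\nstream\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, blob in (("jbig2", SAMPLE_JBIG2), ("plain", SAMPLE_PLAIN)):
        print(label, jbig2_triage(blob))
```

A `review` result means the file exercises the JBIG2Globals decoder and deserves a closer look on unpatched firmware; it does not by itself mean the file is malicious.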


Earlier this January, Amazon fixed similar weaknesses — collectively named “KindleDrip” — that could have allowed an attacker to take control of victims’ devices by delivering a malicious e-book to the targets and make unauthorized purchases.

“Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks,” Balmas said. “These IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon’s Kindle.”




