Colin Mc Hugo

New Amazon Kindle Bug Could’ve Let Attackers Hijack Your eBook Reader

August 6, 2021

Amazon earlier this April addressed a critical vulnerability in its Kindle e-book reader platform that could have been exploited to take full control of a user's device, resulting in the theft of sensitive information, simply by deploying a malicious e-book.

“By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information,” Yaniv Balmas, head of cyber research at Check Point, said in an emailed statement. “The security vulnerabilities allow an attacker to target a very specific audience.”


In other words, if a threat actor wanted to single out a specific group of people or demographic, the adversary could choose a popular e-book in a language or dialect that is widely spoken among the group to tailor and orchestrate a highly targeted cyber attack.

After the issue was responsibly disclosed to Amazon in February 2021, the retail and entertainment giant published a fix as part of version 5.13.5 of the Kindle firmware in April 2021.

Attacks exploiting the flaw begin by sending a malicious e-book to an intended victim, who, upon opening the book, triggers the infection sequence without any interaction, allowing the bad actor to delete the user's library, gain full access to the Amazon account, or convert the Kindle into a bot for striking other devices in the target's local network.

Heap overflow vulnerability in the JBIG2Globals decoding algorithm

The problem resides in the firmware's e-book parsing framework, specifically in the implementation associated with how PDF documents are opened, permitting an attacker to execute a malicious payload on the device.

This is made possible by a heap overflow vulnerability in the PDF rendering function (CVE-2021-30354), which can be leveraged to gain an arbitrary write primitive, and a local privilege escalation flaw in the Kindle application manager service (CVE-2021-30355). Chaining the two flaws allows the threat actor to run malware-laced code as the root user.


Earlier this January, Amazon fixed similar weaknesses, collectively named “KindleDrip”, that could have allowed an attacker to take control of victims' devices by delivering a malicious e-book to the targets and to make unauthorized purchases.

“Kindle, like other IoT devices, are sometimes regarded as innocuous and disregarded as security risks,” Balmas said. “These IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon’s Kindle.”
