#DEFCON: A bad eBook can take over your Kindle (or worse)
The Amazon Kindle e-reader is a popular device that has been on the market since 2007, with around 100 million Kindles in use around the world.
The primary purpose of the Kindle is to let users read books. Slava Makkaveev, security researcher at Check Point Software Technologies, had another idea: he wanted to see whether he could load a book that would exploit the Kindle. In his DEF CON 29 talk, Makkaveev described the process by which he exploited a Kindle with a malicious eBook of his own creation.
“Personally, I use Kindle a lot, but I’ve never heard of a malicious eBook,” Makkaveev said. “This was the reason I researched how to create such a book that could be used to gain remote root access and take full control of a Kindle device.”
Makkaveev noted that users typically connect their Kindle devices to a Wi-Fi network. While Wi-Fi could potentially serve as an entry point for attacking the Kindle, in his view using an eBook to reach the device is much easier and also makes mass attacks possible.
Kindle users can get books in a number of ways, including directly through Amazon, transferred via USB, or via email. There are also open, free online libraries where it is easy for anyone to upload and download eBooks.
“An attacker can easily download a malicious book for free access because no one expects malware to target the Kindle,” Makkaveev said. “Most libraries only care about the accuracy of the metadata in the downloaded book, so when you download an eBook from an online library, you can never be sure of its content.”
Inside the Kindle
Makkaveev explained that the Kindle operating system is essentially the Linux kernel with a set of native programs, mainly provided by the open source BusyBox framework.
Many eBooks reach the Kindle operating system as PDF files. A great many different things can be embedded in a PDF file, so Makkaveev focused his research on learning how the Kindle actually parses that data before displaying it to users. During this research, he discovered a pair of vulnerabilities.
The first vulnerability, identified as CVE-2021-30354, is an integer overflow in the JBIG2 decoding algorithm the Kindle uses to render words from a PDF file. The overflow could allow an attacker to overwrite specific bits of memory on a Kindle device.
“Now we have a remote code execution vulnerability in the context of the PDF reading process,” Makkaveev said.
With the first vulnerability alone, it is possible to access special internal files on a Kindle, but an attacker would still be somewhat limited. What Makkaveev wanted was remote root access on a Kindle, without any restrictions. This is where the second vulnerability comes in: a local privilege escalation flaw identified as CVE-2021-30355.
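The article does not publish the vulnerable JBIG2 code, so the following is an added, constructed illustration (not the Kindle's decoder, not Check Point's code) of the bug class named above: a bi-level image decoder that computes its bitmap size from width and height read straight out of the file. The unchecked arithmetic wraps around for large dimensions, yielding a tiny allocation that later pixel writes overrun; the checked version rejects such dimensions before allocating, and the region-placement routine does its containment check in 64 bits so it cannot wrap either. All function names and the 64 MiB budget are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed illustration, not the Kindle's JBIG2 decoder: how a bitmap
 * size computed from untrusted image dimensions can wrap a 32-bit integer,
 * and the checks that prevent the resulting undersized allocation.
 * JBIG2 images are bi-level, so each pixel is one bit and rows are padded
 * to whole bytes: stride = ceil(width / 8), size = stride * height. */

/* Unchecked size computation: width and height come straight from the file. */
uint32_t unchecked_bitmap_bytes(uint32_t width, uint32_t height) {
    uint32_t stride = (width + 7) / 8;  /* width + 7 wraps when width is near UINT32_MAX */
    return stride * height;             /* the product is silently truncated to 32 bits */
}

/* Checked version: returns 0 and writes *out on success, -1 if the size
 * would wrap, be zero, or exceed the caller's budget. */
int checked_bitmap_bytes(uint32_t width, uint32_t height,
                         uint32_t max_bytes, uint32_t *out) {
    if (width == 0 || height == 0) return -1;
    if (width > UINT32_MAX - 7) return -1;        /* width + 7 would wrap */
    uint32_t stride = (width + 7) / 8;
    if (stride > UINT32_MAX / height) return -1;  /* stride * height would wrap */
    uint32_t bytes = stride * height;
    if (bytes > max_bytes) return -1;             /* decoder-imposed memory budget */
    *out = bytes;
    return 0;
}

/* Convenience wrapper: the checked byte count, or 0 if the dimensions are rejected. */
uint32_t checked_size_or_zero(uint32_t width, uint32_t height) {
    uint32_t n;
    return checked_bitmap_bytes(width, height, 64u * 1024 * 1024, &n) == 0 ? n : 0;
}

/* A region placement of the kind a bi-level decoder performs: a w x h region
 * at (x, y) is composited into the page bitmap. Returns 1 if the page was
 * allocated and the region written, 0 if the request was rejected. */
int place_region(uint32_t page_w, uint32_t page_h,
                 uint32_t x, uint32_t y, uint32_t w, uint32_t h) {
    uint32_t page_bytes;
    if (checked_bitmap_bytes(page_w, page_h, 64u * 1024 * 1024, &page_bytes) != 0)
        return 0;
    /* Containment check in 64 bits: x + w cannot wrap back below page_w. */
    if ((uint64_t)x + w > page_w || (uint64_t)y + h > page_h)
        return 0;
    uint8_t *page = calloc(page_bytes, 1);
    if (!page) return 0;
    uint32_t stride = (page_w + 7) / 8;
    for (uint32_t row = 0; row < h; row++) {
        for (uint32_t col = 0; col < w; col++) {
            uint32_t px = x + col, py = y + row;
            size_t idx = (size_t)py * stride + px / 8;
            page[idx] |= (uint8_t)(0x80u >> (px % 8));  /* set the pixel black */
        }
    }
    free(page);
    return 1;
}

int main(void) {
    printf("unchecked 0xFFFFFFFF x 1      -> %u bytes\n", unchecked_bitmap_bytes(0xFFFFFFFFu, 1));
    printf("unchecked 524288 x 65536      -> %u bytes\n", unchecked_bitmap_bytes(524288u, 65536u));
    printf("checked   524288 x 65536      -> %u bytes (0 = rejected)\n", checked_size_or_zero(524288u, 65536u));
    printf("checked   800 x 600           -> %u bytes\n", checked_size_or_zero(800, 600));
    printf("region inside 800x600 page    -> %d\n", place_region(800, 600, 10, 10, 100, 50));
    printf("region with wrapping x offset -> %d\n", place_region(800, 600, 0xFFFFFFF0u, 0, 32, 1));
    return 0;
}
```

The two unchecked cases both evaluate to 0 bytes: the first because `width + 7` wraps before the division, the second because 65536 * 65536 is exactly 2^32. A decoder that then writes pixels into a zero-byte (or far too small) buffer is the memory-corruption primitive the article describes. The same discipline applies to the region offsets: without the 64-bit cast, an x offset of 0xFFFFFFF0 plus a width of 32 wraps to 16 and passes a naive `x + w <= page_w` test.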
In a brief demo, Makkaveev showed how the entire attack worked: he loaded a malicious eBook onto a Kindle and then took control of the device remotely. Once the user opens the book, the malicious payload hidden in it connects to a remote server and provides a reverse shell, which in the demo locked the user’s screen with a window.
“As you can see, we get root permissions, so we can do whatever we want,” he said.
An attacker could potentially steal a victim’s Amazon account, delete books, convert the Kindle into a bot to attack other devices, or simply brick the device, rendering it useless.
Makkaveev concluded his presentation by noting that he reported the issues to Amazon in February 2021 and that they have since been resolved.