Israeli cybersecurity firm Check Point said it had found a serious security flaw in Amazon software that left a door open for bad actors to take control of a victim’s device and steal sensitive information.
Security flaws in the Amazon Kindle, the company’s e-reader, would have allowed hackers to breach a user’s device by sending them a malicious e-book, Check Point said on Friday.
Check Point said it had disclosed the vulnerability to Amazon in February and the company had since closed the security gap in a firmware update in April. The firmware automatically installs to devices that are connected to the internet.
The Kindle is the world’s most popular e-reader, with tens of millions estimated sold since the device’s debut in 2007.
Prior to the firmware update, hackers could have tricked victims into opening a single malicious e-book to take full control of one of the devices.
Once the victim received the e-book and opened it, the hacker could have then proceeded with the attack via an exploit chain, meaning a way to combine a series of security vulnerabilities to take control of a device. The victim would not have to take any further action, or have any other indications, to fall prey to the attack.
After the hackers took control of the device, they could have accessed sensitive user information, such as Amazon account credentials or billing information. The Kindle could have also been deployed as a malicious bot to attack other devices in the user’s local network.
The security flaw was especially dangerous because it could have allowed bad actors to target a specific demographic, Check Point said. For example, if attackers wanted to attack a certain population group, they could have deployed a popular, malicious e-book in the group’s language or dialect.
“If a threat actor wanted to target Romanian citizens, all they would need to do is publish some free and popular e-book in the Romanian language. From there, the threat actor could be pretty certain that all of its victims would, indeed, be Romanian,” said Yaniv Balmas, head of cyber research at Check Point. “That degree of specificity in offensive attack capabilities is very sought after in the cybercrime and cyber espionage world.”
Kindles, and other internet of things (IoT) devices, are often disregarded as security risks, Balmas said in a statement.
“Our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon’s Kindle,” he said.
It was unclear if any hackers had exploited this particular vulnerability before it was addressed.
Check Point, a maker of cybersecurity firewalls, is one of Israel’s leading cybersecurity firms. It trades on the Nasdaq under the ticker CHKP at a market cap of $16.5 billion.
The company said last month that its revenue for the previous quarter was $526 million, beating expectations. It also reported a surge in ransomware attacks in the past year.
In June, Check Point said it had uncovered four vulnerabilities in the Microsoft Office software suite, including Excel and Office.