#DEFCON: A Bad eBook Can Take Over Your Kindle (or Worse)
Amazon’s Kindle e-reader is a popular device that has been on the market since 2007, with approximately 100 million Kindles in use around the world today.
The primary purpose of the Kindle is to enable users to read books. Slava Makkaveev, security researcher at Check Point Software Technologies, had another idea, though; he wanted to see if he could load a book that would exploit the Kindle. At the DEF CON 29 conference, Makkaveev outlined the process by which he was able to exploit a Kindle with a malicious eBook that he was able to create.
“Personally, I use Kindle a lot, but I’ve never heard about a malicious eBook,” Makkaveev said. “That was the reason for me to research how to create such a book that could be used to gain root access remotely and take full control of a Kindle device.”
Makkaveev noted that typically users connect their Kindle devices to a Wi-Fi network. While Wi-Fi could have potentially been used as an entry point to attack the Kindle, in his view using an eBook to reach the device is much easier and will also enable mass attacks.
There are multiple ways that Kindle users can get books, including directly via Amazon, transferred via USB, or via an email. There are also free online libraries that are open, where it’s easy for anyone to upload and download eBooks.
“An attacker can easily upload a malicious book for free access, because no one expects to see malware targeting the Kindle,” Makkaveev said. “Most libraries only care about the correctness of the metadata in the uploaded book, so when downloading an eBook from an online library you can never be sure of its content.”
Inside the Kindle
Makkaveev explained that basically the Kindle operating system is the Linux kernel with a set of native programs, mainly provided by the BusyBox open source framework.
Many eBooks are rendered by the Kindle operating system as PDF files. A PDF can embed many different kinds of content, so Makkaveev focused his research on how the Kindle actually parses that data before displaying it to users. During his research he discovered a pair of vulnerabilities.
The first vulnerability, identified as CVE-2021-30354, is an integer overflow in the Kindle’s JBIG2 decoding algorithm, which is used when rendering the words from a PDF file. The overflow could enable an attacker to potentially overwrite specific bits of memory on a Kindle device.
“Now we have a remote code execution vulnerability in the context of the PDF reader process,” Makkaveev said.
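As an added illustration, not code from the talk or from the Kindle firmware, the following C snippet models the class of defect described above: a region geometry whose width * height product wraps in 32-bit arithmetic and leads to an under-sized bitmap allocation, shown beside a hardened check that rejects the geometry instead. The header layout, the 64 MiB budget and all function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed region header: 32-bit big-endian width, then height, in the
 * spirit of a JBIG2 region segment information field. Illustrative only. */
typedef struct { uint32_t width, height; } region_info;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

region_info parse_region(const uint8_t hdr[8]) {
    region_info r = { be32(hdr), be32(hdr + 4) };
    return r;
}

/* Defective pattern: width * height is evaluated in 32 bits, so a crafted
 * geometry wraps to a tiny value and the bitmap buffer is under-allocated;
 * every later pixel write then lands outside the allocation. */
uint32_t buggy_bitmap_bytes(region_info r) {
    uint32_t bits = r.width * r.height;   /* wraps for large geometries */
    return (bits + 7) / 8;
}

/* Hardened form: widen before multiplying so the product cannot wrap, then
 * enforce an explicit budget so an absurd geometry is rejected outright. */
#define MAX_REGION_BYTES (64u * 1024 * 1024)   /* assumed decoder budget */

bool safe_bitmap_bytes(region_info r, size_t *out) {
    uint64_t bits = (uint64_t)r.width * (uint64_t)r.height;  /* exact */
    uint64_t bytes = (bits + 7) / 8;
    if (r.width == 0 || r.height == 0 || bytes > MAX_REGION_BYTES) return false;
    *out = (size_t)bytes;
    return true;
}

/* Allocate a zeroed bitmap only when the hardened check accepts the header. */
uint8_t *alloc_bitmap(const uint8_t hdr[8], size_t *len) {
    size_t n;
    if (!safe_bitmap_bytes(parse_region(hdr), &n)) return NULL;
    *len = n;
    return calloc(n, 1);
}
```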
With the first vulnerability it’s possible to access special internal files on a Kindle, but an attacker would still be somewhat limited. What Makkaveev wanted was to be able to gain remote root access on a Kindle, free of any restrictions. That’s where the second vulnerability comes in, providing a local privilege escalation exploit identified as CVE-2021-30355.
In a brief demo, Makkaveev showed how the whole attack works: he loaded a malicious eBook on a Kindle and then took over the device remotely. Once the user clicks on the book, the malicious payload hidden in the book connects to a remote server, providing a reverse shell that locks the user’s screen with a window.
“As you can see, we gain the root permissions, so we can do whatever we want,” he said.
An attacker could potentially steal a victim’s Amazon account, delete books, convert the Kindle into a bot to attack other devices, or simply brick the device, rendering it useless.
Makkaveev concluded his presentation by noting that he reported the issues to Amazon in February 2021 and that they have since been fixed.