Amazon Kindle exploit allowed hackers to steal your info — even e-readers aren't safe

Amazon Kindle (Image credit: Amazon)

Amazon Kindle, the most widely owned e-reader in the U.S., had critical security flaws that alarmed cybersecurity investigators at Check Point Research (CPR). If exploited, cybercriminals could gain unauthorized access to users' e-readers and wreak havoc on the popular device.

Fortunately, the CPR investigators disclosed their findings to Amazon in February of this year. Two months later, the big-box retailer rolled a firmware update to patch the Kindle's concerning vulnerabilities.

Hackers could have used Amazon Kindle exploit to steal credentials

CPR researchers discovered a security flaw in Amazon Kindle that, if exploited, gave cybercriminals a pathway into stealing users' sensitive information. To take advantage of this vulnerability, the hacker would need to successfully bait a Kindle user into downloading a malicious e-book.

"By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information," Yaniv Balmas, head of Cyber Research at Check Point Software, said.

All the victim would need to do is open the e-book, which could spur a series of nasty events. According to the CPR report, a hacker could delete the user's e-books, steal the Amazon device token, launch an attack on other devices within the user's local network. Hell, the cybercriminal could even transform the Kindle into a "malicious bot."

What's interesting about this particular exploit is that hackers can also use it to attack specific demographics.

"To use a random example, if a threat actor wanted to target Romanian citizens, all they would need to do is publish some free and popular e-book in the Romanian language," Balmas said.

Security holes that allow malicious actors to employ targeted attacks are highly sought after, Balmas added, especially in the cyber-espionage world. Thankfully, as mentioned, Amazon already rolled out a fix for the exploit in April.

CPR's report reminds us that even e-readers are susceptible to cybercrime. We may focus on securing our phones and laptops, but we shouldn't forget our Kindles either.

"Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks. But our research demonstrates that any electronic device, at the end of the day, is some form of computer. And as such, these IoT devices are vulnerable to the same attacks as computers," Balmas said.

CPR is poised to discuss its findings in Las Vegas at DEF CON 2021, one of the world's largest conventions for hackers.

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!