Vulnerability found in Kindle e-reader

A team of researchers at security firm Check Point Research has discovered a vulnerability in Kindle e-readers—one that could allow hackers to take over the device, delete data and potentially gain access to Amazon account information. The group has posted an extensive review of the work they have done to discover vulnerabilities in the e-reader on their web page, describing what they found and divulging what Amazon has done to correct the problem.

E-readers are portable electronic devices that allow users to read downloaded text—such devices can be used to read PDF files or books formatted specifically for e-readers. They are typically very thin and light, with screens designed to make text look very similar to printed pages. Amazon began working on an e-reader back in 2004 and began selling its first Kindle in 2007. Since that time the company has produced a very popular series of Kindle devices. In this new effort, the researchers found that the latest version of the Kindle e-reader has a vulnerability that makes it possible for hackers to break into the device by attaching code to an e-book they had created.

The vulnerability was found in the firmware and was determined to be related to a heap overflow in the part of the firmware code related to rendering PDF files, along with a flaw in the code related to escalating local privileges on the device. A hacker, it was found, could attach code to a book they had written and then send it to an unsuspecting victim. Upon opening the e-book, code would launch that would give the hacker unlimited access to the device. Such access, the researchers note, could involve not only stealing e-books, but preventing the user from accessing them, or deleting those that had been downloaded. It could also have allowed the hacker to access the user's Amazon account information.

The team at Check Point notified Amazon of the vulnerability they had found this past February and Amazon responded by issuing a patch this past May—thus, the vulnerability does not currently pose a threat to Kindle owners; though it does remind them that any device that connects to the Internet holds the potential for breaches by hackers.