
A recent security breach has highlighted significant vulnerabilities facing Kindle users who download ebooks from unofficial sources. An engineering analyst at Thales in France, Valentino Ricotta, demonstrated how a malicious ebook could grant attackers full access to an Amazon account linked to a Kindle device. The findings were presented at the Black Hat Europe hacker conference in London, detailing step-by-step how session cookies and account credentials could be compromised.
The Kindle, long regarded as a secure, everyday device, possesses persistent internet connectivity and is able to process purchases with a single click using the owner’s stored credit card information. Ricotta discovered critical flaws in the software responsible for scanning and extracting audiobook data, noting that the vulnerabilities exist even though the e-reader itself cannot play audio files. He also revealed a separate issue within the device’s onscreen keyboard; together, these weaknesses allowed him to introduce malicious code, granting access to sensitive user data.
His research indicates that users place themselves at risk when they sideload ebooks via USB from non-Amazon sources. Many consumers were found to acquire multiple files from third-party websites and transfer them directly to their devices, either unaware of, or unconcerned by, the potential security implications.
Ricotta’s disclosure prompted Amazon to respond swiftly, classifying the flaws as critical and addressing them through security updates. In recognition of his work, the company awarded Ricotta a $20,000 bug bounty, which Thales subsequently donated to charity. The incident is the latest in a series of attacks targeting Kindle firmware, with similar breaches documented in 2021 by independent research teams.
Academics in the cybersecurity field, including Professor Alan Woodward of Surrey University and Professor George Loukas of Greenwich University, commented on the significance of these findings. Both agree that unattended and overlooked smart devices can serve as covert access points for cybercriminals, especially when software vulnerabilities go undetected. The scale of audiobook consumption and the intrinsic value of unfettered access to Amazon accounts underscore the need for robust device security and prudent user behaviour.
The following content has been published by Stockmark.IT. All information utilised in the creation of this communication has been gathered from publicly available sources that we consider reliable. Nevertheless, we cannot guarantee the accuracy or completeness of this communication.
This communication is intended solely for informational purposes and should not be construed as an offer, recommendation, solicitation, inducement, or invitation by or on behalf of the Company or any affiliates to engage in any investment activities. The opinions and views expressed by the authors are their own and do not necessarily reflect those of the Company, its affiliates, or any other third party.
The services and products mentioned in this communication may not be suitable for all recipients. By continuing to read this website and its content, you agree to the terms of this disclaimer.