FireOS Flaw Allowed Limited Content Injection in Amazon Tablets

A vulnerability in FireOS, the Amazon Fire Tablet’s operating system, has been patched.

A vulnerability in the operating system of Amazon’s Fire Tablets could allow a hacker to inject malicious content into Settings, Legal and Compliance, Terms of Use and Privacy sections of the device. The bug could also allow an adversary to capture the serial number of the tablet.

The Fire Tablet (formerly known as the Kindle Fire) is Amazon’s budget slate that runs on Amazon’s FireOS operating system. Researchers with Nightwatch Cybersecurity on Thursday said that the FireOS operating system is open to a limited context man-in-the-middle attack, where an attacker could secretly relay and possibly alter communications to inject malicious content.

The issue was discovered in FireOS v5.3.6.3 in September and fixed by the vendor in v5.3.6.4, which was released in November 2018. Public disclosure of the vulnerability was Thursday Feb. 7.

The root cause of the vulnerability, CVE-2019-7399, is in the setting section of FireOS, which lacks HTTPS for some content, researchers said. “While monitoring network traffic on a test device, we observed that several calls from the settings section are done without HTTPS and can be injected with malicious content by an MitM attacker,” according to a post outlining the flaw.

kindle fireOS flaw

Exposed Traffic

Specifically, the lack of HTTPS support impacts HTML-based content identified as Settings, Legal and Compliance, Terms of Use and the Privacy sections, a Nightwatch Cybersecurity spokesperson told Threatpost.

These settings lack HTTPS, which encrypts data between the browser and website. That in turn leaves traffic and the serial number of the device wide open for remote attackers to observe and tamper with.

MitM attacks can be used not only to manipulate content, but have been used to inject malicious code into targeted devices or used to coax victims into following rogue links and downloading booby-trapped files.

“Customer trust is important to us and we take security seriously,” an Amazon spokesperson told Threatpost. “Customers do not need to take any action as their devices have been automatically updated with security fixes for this issue.”

Thursday’s notice is the first public disclosure of the flaw in accordance with Nightwatch Cybersecurity’s vulnerability disclosure guidelines.

“Most Kindle devices will automatically update to the latest version but users who disabled updates should update to the latest version,” researchers said.

Security researcher Yakov Shafranovich is credited with discovering the vulnerability.

Proof-of-Concept Attack

Researchers outlined the proof of concept for the attack in their post.

The attacker would not need physical access to the vulnerable Fire Tablet. However targets would need to be tricked to join a malicious WiFi network or be on the same public WiFi network as a victim.

Once the victim is  on the same local network, an attacker would need to install on a close proximity Linux host the small lightweight DNS server called Dnsmasq along with the Nginx web server software.

From there an attacker could modify the host’s “/etc/hosts” file to add an entry (192.168.1.x www.kindle.com, 192.168.1.x kindle.com) that in turn lets them map the Fire Tablet domain name to the Linux host -and track the unencrypted traffic from the vulnerable “Settings” sections. Then they can take it a step further by adding a file with malicious content to the domain.

“At this point – the [FireOS] device will resolve DNS against the Linux computer and serve the large servers file,” researchers said. From there, they could tap through any of the vulnerable settings sections and observe the injected content.

In other words, if the user were to look at the vulnerable Settings, or related sections of their device, they would see the injected content.

“The user needs to click terms of use or privacy policy links, those normally render web content that Amazon serves, instead the attacker’s web page would be served,” a spokesperson told Threatpost. “When the user taps those links, there is an embedded WebView which renders HTML content… instead it will render the attacker’s content.”

While the malicious content would be injected into the “Settings” sections of the Fire Tablet, it is “unknown if the attacker can pivot from there into other parts of the device,” researchers told Threatpost.

It’s not the first security issue that the popular e-readers have faced. In 2014, a researcher found that a security flaw in Amazon’s website could allow malicious links to be added to Kindle e-books – which could ultimately be used to compromise a person’s Amazon.com account.

Suggested articles