The Fire Tablet (formerly known as the Kindle Fire) is Amazon’s budget slate that runs on Amazon’s FireOS operating system. Researchers with Nightwatch Cybersecurity on Thursday said that the FireOS operating system is open to a limited context man-in-the-middle attack, where an attacker could secretly relay and possibly alter communications to inject malicious content.
The issue was discovered in FireOS v18.104.22.168 in September and fixed by the vendor in v22.214.171.124, which was released in November 2018. Public disclosure of the vulnerability was Thursday Feb. 7.
The root cause of the vulnerability, CVE-2019-7399, is in the setting section of FireOS, which lacks HTTPS for some content, researchers said. “While monitoring network traffic on a test device, we observed that several calls from the settings section are done without HTTPS and can be injected with malicious content by an MitM attacker,” according to a post outlining the flaw.
These settings lack HTTPS, which encrypts data between the browser and website. That in turn leaves traffic and the serial number of the device wide open for remote attackers to observe and tamper with.
MitM attacks can be used not only to manipulate content, but have been used to inject malicious code into targeted devices or used to coax victims into following rogue links and downloading booby-trapped files.
“Customer trust is important to us and we take security seriously,” an Amazon spokesperson told Threatpost. “Customers do not need to take any action as their devices have been automatically updated with security fixes for this issue.”
Thursday’s notice is the first public disclosure of the flaw in accordance with Nightwatch Cybersecurity’s vulnerability disclosure guidelines.
“Most Kindle devices will automatically update to the latest version but users who disabled updates should update to the latest version,” researchers said.
Security researcher Yakov Shafranovich is credited with discovering the vulnerability.
Researchers outlined the proof of concept for the attack in their post.
The attacker would not need physical access to the vulnerable Fire Tablet. However targets would need to be tricked to join a malicious WiFi network or be on the same public WiFi network as a victim.
Once the victim is on the same local network, an attacker would need to install on a close proximity Linux host the small lightweight DNS server called Dnsmasq along with the Nginx web server software.
From there an attacker could modify the host’s “/etc/hosts” file to add an entry (192.168.1.x www.kindle.com, 192.168.1.x kindle.com) that in turn lets them map the Fire Tablet domain name to the Linux host -and track the unencrypted traffic from the vulnerable “Settings” sections. Then they can take it a step further by adding a file with malicious content to the domain.
“At this point – the [FireOS] device will resolve DNS against the Linux computer and serve the large servers file,” researchers said. From there, they could tap through any of the vulnerable settings sections and observe the injected content.
In other words, if the user were to look at the vulnerable Settings, or related sections of their device, they would see the injected content.
While the malicious content would be injected into the “Settings” sections of the Fire Tablet, it is “unknown if the attacker can pivot from there into other parts of the device,” researchers told Threatpost.
It’s not the first security issue that the popular e-readers have faced. In 2014, a researcher found that a security flaw in Amazon’s website could allow malicious links to be added to Kindle e-books – which could ultimately be used to compromise a person’s Amazon.com account.