Thu 28th Jun 2012 at 16:40

So I hacked a Kindle

I have finally succumbed to peer pressure and for my birthday I ordered myself a Kindle. This turned up yesterday and so far I am happy with it. It does not have the new book smell (but apparently there is a solution to that :-D). Anyway, this is not meant to be a review of the Kindle. What I want to focus on is the Amazon Send-to-Kindle service.

The Amazon Send-to-Kindle service allows you (and your "approved contacts") to e-mail personal documents to your Kindle. These documents are then automatically downloaded onto your Kindle without so much as a whisper. The Amazon Help states:

You must ensure that:

  • You have approved the sender's e-mail address. Learn More.
  • You gave the sender your Send-to-Kindle e-mail address.
  • Your document is a supported file type. Learn More.

This all seems quite handy and it is certainly something I can see myself making use of. By default, your Kindle e-mail address is automatically created for you, and only the e-mail address you use to log in to your Amazon account can send to it. So where's the issue?

Well, the issue is there in plain sight: if someone knows my Kindle address AND my e-mail address, then they can send as many files to my Kindle as they like. I am surprised at just how many people do not realise how easy it is to spoof e-mails, even though they receive hundreds of spam and scam e-mails every week. It's simple; for example, in Thunderbird:

  1. Go to Account settings
  2. Click "Manage Identities..."
  3. Click "Add..."
  4. Enter whatever e-mail address you like and click OK

Now start composing a new e-mail and you should be able to select which e-mail address you want to send out as. Granted, most people don't think of this, as you'll never be able to receive the replies. However, in the case of Send-to-Kindle we don't need to receive the response, just the ability to convince Amazon's service that the target sent the e-mail.
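Seen from the receiving side, the weakness is an approved-senders check keyed on the From header alone. The sketch below is an added example, not Amazon's implementation and not code from this post: it sets that weak check beside one that also requires a DMARC pass recorded by the receiver's own mail server. The host name `mx.receiver.example` and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

APPROVED = {"g.i.joe@cobra.tv"}           # approved-senders list (address from the post)
TRUSTED_AUTHSERV = "mx.receiver.example"  # hypothetical: our own border MTA's authserv-id

def from_address(msg):
    """Address in the From header, which the sending client chooses freely."""
    return parseaddr(msg.get("From", ""))[1].lower()

def naive_accept(msg):
    """Weak check: trusts the From header alone."""
    return from_address(msg) in APPROVED

def dmarc_pass_domain(msg):
    """Domain for which our own MTA recorded dmarc=pass, else None."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # not stamped by our MTA, so the sender could have written it
        m = re.search(r"\bdmarc=pass\b[^;]*?\bheader\.from=([\w.-]+)", results, re.I)
        if m:
            return m.group(1).lower()
    return None

def hardened_accept(msg):
    """Accept only if From is approved AND its domain passed DMARC at our MTA."""
    addr = from_address(msg)
    if addr not in APPROVED:
        return False
    return dmarc_pass_domain(msg) == addr.rpartition("@")[2]

def sample(*auth_results):
    """Constructed test message; only the Authentication-Results lines vary."""
    headers = [f"Authentication-Results: {ar}" for ar in auth_results]
    headers += ["From: g.i.joe@cobra.tv", "To: g.i.joe@kindle.com", "Subject: notes"]
    return message_from_string("\n".join(headers) + "\n\nbody\n")

# Constructed samples: genuine mail, a spoofed From, and a spoofed From that
# also carries an Authentication-Results line our MTA never wrote.
GENUINE = sample("mx.receiver.example; spf=pass smtp.mailfrom=cobra.tv; "
                 "dmarc=pass header.from=cobra.tv")
SPOOFED = sample("mx.receiver.example; spf=fail smtp.mailfrom=elsewhere.example; "
                 "dmarc=fail header.from=cobra.tv")
FORGED_AR = sample("mx.sender.example; dmarc=pass header.from=cobra.tv",
                   "mx.receiver.example; dmarc=fail header.from=cobra.tv")
```

The hardened check only helps when the sender's domain publishes SPF/DKIM/DMARC records and the receiving MTA strips or ignores Authentication-Results headers it did not add itself.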

Getting someone's Amazon e-mail is fairly straightforward, as in 99% of cases it will be their primary e-mail address (be it work or personal). The harder job is working out their @kindle.com address. For me this was fairly straightforward, as Amazon attempts to use the local-part of your login address, so if the address you use to log in to Amazon is g.i.joe@cobra.tv then Amazon will attempt to create g.i.joe@kindle.com. However, if your address is john.smith@wannadoo.com, you will probably already be aware of how many John Smiths there are, and the likelihood is that there may already be a Kindle owner called John Smith who will already have john.smith@kindle.com. If this is the case, Amazon attempts to find an available address by appending numbers, so in the case of our John Smith, he could end up with john.smith_52@kindle.com. This means that if you have an uncommon e-mail address, it is quite probable that the local-part of each address will be the same.

This means that your Kindle becomes open to abuse.

 

How to protect yourself

Thankfully, Amazon does not inform the sender if the addresses do not match, but informs the owner of the @kindle.com address that they need to add the address to the "Approved Contacts" list. The other thing that Amazon offers is the ability to change your Send-to-Kindle address, thus allowing you to implement at least some level of security through obscurity. Details of how to do this can be found here.

Now, at this point most people seem fairly satisfied, but this is where my paranoia kicks in. The method above describes a process that would be carried out by a human and really only by people that know you. However, if you step back a bit and remember that all e-mails pass across the public Internet, and also how easily e-mails can be snooped, then we have a worrying problem ahead of us. The issue is that an e-mail's envelope will always need to include the recipient's address, as well as the sender's. Thus it is possible that a hacker/bot could easily sniff the traffic and gather the required paired addresses to perform the above abuse with anyone's e-mail credentials.

So far, the only serious issue that immediately occurs to me is that it is possible to fill a Kindle's storage space. Though if a virus is created specific to Kindles, I fear that every single Kindle is immediately at risk.

There are only two real-world risks that I can see. The first is the equivalent of spam e-mail and the second is a little more in the realms of MI5 or CIA.

 

The Scam

The scam works in a very similar vein to e-mail scams, although I feel it could catch more people. Let's say that Mr Scammer has been monitoring a network's traffic for e-mails being sent to addresses @kindle.com. After a period of time, he feels that he has collected enough @kindle.com addresses with their corresponding source address. He then composes a document that looks remarkably like the Kindle's EULA and prefixes the paragraph:

Amazon EULA Addendum

This is an updated agreement between you (the Kindle user) and us (Amazon). You are required read this and the confirm by going to the following address:

http://amazon-eula.co.uk/confirm

...

So, assuming Mr Scammer has set up the domain amazon-eula.co.uk to be a good copy of the Amazon site, we have now entered the realms of how a scam works. As this site looks legit and the Kindle is more than just an e-mail client, I think more people would have a higher trust level for the document and would be taken in by this phishing scam.

 

Espionage

   
Firstly, I will admit that this is a little more far-fetched, but the theory is there. There are confidential documents in this world which should never be in your possession, and simply having them can get you into lots of trouble. There are also documents that could implicate your involvement in crime, if found in your possession.
So if you wanted to cause trouble for someone or even maybe frame them, why not drop these types of document to a target's Kindle? I won't go further into this one, as the method is described earlier in this document. However, this scenario is far from just living in the world of fiction.

 
