Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Readers > Amazon Kindle

Notices

Reply
 
Thread Tools Search this Thread
Old 01-24-2012, 02:36 PM   #1
thebestjeter
Addict
thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.
 
Posts: 206
Karma: 757546
Join Date: Sep 2010
Device: Kindle 3 Wifi and Kindle DX Graphite
Kindle Touch: messy firmware, unsecure device

I was going to buy myself a Kindle Touch, but since I have found out how easy would be to install a hack on it from the Internet and take remotely control of the device, I am not longer considering it as an option.

If you guys want the long story, you should read here, here and here (well, in Spanish, but you can use Google Translator).

Basically, someone can take advantage of the Mp3 player vulnerability of the Kindle Touch and install a hack using a MP3 file when you are using the Web Browser. This hack would start running once you device goes to sleep mode.

This hack could steal my credit card number, my Amazon account information and even buy things and have them shipped to a different shipping address.

Actually, it's said here:


Quote:
As a developer, I find that would be extremely simple to take total control of the device, in order to, for instance, try to obtain the credit card number that you use to buy with 1-Click . It would be as easy as to put a malicious MP3 file on the Internet. This Mp3 files would install an update that would allow to take remotely control of the device. Nothing unreasonable, so take great care when you are using the browser, because the Webkit isn't really secure.
After all, the Kindle Touch has a messy firmware

I'm really dissapointed and upset.

I think I'm going to buy a Sony this time.
thebestjeter is offline   Reply With Quote
Old 01-24-2012, 02:46 PM   #2
toadhall
Member
toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.
 
toadhall's Avatar
 
Posts: 18
Karma: 3550
Join Date: Nov 2011
Location: Kuala Lumpur, Malaysia
Device: iPad, Kindle Touch
Wasn't the MP3 hack disabled in the latest 5.0.3 firmware?

Also, why would you want to put strange MP3s you downloaded off the internet on to your Touch?
toadhall is offline   Reply With Quote
 
Advertisement
Old 01-24-2012, 04:12 PM   #3
nynaevelan
eBook Junkie
nynaevelan ought to be getting tired of karma fortunes by now.nynaevelan ought to be getting tired of karma fortunes by now.nynaevelan ought to be getting tired of karma fortunes by now.nynaevelan ought to be getting tired of karma fortunes by now.nynaevelan ought to be getting tired of karma fortunes by now.nynaevelan ought to be getting tired of karma fortunes by now.nynaevelan ought to be getting tired of karma fortunes by now.nynaevelan ought to be getting tired of karma fortunes by now.nynaevelan ought to be getting tired of karma fortunes by now.nynaevelan ought to be getting tired of karma fortunes by now.nynaevelan ought to be getting tired of karma fortunes by now.
 
nynaevelan's Avatar
 
Posts: 1,503
Karma: 1462646
Join Date: May 2010
Location: USA
Device: Kindle Fire 6 2014, Kindle PW2, Galaxy Note 3
Quote:
Originally Posted by toadhall View Post

Also, why would you want to put strange MP3s you downloaded off the internet on to your Touch?
Also, the kindle is no different than other devices as I've seen from reading the boards. It seems they are all open to be hacked, rooted, jailbroken or whatever they are calling it. But the key is, they are not vulnerable shipped from the manufacturer, they become vulnerable when the user chooses to jailbreak, hack, root them. Therefore, if you do not use strange files where you cannot verify the source, then you are in no danger.
nynaevelan is offline   Reply With Quote
Old 01-24-2012, 04:18 PM   #4
Rebecca_06
Member
Rebecca_06 began at the beginning.
 
Posts: 18
Karma: 10
Join Date: Jan 2012
Device: Sony PRS-300, Kindle Touch
Quote:
Originally Posted by toadhall View Post
Wasn't the MP3 hack disabled in the latest 5.0.3 firmware?
Yes, this has been fixed by Amazon.

However, in reference to the OP's Sony comment, I can't recommend the Sony ereaders enough, particularly if you use Calibre. I love my KT, but I'm quite sad that it doesn't play very nicely with Calibre, and it's difficult to manage my collections. Like anything else, the KT is good for some people and not so good for others, depending on how you like to manage your library.
Rebecca_06 is offline   Reply With Quote
Old 01-24-2012, 04:49 PM   #5
thebestjeter
Addict
thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.
 
Posts: 206
Karma: 757546
Join Date: Sep 2010
Device: Kindle 3 Wifi and Kindle DX Graphite
Quote:
Originally Posted by nynaevelan View Post
Therefore, if you do not use strange files where you cannot verify the source, then you are in no danger.
Not quite. What the guy I'm liking to is arguing is that since the Kindle Touch has such a messy firmware, if you are visiting a web site using the Kindle Web Browser that have a MP3 player playing music in the background and that MP3 files is a malicious one, that MP3 files could install a hack onto your Kindle in order to take remotely control of it. That is, he is not talking about a file you have sideloaded onto your Kindle, but a file that you come across when you are using the Web Browser.

Even more, this hack could be installed without actually downloading anything to your Kindle. The only thing needed is that you visit that site with a malicious Mp3 files playing in the background.

That is the risk and it is really serious.

Last edited by thebestjeter; 01-24-2012 at 04:58 PM.
thebestjeter is offline   Reply With Quote
Old 01-24-2012, 05:10 PM   #6
yifanlu
Kindle Dissector
yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.
 
Posts: 662
Karma: 170717
Join Date: Jul 2010
Device: Amazon Kindle 3
Quote:
Originally Posted by thebestjeter View Post
I was going to buy myself a Kindle Touch, but since I have found out how easy would be to install a hack on it from the Internet and take remotely control of the device, I am not longer considering it as an option.

If you guys want the long story, you should read here, here and here (well, in Spanish, but you can use Google Translator).

Basically, someone can take advantage of the Mp3 player vulnerability of the Kindle Touch and install a hack using a MP3 file when you are using the Web Browser. This hack would start running once you device goes to sleep mode.

This hack could steal my credit card number, my Amazon account information and even buy things and have them shipped to a different shipping address.

Actually, it's said here:




After all, the Kindle Touch has a messy firmware

I'm really dissapointed and upset.

I think I'm going to buy a Sony this time.
I'm appealed at the amount of disinformation that one paragraph you quoted contains. I don't have the time to read all the stuff, but I'll break down the quote.

Quote:
As a developer,
For the reasons I've listed below, I hope you stick with developing and not "analyzing" other people's works until you have a better understanding of things.

Quote:
I find that would be extremely simple to take total control of the device, in order to, for instance, try to obtain the credit card number that you use to buy with 1-Click .
Your credit card number is NOT stored anywhere close to your kindle. It's secure and encrypted on Amazon's servers. The worst a thief can do is buy kindle books using your account (which amazon has been known to refund) and that's assuming that they have complete control over your device, which means physically stealing your device.

Quote:
It would be as easy as to put a malicious MP3 file on the Internet.
You MUST manually download and copy a "malicious" MP3 to the device using USB. The internet browser doesn't allow playing or downloading MP3s. Even if you download a malicious MP3 and copy it to the USB, you can see something is odd when you find that the song name as shown by Explorer or Finder is gibberish.

Quote:
This Mp3 files would install an update that would allow to take remotely control of the device.
First of all, 5.0.3 has fixed the MP3 exploit, but that is besides the point. A hacker that wants control of your device will most likely do a targeted attack. Which means the hacker knows you and wants something specific from YOUR kindle. This is because it is not economically viable to do a mass kindle hack. Hackers would make more money hacking something like android phones or iphones. The worst they can do with complete control of your device is 1) copy your books, 2) find out what you're reading, and 3) make kindle book purchases under your device (again, refundable by amazon and this is just as if the hacker physically stole your device).

Quote:
Nothing unreasonable, so take great care when you are using the browser, because the Webkit isn't really secure.
WebKit is one of the most secure web rendering systems. Why? Because it is used by Google Chrome, Safari, Android, iphones and so much more. The reason why people have a notion that it is unsecure is because there are webkit "exploits" announced often. This is because of the popularity of the platform, there are more attackers targeting it. AND most of these exploits are useless as they require a specific condition that is not easily satisfied, especially on a stripped down device like the kindle. (Believe me, I tried using dozens of webkit exploits to hack the Kindle and none worked).

If I have the time, I'll translate the site posted by OP and post out more reasons why the arguments it presented are filled with inaccuracies, baseless assumptions, and uneducated lies.

Last edited by yifanlu; 01-24-2012 at 05:12 PM.
yifanlu is offline   Reply With Quote
Old 01-24-2012, 05:45 PM   #7
thebestjeter
Addict
thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.thebestjeter ought to be getting tired of karma fortunes by now.
 
Posts: 206
Karma: 757546
Join Date: Sep 2010
Device: Kindle 3 Wifi and Kindle DX Graphite
Quote:
Originally Posted by yifanlu View Post

If I have the time, I'll translate the site posted by OP and post out more reasons why the arguments it presented are filled with inaccuracies, baseless assumptions, and uneducated lies.
Thank you very much, Yifanlu.

I hope you'll have the time to do so.
thebestjeter is offline   Reply With Quote
Old 01-24-2012, 05:45 PM   #8
rfog
Evangelist
rfog ought to be getting tired of karma fortunes by now.rfog ought to be getting tired of karma fortunes by now.rfog ought to be getting tired of karma fortunes by now.rfog ought to be getting tired of karma fortunes by now.rfog ought to be getting tired of karma fortunes by now.rfog ought to be getting tired of karma fortunes by now.rfog ought to be getting tired of karma fortunes by now.rfog ought to be getting tired of karma fortunes by now.rfog ought to be getting tired of karma fortunes by now.rfog ought to be getting tired of karma fortunes by now.rfog ought to be getting tired of karma fortunes by now.
 
Posts: 404
Karma: 238214
Join Date: Aug 2007
Location: Elda - Alicante (Spain)
Device: PB903, K2, K3, K2i, KDX, iPad, Q1U, X51v, TM2
Quote:
Originally Posted by yifanlu View Post
I'm appealed at the amount of disinformation that one paragraph you quoted contains. I don't have the time to read all the stuff, but I'll break down the quote.


For the reasons I've listed below, I hope you stick with developing and not "analyzing" other people's works until you have a better understanding of things.


Your credit card number is NOT stored anywhere close to your kindle. It's secure and encrypted on Amazon's servers. The worst a thief can do is buy kindle books using your account (which amazon has been known to refund) and that's assuming that they have complete control over your device, which means physically stealing your device.


You MUST manually download and copy a "malicious" MP3 to the device using USB. The internet browser doesn't allow playing or downloading MP3s. Even if you download a malicious MP3 and copy it to the USB, you can see something is odd when you find that the song name as shown by Explorer or Finder is gibberish.


First of all, 5.0.3 has fixed the MP3 exploit, but that is besides the point. A hacker that wants control of your device will most likely do a targeted attack. Which means the hacker knows you and wants something specific from YOUR kindle. This is because it is not economically viable to do a mass kindle hack. Hackers would make more money hacking something like android phones or iphones. The worst they can do with complete control of your device is 1) copy your books, 2) find out what you're reading, and 3) make kindle book purchases under your device (again, refundable by amazon and this is just as if the hacker physically stole your device).


WebKit is one of the most secure web rendering systems. Why? Because it is used by Google Chrome, Safari, Android, iphones and so much more. The reason why people have a notion that it is unsecure is because there are webkit "exploits" announced often. This is because of the popularity of the platform, there are more attackers targeting it. AND most of these exploits are useless as they require a specific condition that is not easily satisfied, especially on a stripped down device like the kindle. (Believe me, I tried using dozens of webkit exploits to hack the Kindle and none worked).

If I have the time, I'll translate the site posted by OP and post out more reasons why the arguments it presented are filled with inaccuracies, baseless assumptions, and uneducated lies.
@yifanlu, I'm the developer has said KT is unsecure, based in reading your messages.

If you read in depth my messages in Spanish, I'm talking about potential problems, not true and real ones.

Hypotetically talking, one malicious website can take control of your Kindle using some Webkit vulnerability allowing write into user partition the tar update file that will install whatever thing website wants.

Other way, thebestjeter is catalogued as troll by a lot of people in Lectores Electronicos (origin of the discussion), and now he is trolling here in a try to discredit me by any reason I cannot imagine. For me, the issue is closed.

Do not lose time in this subject.
rfog is offline   Reply With Quote
Old 01-24-2012, 07:31 PM   #9
yifanlu
Kindle Dissector
yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.
 
Posts: 662
Karma: 170717
Join Date: Jul 2010
Device: Amazon Kindle 3
I'm sorry for being harsh. Again, I did not read the whole site and my entire post was based on that one quote. I am also sorry if that quote did not represent your entire opinion. However, I do not like scaring users with "potential" attacks. Some don't know better and think and a potential attack means it will be reality in a week.
yifanlu is offline   Reply With Quote
Old 01-25-2012, 04:03 AM   #10
HarryT
eBook Enthusiast
HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.
 
HarryT's Avatar
 
Posts: 64,915
Karma: 42992227
Join Date: Nov 2006
Location: UK
Device: Kindle Voyage, iPad Mini, iPhone 4, MS Surface Pro, N7
Quote:
Originally Posted by thebestjeter View Post
Basically, someone can take advantage of the Mp3 player vulnerability of the Kindle Touch and install a hack using a MP3 file when you are using the Web Browser. This hack would start running once you device goes to sleep
Your information is rather out of date. The vulnerability you refer to was fixed in the 5.0.3 firmware update.
HarryT is offline   Reply With Quote
Old 01-25-2012, 04:20 AM   #11
Zippity
Beginner
Zippity began at the beginning.
 
Zippity's Avatar
 
Posts: 18
Karma: 12
Join Date: Dec 2011
Location: New Zealand
Device: Sony PRS-T1 (SWMBO) & Kindle Touch (Me)
Appalled and "appealed" mean completely different things
Zippity is offline   Reply With Quote
Old 01-25-2012, 06:02 AM   #12
toadhall
Member
toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.toadhall can teach chickens to fly.
 
toadhall's Avatar
 
Posts: 18
Karma: 3550
Join Date: Nov 2011
Location: Kuala Lumpur, Malaysia
Device: iPad, Kindle Touch
thebestjeter, are you still going to get a Sony reader now?
toadhall is offline   Reply With Quote
Old 01-25-2012, 06:43 AM   #13
HarryT
eBook Enthusiast
HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.
 
HarryT's Avatar
 
Posts: 64,915
Karma: 42992227
Join Date: Nov 2006
Location: UK
Device: Kindle Voyage, iPad Mini, iPhone 4, MS Surface Pro, N7
Quote:
Originally Posted by toadhall View Post
thebestjeter, are you still going to get a Sony reader now?
Both the Kindle Touch and the Sony PRS-T1 are very nice readers indeed. It basically boils down to one's preference in bookstores. Personally I think that Amazon have by far the best bookstore, which is why I have a Kindle Touch. If one's preference is for ePub books, the T1 is an equally good choice.
HarryT is offline   Reply With Quote
Old 01-25-2012, 11:45 AM   #14
JoeD
Guru
JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.
 
Posts: 883
Karma: 4235574
Join Date: Nov 2007
Device: Hanlin v3, iPad, Kindle 4NT
Keep in mind security flaws exist in pretty much every device going. You could remotely hack/root an iOS device not too long ago just by visiting a webpage in safari that contained a crafted pdf document, other browsers have had font, css and javascript exploits.

The only reason to put off a purchase is if the company behind the product keeps their head in the sand rather that accepting the flaw and issuing an update.
JoeD is offline   Reply With Quote
Old 01-25-2012, 11:53 AM   #15
HarryT
eBook Enthusiast
HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.HarryT ought to be getting tired of karma fortunes by now.
 
HarryT's Avatar
 
Posts: 64,915
Karma: 42992227
Join Date: Nov 2006
Location: UK
Device: Kindle Voyage, iPad Mini, iPhone 4, MS Surface Pro, N7
Quote:
Originally Posted by JoeD View Post
Keep in mind security flaws exist in pretty much every device going. You could remotely hack/root an iOS device not too long ago just by visiting a webpage in safari that contained a crafted pdf document, other browsers have had font, css and javascript exploits.
Some of the claims made, though, were wrong. Even before the MP3 ID3-tag scripting exploit was fixed, you couldn't "infect" a Kindle by visiting a site which played an MP3 as background music, as claimed, for the simple reason that the Kindle's browser doesn't play music, and will make no attempt to load such a file.
HarryT is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Messy Format as Book vs Doc rtudor Kindle Fire 2 12-27-2011 06:14 PM
Torn: Nook Simple Touch, Kindle Touch, Basic Kindle dblb48 Which one should I buy? 12 12-13-2011 03:34 PM
Kindle Touch in Device Manager on Amazon.com SubElement Amazon Kindle 1 10-24-2011 09:30 AM
Kindle 3, Nook Simple Touch, Kobo Touch and Libra Pro Touch jbcohen Which one should I buy? 4 06-18-2011 08:58 PM
Messy / corrupt author sort sweevo Calibre 2 09-03-2010 05:55 PM


All times are GMT -4. The time now is 01:25 AM.


MobileRead.com is a privately owned, operated and funded community.