Old 07-15-2016, 02:51 AM   #1
Julius Caesar
Addict
Posts: 343
Karma: 1510042
Join Date: Oct 2012
Device: Kindle Paperwhite
Kindle and malicious hot spots

What could a hacker do if I inadvertently use a wifi hotspot that has been compromised by hackers? How do I protect my Kindle from being remotely accessed by hackers? There is no anti virus or firewall for the Kindle, especially Kindle ereader.

EDIT: I have Kindle Oasis latest firmware

Last edited by Julius Caesar; 07-15-2016 at 07:26 AM.
Old 07-15-2016, 04:33 AM   #2
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by Julius Caesar View Post
What could a hacker do if I inadvertently use a wifi hotspot that has been compromised by hackers?

How do I protect my Kindle from being remotely accessed by hackers?

There is no anti virus or firewall for the Kindle, especially Kindle ereader.
Too vague -
give sufficient context, such as model/firmware and compromised in what fashion.

What makes you think that is possible?

Now what makes you think there is no firewall?
Just because nobody charges you extra for it or because you don't have any (factory) options to change it?

= = = =

tl;dr:
Nothing
Not possible
Dead wrong

Last edited by knc1; 07-15-2016 at 04:35 AM.
Old 07-15-2016, 07:57 AM   #3
geekmaster
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773670
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Our forum talks about the built-in firewall plenty often, including how to tweak it to allow SSH over wifi for root shell on the kindles. As we explain, you need the real root password when doing that, which indicates that the firewall is more strict for wifi than it is for USBnet, so your fears are unfounded in this case (but not in all cases, as Edward Snowden has demonstrated).

However, I am curious why you want to "borrow" wifi bandwidth from potentially compromised wifi hotspots. You can be tracked and identified anyway, because wifi protocols leak your MAC address.

Last edited by geekmaster; 07-15-2016 at 08:00 AM.
Old 07-15-2016, 09:20 AM   #4
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
The recommended (by myself and NiLuJe the author) is to use pub-key authorization -
It is the first choice for the IGG (instant gratification generation) it just works, nearly instantly.

Does not require changes to the files in the Amazon image (which will be replaced by the next OTA update) just leave the disabled password authentication in the Kindle alone.

See directions in the USBnet package and/or the numerous threads written here on the subject of ssh on the Kindle.

Last edited by knc1; 07-15-2016 at 09:23 AM.
Old 07-15-2016, 09:28 AM   #5
geekmaster
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773670
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
Originally Posted by knc1 View Post
The recommended (by myself and NiLuJe the author) is to use pub-key authorization -
It is the first choice for the IGG (instant gratification generation) it just works, nearly instantly.

Does not require changes to the files in the Amazon image (which will be replaced by the next OTA update) just leave the disabled password authentication in the Kindle alone.

See directions in the USBnet package and/or the numerous threads written here on the subject of ssh on the Kindle.
I had that working once, but I generally just login using the computed password. I have hundreds of kindles and setting up pub-keys is an extra step. However, it is certainly much more convenient for the few MOST USED kindles.
Old 07-15-2016, 09:30 AM   #6
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Who said you have to use a different pub-key pair for every kindle?
Old 07-15-2016, 09:32 AM   #7
geekmaster
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773670
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
Originally Posted by knc1 View Post
Who said you have to use a different pub-key pair for every kindle?
Ahh.. <light goes on over head> That would avoid all those SSH key change warnings wouldn't it?
Old 07-15-2016, 12:18 PM   #8
Yourcat
Groupie
Posts: 175
Karma: 54048
Join Date: Mar 2016
Device: PW3 5.6.5-usbnet
Each ssh server should have its own private key. If you use the same IP address for 2-n Kindles the client should warn you that the server key changed. Using host names could avoid this - not sure whether you already gave a cute name to every Kindle.
I have no idea when the key is generated and whether it survives reboots.
Old 07-15-2016, 12:28 PM   #9
Yourcat
Groupie
Posts: 175
Karma: 54048
Join Date: Mar 2016
Device: PW3 5.6.5-usbnet
@Julius: A hacker may install a backdoor on your Kindle and use it to compute bitcoins if he gets access. He may have set up a specially crafted firmware server and your Kindle may install his custom firmware/ransomware.
Anyhow, hackers are likely not interested in Kindle readers with very limited resources.
Old 07-15-2016, 12:47 PM   #10
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
The firewall blocks unrelated, inbound traffic.

If you have my BBB (Block Big Brother) package installed, it includes a 'report' function that will print the current iptable rules.
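An added example, not part of the thread and not code from the BBB package: a small audit of a saved ruleset that lists which inbound connections a given interface would accept, which is the property posts #3 and #10 describe (replies to the device's own traffic only on wifi, more allowed on USBnet). The rules below are constructed in `iptables -S` format and are not a dump from a real Kindle; the interface names `wlan0` and `usb0` are assumptions.

```python
import shlex

# Constructed sample in `iptables -S` format; NOT taken from a real Kindle.
# Assumed interface names: wlan0 = wifi, usb0 = USBnet.
STOCK_LIKE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i usb0 -p tcp -m tcp --dport 22 -j ACCEPT
"""
# The same ruleset after a hypothetical tweak that opens SSH on wifi.
TWEAKED = STOCK_LIKE + "-A INPUT -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT\n"

# States that only admit replies to connections the device itself opened.
REPLY_ONLY = {"ESTABLISHED", "RELATED"}


def parse_rule(line):
    """Extract the fields of one '-A INPUT ...' rule that matter here."""
    tok = shlex.split(line)
    rule = {"iface": "any", "proto": "any", "dport": "any",
            "states": set(), "target": None}
    flags = {"-i": "iface", "-p": "proto", "--dport": "dport", "-j": "target"}
    for i, t in enumerate(tok[:-1]):
        if t in flags:
            rule[flags[t]] = tok[i + 1]
        elif t in ("--state", "--ctstate"):
            rule["states"] = set(tok[i + 1].split(","))
    return rule


def inbound_exposure(ruleset, iface):
    """Report the INPUT policy and every rule accepting NEW traffic on iface.

    Conservative by design: rule order, negated matches and jumps to
    user-defined chains are not modelled, so review anything it lists
    and do not treat an empty list as proof for complex rulesets.
    """
    policy, accepts = "ACCEPT", []  # built-in chains default to ACCEPT
    for line in ruleset.splitlines():
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
        elif line.startswith("-A INPUT "):
            r = parse_rule(line)
            applies = r["iface"] in ("any", iface)
            reply_only = bool(r["states"]) and r["states"] <= REPLY_ONLY
            if applies and r["target"] == "ACCEPT" and not reply_only:
                accepts.append((r["proto"], r["dport"]))
    return {"policy": policy, "new_inbound": accepts}


if __name__ == "__main__":
    for name, rules in (("stock-like", STOCK_LIKE), ("tweaked", TWEAKED)):
        for iface in ("wlan0", "usb0"):
            print(name, iface, inbound_exposure(rules, iface))
```

A result of policy `DROP` with an empty `new_inbound` list for the wifi interface matches "blocks unrelated, inbound traffic"; any entry that appears there after a tweak is a listening service reachable from whatever hotspot the device joins.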
Old 07-15-2016, 02:15 PM   #11
eschwartz
Ex-Helpdesk Junkie
Posts: 19,421
Karma: 85400180
Join Date: Nov 2012
Location: The Beaten Path, USA, Roundworld, This Side of Infinity
Device: Kindle Touch fw5.3.7 (Wifi only)
Well, anything you actually do over the internet can be snooped on. Obviously.

But as said above, the Kindle actually does include a very strict firewall. It is such a Windows mentality to think you'd need a manually-installed firewall.


The only thing you are at risk for, is a malicious individual discovering a remote exploit that can be triggered entirely from the browser.

But don't laugh -- Amazon once included the Native Bridge in the browser, which allowed someone to run a shell command via JavaScript!
The forum members who were active at the time reported it, got a CVE number and everything, and Amazon had it fixed.
(That one was way too dangerous to keep around as a jailbreak exploit.)

Also, Branch Delay's jailbreak. Which was likewise reported and fixed before being released as a jailbreak.
It was also slightly harder to trigger.
Old 07-15-2016, 02:30 PM   #12
Yourcat
Groupie
Posts: 175
Karma: 54048
Join Date: Mar 2016
Device: PW3 5.6.5-usbnet
Actually Kindle creates outgoing connections (to Amazon servers) which one could terminate on a local server and send custom replies. No need to penetrate the firewall. As we have seen one could delete developer keys. Locking the device could also be possible.
Old 07-15-2016, 03:16 PM   #13
geekmaster
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773670
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
Originally Posted by Yourcat View Post
Actually Kindle creates outgoing connections (to Amazon servers) which one could terminate on a local server and send custom replies. No need to penetrate the firewall. As we have seen one could delete developer keys. Locking the device could also be possible.
The only safe thing to do is keep airplane mode on. Even secure traffic is decrypted as it travels through the Amazon proxy, and they could do code injection if they wanted to. That is the price you pay for convenience, and many people openly accept those terms.

If a local server is hacked, you are doomed anyway, even on a PC. Internet Explorer shows a green "secure" icon even with a bad cert if only one hop away (so your ISP can spy on your HTTPS connections and you still think your browser is secure) -- another reason to use Firefox (or better, Tor).

No matter how careful you are, the NSA knows better.

Last edited by geekmaster; 07-15-2016 at 03:18 PM.
Old 07-15-2016, 03:26 PM   #14
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by geekmaster View Post
- - - - -
No matter how careful you are, the NSA knows better.
Similar to trying to teach an old hound dog how to suck eggs.
Old 07-15-2016, 04:13 PM   #15
eschwartz
Ex-Helpdesk Junkie
Posts: 19,421
Karma: 85400180
Join Date: Nov 2012
Location: The Beaten Path, USA, Roundworld, This Side of Infinity
Device: Kindle Touch fw5.3.7 (Wifi only)
Quote:
Originally Posted by Yourcat View Post
Actually Kindle creates outgoing connections (to Amazon servers) which one could terminate on a local server and send custom replies. No need to penetrate the firewall. As we have seen one could delete developer keys. Locking the device could also be possible.
I think most of that is encrypted. At least, the sensitive stuff.
And updates are signed with Amazon's keys which we don't have and are baked into the initramfs.
All times are GMT -4. The time now is 10:09 AM.

