Amazon’s Kindle: Some Interesting Security Thoughts
My Kindle2 showed up yesterday. I unboxed it, turned it on and within 3 minutes had downloaded my first book and was reading away (Thomas Barnett's "Great Powers," if you must know.)
So this morning after I checked my email on my other indispensable tool/toy, my iPhone, I realized something was missing from the Kindle: a password.
So you might think "Hoff, why would you need a password for a device that lets you read books?"
Well, while it's true that the majority of users will simply read "off-the-shelf" books/blogs/magazines they download from Amazon.com's storefront on their Kindles, there are a couple of other interesting scenarios that ran through my mind:
- To purchase a book using the Kindle, the device is linked to Amazon's One-Click purchase capability. This means that once I choose to purchase a book, I simply click "Buy" and it's delivered to the device, automagically charging my credit card. If I lost my device, someone who found it could literally download hundreds of books to the Kindle on my nickel until I am able to do something about it. This would be short-lived, but really annoying.
- It is possible using an Amazon web service to convert documents into the Kindle Format and download them over WhisperNet to your device. Given how convenient this is for reading, imagine what would happen if some crafty person decided to convert and download a sensitive document to the Kindle and then lose the device. Imagine if that document contained PII or other confidential/sensitive information? I wager we'll see a breach notification being issued based on someone losing a Kindle.
Yes, I know it's a piece of "consumer" equipment, but look a little further down the line: college students using it for textbooks and all sorts of other communications, business people using it for reading corporate materials, etc…
I am interested in exploring the following elements in the long term:
- An option for password-protected access to the device itself.
- A password-controlled parental-control system, based on content ratings, for certain materials. My kids already grabbed my Kindle and (see #1 above) downloaded 3 kids' books to it. I may not want them to read certain content.
- Remote self-destruct
- Encryption of content (at rest, in motion)
- Security of Whispernet itself
- WiFi (and its attendant issues)
I'm sure as I dwell on this, there will be other issues that crop up, but the security wonk in me was in full gear this morning.
You have any other security shortcomings or concerns you've thought of re: the Kindle?
/Hoff
Hoff!
I love the points, but one area of risk that leaps at me is what of that nifty conversion service? As an entrepreneur, security evangelist, and (I'm sorry) an Auditor I have been highly focused on these third party service providers. You bring up a good point of converting PII sensitive data and leaving it on the Kindle, but how is this conversion done – what privacy safeguards are in place (if any), and what of the data (as you state) in transit?
This, of course, is not the domain or marketed SLA of Amazon, but organizations may need to seriously consider how this affects their materials. One simple safeguard may be to establish a simple passcode (easily known within the organization) that breaks the automated conversion process and thereby protects the data from ever leaving the business. A single nail for a very long board requiring security and assurance around the integrity of the system.
In IT Compliance and Controls, (full disclosure – my book) I dig deeply into vetting third party providers – cloud operators AND these types of application processors.
Interested in your thoughts and others…and congrats on the Kindle2!
James DeLuccia IV
Mos def, James…that's what I was hinting about as it relates to the conversion…what happens to the original document?
The Kindle (and devices like it) just highlight the impending acceleration of collisions in the enterprise between compliance/security and the consumerization of IT. The iPhone's doing it already. As these devices converge more functionality onto smaller and more portable platforms (as we've seen with "laptops") it will get more and more interesting.
Take the use of Netbooks and Cloud…wheeeeeeeee!
It's no different from losing a cell phone. You can log in to Amazon.com and disassociate the Kindle from your account, blocking the 1-Click ability within minutes.
Amazon clearly didn't design Kindle for carrying confidential documents, and I doubt an edge case like high security environments makes a lot of sense for a broadly available consumer device. There is probably a two pound NSA approved ebook reader that does everything you want.
That doesn't mean of course that someone won't try and use it for that purpose. 🙂
My biggest concern about the Kindle, aside from its weird, book-burning-esque name, is that it compromises the integrity of the written word. A printed book may be unwieldy, but you know that once it’s on your shelf, not one letter is going to change. Can’t say the same for the Kindle: http://urbzen.com/2009/02/09/amazon-kindle-privac…
Also, when I spill coffee all over a book, I’ve only ruined that particular book 🙂
I noted all these same issues within 30 minutes or so of receiving my Kindle in November of 2007, and agree with you 100%. Additionally:
1. Amazon now have a copy of any document you convert. Who knows who can see it, if it's been stored somewhere it can be accessed, etc.?
2. Everything on the Kindle apparently runs as root; the device itself is accessible via USB/serial console during boot, and the filesystems are mountable via plugging the device into a computer via USB. Very easy to trojan (or even bot!) someone's Kindle.
3. If you use the Whispernet MVNO service carried across Sprint's EVDO network, note that when you browse the Internet using the Kindle browser, all of your traffic is apparently proxied via Amazon proxy servers (which is totally unnecessary, as EVDO uses routable IP addresses, unlike GSM 3G networks). So, Amazon are MITMing you.
4. People can see what you're reading, or planning on reading. People can plant potentially damaging documents/images/audio on the device in order to frame you, given that there's no security when the device is mounted via USB.
5. You've no idea if the Kindle 'phones home' via EVDO if you're reading with the EVDO enabled, or stores up behavioral information and then sends it home when you turn on EVDO or enter an EVDO service area. It's hard to investigate this without specialized equipment or investing the time to root the Kindle, since it uses EVDO exclusively, no WiFi capability.
6. The Kindle obviously has the ability to store and transmit such behavioral information, given that now multiple Kindles on the same account can keep in sync with one another in terms of content on your Kindle, your current location inside a given book, etc. Amazon plan to extend this capability, along with the base ereader functionality, to other types of devices, over time.
Is this information encrypted in any way? If so, is it real encryption, or is it ROT13? Is it encrypted only in flight, or at rest as well?
7. If the Kindle is phoning home, are Amazon selling your behavioral data to advertisers? Even if they're not, are they mining it (in addition to the data you already consciously and voluntarily give them), and is it stored securely (for some value of 'secure')?
8. The Kindle allows you to highlight chunks of books/documents, annotate them with notes, and store them on the device. Are they DRMmed to your particular device, or are they just unencrypted text files, which can be accessed and downloaded via the USB mounting facility (I know which way I'd bet, heh).
9. I've never used the Kindle Web browser; does it let you store usernames/passwords/cookies for Web sites you access? If so, then they're sitting there on the flash, waiting to be downloaded via USB by anyone who can get hold of the device.
I could go on, but you get the point. The Kindle is apparently *intentionally designed* to be a sieve. So, if like me, you decide the convenience outweighs the risks, stay conscious of those risks and take appropriate countermeasures.
BTW, I've an original Kindle, not a Kindle 2, so I don't know if any/all of the above issues still apply. Based on your post and reading posts of others, I believe they do, but I don't know that for a fact.
Awesome points/questions, Roland. The security v convenience trade-offs are getting more slippery these days. I wonder what browser engine the Kindle uses and how vulnerable it may be to web-based exploits, and what that would/could mean to the device?
I haven't even bothered to Google for Kindle Hacks yet…
I don't know, but given the utter lack of thought given to security for the rest of the device, I wouldn't be surprised if it has some juicy exploits. Couple that with the fact that everything runs as root and all permissions seem to be 777 (you might want to verify that on your Kindle2), and it's eminently remotely-rootable, potentially.
After some debate with Hoff on twitter – I figured I should bring my comments here. I was moaning about FUD (Fear Uncertainty & Doubt) with regards to the comments made about the Kindle.
I feel like his comments are FUD because with a little research he could very easily have discovered that the holes he decided were there had mitigations or were misguided because they needed some research to see how things really worked.
Both Hoff and Roland support the idea that “security versus convenience trade-offs are getting more slippery these days.” This is a valid argument for dozens of consumer devices – iPhone, iTouch, U3 USB Keys all come to mind immediately.
I feel that Hoff highlights security flaws that are inherent to the device’s individual operational specs. The device doesn’t lock, you can’t control content, etc. Roland chooses to argue that the device is insecure because of the device’s operation on the network. In Roland’s case I had some trouble swallowing them:
1. Amazon now have a copy of any document you convert. Who knows who can see it, if it's been stored somewhere it can be accessed, etc.?
Amazon only has a copy of your documents if you opt to go with the method of sending them docs via email. It costs money. Amazon as well as multiple articles all within a Google search show how easy it is to use Mobipocket Creator to convert Word and PDF files over – and then with an easy drag and drop right into the Kindle. BTW most PDFs just don’t look that good – it’s a problem with the standard that Amazon chose.
Your response might be that’s too hard, who is going to do the research – if you are actively using the Kindle as a doc repository for docs that shouldn’t be out of your sight then you deserve what you get.
2. Everything on the Kindle apparently runs as root; the device itself is accessible via USB/serial console during boot, and the filesystems are mountable via plugging the device into a computer via USB. Very easy to trojan (or even bot!) someone's Kindle.
I can’t really argue this. I don’t understand it. I don’t know why they did it that way. Seems foolish for multiple reasons.
Now I will debate the statement Easy to Trojan (or even bot!) – hmm well I would not say easy – the preferred vector here would actually be to send you a doc through kindle email and attack that way. But then you need to know my kindle email for that – again with research I am sure you would have me. So now we are relying on Amazon to protect me – well since they have to open the doc/pdf to convert it – you are more likely to compromise them – doubtful first.
3. If you use the Whispernet MVNO service carried across Sprint's EVDO network, note that when you browse the Internet using the Kindle browser, all of your traffic is apparently proxied via Amazon proxy servers (which is totally unnecessary, as EVDO uses routable IP addresses, unlike GSM 3G networks). So, Amazon are MITMing you
Hmm Amazon MITMing me – I like that. Oh wait I am buying their product on their network and reading it on their device (I own it yes but the device is only for Amazon content – much to my dismay). Were I to hazard a guess the only time I ever leave the Amazon network is when I launch the web browser. So yes they are proxying my traffic – they are seeing all my google reader traffic.
4. People can see what you're reading, or planning on reading. People can plant potentially damaging documents/images/audio on the device in order to frame you, given that there's no security when the device is mounted via USB
Hunh, I don’t really understand this. Look at my desk, you can see what I am reading – although you won’t find that I have a small place in my heart for teenage sci-fi fantasy novels – I didn’t get enough as a teen so I still read them now.
5. You've no idea if the Kindle 'phones home' via EVDO if you're reading with the EVDO enabled, or stores up behavioral information and then sends it home when you turn on EVDO or enter an EVDO service area. It's hard to investigate this without specialized equipment or investing the time to root the Kindle, since it uses EVDO exclusively, no WiFi capability.
Of course it phones home – Amazon wants your marketing information just like everybody else. I actually don’t know this to be fact. I would worry more about the fact that the Kindle has GPS (not really but sorta GPS) where oh where has my poor cheating SO gone with her Kindle so I can come and keel her secret lover….
As noted by Amazon:
“The Device Software will provide Amazon with data about your Device and its interaction with the Service (such as available memory, up-time, log files and signal strength) and information related to the content on your Device and your use of it (such as automatic bookmarking of the last page read and content deletions from the Device). Annotations, bookmarks, notes, highlights, or similar markings you make in your Device are backed up through the Service. Information we receive is subject to the Amazon.com Privacy Notice.”
6. The Kindle obviously has the ability to store and transmit such behavioral information, given that now multiple Kindles on the same account can keep in sync with one another in terms of content on your Kindle, your current location inside a given book, etc. Amazon plan to extend this capability, along with the base ereader functionality, to other types of devices, over time.
Is this information encrypted in any way? If so, is it real encryption, or is it ROT13? Is it encrypted only in flight, or at rest as well?
See my answer to question 5. The real value here is what are your preferences so that they can sell more stuff to you. Why should it be encrypted – it’s a series of numbers identifying your Kindle & your account's token – nothing of value here – well other than the fact that I just ordered a subscription to the Atlantic and the New York Times and I need my Kindle updated.
7. If the Kindle is phoning home, are Amazon selling your behavioral data to advertisers? Even if they're not, are they mining it (in addition to the data you already consciously and voluntarily give them), and is it stored securely (for some value of 'secure')?
I am going to defer to Amazon on this one:
“Information about our customers is an important part of our business, and we are not in the business of selling it to others….Protection of Amazon.com and Others: We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements; or protect the rights, property, or safety of Amazon.com, our users, or others….With Your Consent: Other than as set out above, you will receive notice when information about you might go to third parties, and you will have an opportunity to choose not to share the information.”
And finally
“How Secure Is Information About Me?
We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input.
We reveal only the last five digits of your credit card numbers when confirming an order. Of course, we transmit the entire credit card number to the appropriate credit card company during order processing.”
8. The Kindle allows you to highlight chunks of books/documents, annotate them with notes, and store them on the device. Are they DRMmed to your particular device, or are they just unencrypted text files, which can be accessed and downloaded via the USB mounting facility (I know which way I'd bet, heh).
Your clippings are .txt files that you can pull right off the Kindle when in USB mode. Why would you DRM to a particular Kindle?
9. I've never used the Kindle Web browser; does it let you store usernames/passwords/cookies for Web sites you access? If so, then they're sitting there on the flash, waiting to be downloaded via USB by anyone who can get hold of the device
The Kindle browser blows. There is no way to say anything good about it. The little configuration it does allow is choosing basic versus advanced mode.
• Set Default View Mode – lets you choose between Advanced and Basic View Modes.
• Clear Cache: Delete temporary Internet files from Kindle browser's cache.
• Clear History: Delete Internet address entries from Kindle browser.
• Clear Cookies: Delete cookies from the Kindle's browser.
• Enable Javascript: In Advanced Mode you can enable execution of Javascript on the pages you visit. Choosing to enable Javascript will probably slow down your browsing speed.
• Show Images: Lets images on pages appear – again, slows down browsing.
In all fairness to Amazon – to get to the browser you have to choose Experimental. I am not sure how security works for everyone but common sense 2.0 tells me that when I find stuff under experimental I shouldn’t trust it with my super secret stuff.
As an aside, I can’t find password on mine – maybe I will do a deeper dive with some other tools.
Those security requirements are way beyond those of the average consumer who already uses Amazon.com to buy books and now wants to read them electronically. As Roland wrote, the convenience of Kindle outweighs the very small security exposure at this time.
The new Kindle app for iPhone now gives one the ability to read Kindle books on a device which can be configured with a 4-digit PIN, which is an improvement.
And since one can force one's Kindle app traffic through the iPhone/iPod touch WiFi interface, one now has the ability to capture and analyze all the Kindle traffic to/from the app, which will be useful in investigating matters further.
I think Amazon got "Remote self-destruct" taken care of, at least in part, since they can delete books (it's not entirely clear if the remote delete capability only applies to DRM'd books bought from Amazon; i.e. is it part of the DRM scheme, or is it part of the Kindle operating system?).
By the way, can you log into your WordPress installation using Kindle? I have tried a few times to log into my own WordPress blog with my new Kindle 2, and I can't seem to (and I double-triple checked my password), even though I can log into Twitter and GMail. I wonder if this is some sort of a bug/"feature" of Amazon's proxy server that Kindle uses …
I really want to convert and upload some docs to my Kindle, but I'm unsure about the privacy. So alas, it's not happening until I know for sure that no one else can see my docs at any stage of conversion and upload.