CISO Update #39
Weaponized eBooks

One of the recurring themes of these monthly updates has been the growing arsenal of methods that bad guys have at their disposal to attack us. This month brings together two of those methods: IoT devices and unverified content.

IoT stands for “internet of things” and refers to all those non-computer devices that connect to the internet, and therefore are vulnerable to cyber attack. These devices range from thermostats to medical devices. In many cases the manufacturers really don’t make security a consideration at all. Take the example of the Wi-Fi-enabled hot tub that we covered in January 2019, that could be used as a gateway to your wireless network. Even companies that do a good job with security will miss something from time to time, as we discussed last month. In this case the company is Amazon, which accidentally left a vulnerability in its Kindle e-reader. As discussed in this Threatpost article, researchers discovered that a specially designed eBook could be used to hijack a Kindle, using it to join botnets, steal Amazon credentials, or spy on Wi-Fi networks it joins.  

The other attack method is unverified content. The internet is a great place to download free recipes, program utilities, movies, or other media. So many platforms offer self-published user content, and unfortunately most of these file types can be used to hide malware. Per the Threatpost article, the researchers realized that most anti-virus software doesn’t scan eBooks, so if an attacker can get you to download a weaponized eBook, the game is over. (Note: Most anti-virus software will scan many popular media types, like photos and videos.) And, since most e-reader appliances like Kindle and Nook don’t run anti-virus software anyway, a weaponized eBook becomes a very effective attack method. This is especially true since eBooks can target readers of a particular language or interest group.

What can you do? 

  1. If a device ever goes on the internet, make sure you update its software. Set it to update itself if the feature is offered, or set periodic reminders for yourself. Attackers bank on the fact that lots of people won’t patch vulnerabilities.

  2. Don’t download content from unverified sources. Photos, songs, movies, and books can all be weaponized. Be especially careful of self-published titles. They’re probably fine, but you can never be sure.

The internet has democratized information in unprecedented ways. More people can produce more devices and content than ever before. However, attackers will always be looking for a way to take advantage of that, and our continued vigilance is the best defense.

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit and stay tuned for emails from for the latest from the Cybersafe campaign at FIT. Read past issues here.