The Kindle has never been considered the most secure of devices. Even here on this site you’ll find many hacks for Kindles from the first generation forward. Still, this might be the first time I can think of that there has been a hole in the device’s security that poses a genuine problem for both users and Amazon.
heise Security has recently released proof-of-concept code that demonstrates the potential for remotely exploiting Kindle Touch devices. The problem occurs in the most recent Kindle Touch firmware, 5.1.0. The vulnerability allows commands to be injected into the eReader through the WebKit browser. These commands are then executed with root privileges, essentially giving malicious code total control over your Kindle.
Amazon is aware of the problem and working on a patch. According to the MobileRead forums, the first indications that there might be a problem to fix came up as early as April, so they are clearly taking their time about it. Various reports indicate that there may be some difficulty getting the patch pushed to Kindle Touch users, but until we know more about Amazon’s response that may be speculation.
There are no indications at this time that anybody has managed to create malicious code directed at Kindle Touch users. While some speculation has revolved around turning Kindles into nodes in massive botnet attacks, that is just potential at this stage. There are, of course, measures you can take to protect yourself.
The most obvious way to stay safe until this is fixed is to avoid the internet. Turning off your wireless connection, whether WiFi or 3G, will save you battery life and put your mind at ease. If you don’t find that appealing, sticking to Amazon’s services and trusted sites will also go a long way toward security.
If that is not enough and something more drastic is desired, there is a way to patch the hole yourself. For complete instructions, head over to MobileRead and learn about jailbreaking your device. Ironically, it seems that the most common jailbreaking method right now also uses the exploit in question. Once you have gained root privileges for your Kindle Touch, however, a tool has been uploaded in this thread that should disable browser-based exploitation from remote sites.
This is probably not a big deal for most users, but it has the potential to turn into something major for Amazon. A properly made piece of malware could theoretically turn their Kindle Touch line into an internet attack network. That would be a PR nightmare and cost an unbelievable amount thanks to the free 3G these devices enjoy. However, the limitations of the exploit as it is currently understood make it unlikely that any personal information could be stolen or that users could in other ways be easily harmed.
Exercise safe browsing habits and wait for Amazon to issue a firmware update. New Kindle Touch units are already shipping with 5.1.1 firmware and that will likely be making its way to existing customers soon enough. Some reports indicate that this update will patch the security hole, though that is not yet confirmed.