[ad_1]
How safe is your e-reader? A workforce of safety researchers curious to discover e-book safety analyzed free EPUB studying functions and bodily e-readers and located that many apps do not adjust to safety suggestions, and a few standard functions are weak to exploitation.
Gertjan Franken and Tom Van Goethem are doctoral college students with imec-DistriNet at KU Leuven in Belgium. Their mission started when Franken was desirous about his personal e-reader and the way e-books are rendered. Some preliminary studying revealed the topic space shared commonalities with different subjects they had been exploring as a part of their Ph.D. program, so that they determined to dig into it.
“I mentioned with Tom, and we shortly found that quite a lot of these functions aren’t truly as safe as they need to be,” Franken says in an interview with Darkish Studying.
Their investigation consisted of a large-scale research wherein they analyzed 97 free EPUB studying functions throughout seven platforms, in addition to 5 bodily e-readers.
“Earlier than, there was not likely that a lot current analysis on the safety of e-book studying techniques,” Van Goethem says. “We needed to discover the way in which we wished to judge these studying techniques from scratch.”
The workforce analyzed the EPUB functions utilizing a semi-automated framework they constructed. They discovered half of the functions weren’t compliant with safety suggestions of the EPUB specification. For instance, a malicious e-book can leak native file system info in 16 of the functions they evaluated.
Whereas semi-automation helped velocity issues up, Franken notes it additionally let some vulnerabilities slip by way of the cracks. When an attacker chooses a goal, he says, they analyze an software themselves. Because of this, the workforce determined so as to add guide analysis to their analysis.
“I additionally assume that is the extra fascinating half … we discovered some fascinating vulnerabilities there,” Franken provides.
To exhibit the severity of their outcomes, Franken and Van Goethem carried out three case research wherein they manually exploited the preferred software on three platforms: Amazon Kindle, Apple Books, and the browser extension EPUBReader for Chrome and Firefox.
One of many flaws with the biggest affect was within the browser extension, Van Goethem notes. A bug he says is difficult to take advantage of might let an attacker entry info on different websites the goal is logged onto, if the sufferer uploads a malicious EPUB software to the extension. He says they contacted the creator of the appliance, although it is unclear if a patch can be launched.
Classes LearnedOne of the important thing takeaways from this research was the significance of getting automation proper, says Franken. They wished to make the analysis as seamless as attainable, however this was troublesome for the EPUB functions as a result of their interfaces are fairly completely different, he explains. Ironing out the problems with automation was probably the most difficult side of the mission to this point, he says.
The sheer measurement of the research was one other problem, provides Van Goethem. As a result of they’re in tutorial analysis, their foremost aim typically is to completely perceive a whole ecosystem. This implies once they conduct a research, it is usually at a big scale to incorporate as a lot of the ecosystem as attainable.
“That is why we did not simply analyze the e-reading techniques themselves, however we additionally tried to gather a really massive set of EPUBs from the wild,” he says. The workforce downloaded completely different torrents, and obtained EPUBs in methods different customers may attempt to receive them, and analyzed these to see if there was any malicious exercise.
Thankfully, he says, they did not discover any ongoing assaults however given their findings, it appears this may be an space for attackers to presumably transfer into sooner or later.
Franken and Van Goethem will current their analysis at Black Hat Europe in an upcoming speak entitled “How Your E-book May Be Studying You: Exploiting EPUB Studying Methods.”
[ad_2]