How Your E-book Might Be Reading You: Exploiting EPUB Reading Systems

Presented at Black Hat Europe 2021, Nov. 11, 2021, 3:20 p.m. (40 minutes).

In recent years, global e-book sales have shot through the roof and e-book reading applications have sprouted like mushrooms. EPUB, the most popular open e-book format, is supported by free applications on virtually any device, ranging from desktops to smartphones. But how sure are we that these e-books aren't actually reading us?

To answer this question, we analyzed 97 free EPUB reading applications across seven platforms and five physical e-readers using a self-developed semi-automated testbed. It turns out that half of these applications are not compliant with the security recommendations of the EPUB specification. For instance, a malicious e-book is able to leak local file system information in 16 of the evaluated applications.

To further demonstrate the severity of these results, we also performed three case studies in which we manually exploited the most popular application on three different platforms (e.g. Amazon Kindle, Apple Books, and EPUBReader for Chrome and Firefox). Moreover, we demonstrate that distributing malicious e-books through official e-book vendors is very much feasible through self-publishing.


Presenters:

  • Tom Van Goethem - PhD Student, imec-DistriNet, KU Leuven
    Tom Van Goethem (@tomvangoethem) is a researcher with the DistriNet group at KU Leuven in Belgium, mainly focusing on practical side-channel attacks against web applications and browsers. By exposing flaws that result from the unintended interplay of different components or network layers, Tom aims to bring us closer to a more secure web that we all deserve. He has given presentations at various venues such as Black Hat USA and Asia, OWASP Global, and USENIX Security.
  • Gertjan Franken - PhD Student, imec-DistriNet, KU Leuven
    Gertjan Franken is currently active as a PhD student at imec-DistriNet, KU Leuven. His main interests lie in the field of web security and privacy. More specifically, he spends most of his time automating the evaluation of browser security and privacy policies.

Links:

Similar Presentations: