If you’re navigating via the popular Israeli application known as Waze, then you’re at risk of being followed by hackers, research published by the website Fusion shows.
Researchers at the University of California-Santa Barbara discovered a vulnerability that allowed them to create thousands of “ghost drivers” on the application that can monitor the drivers around them. The same method can be used to track Waze users in real-time.
They proved their finding to Fusion writer Kashmir Hill by tracking her own movements around San Francisco and Las Vegas over a three-day period.
“It’s such a massive privacy problem,” Ben Zhao, the professor of computer science who led the research team, said.
It’s not the first time a bug has been reported in Waze. In a 2014 prank, two Israeli software engineering majors launched a cyberattack on the application that caused it to report a nonexistent traffic jam.
Nimrod Partush, who initiated that cyberattack, told Haaretz at the time he was confident Waze would resolve the problem.
But, not so fast, it seems.
The Santa Barbara team has found it is possible to monitor communications between cellphones and Waze’s servers by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze’s back-end app servers.
With that knowledge in hand, the California team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of “ghost cars”—cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them.
Just like the students at the Technion, the American researchers also managed to create fake traffic jams, Fusion writes.
The scary part, said Zhao, is that “we don’t know how to stop this.” He said that servers that interact with apps in general are not as robust against attack as those that are web-facing.
“Not being able to separate a real device from a program is a larger problem,” said Zhao. “It’s not cheap and it’s not easy to solve. Even if Google wanted to do something, it’s not trivial for them to solve. But I want them to get this on the radar screen and help try to solve the problem. If they lead and they help, this collective problem will be solved much faster than if they don’t.”
In response, Waze told Fusion that “Waze constantly improves its mechanisms and tools to prevent abuse and misuse. To that end, Waze is regularly in contact with the security and privacy research community—we appreciate their help protecting our users.”
“This group of researchers connected with us in 2014, and we have already addressed some of their claims, implementing safeguards in our system to protect the privacy of our users.”
Waze added that “users expect to offer certain information about their route in exchange for unparalleled navigation assistance.” According to Waze, the app employs a “system of cloaking” so that a user’s location as displayed on the application “from time to time” doesn’t represent their actual location.
Smartphone forensic scientist Jonathan Zdziarski argued, though, that it may not be so unexpected for Waze to monitor your movements.
“Waze is building their platform to be social so that you can track people around you. By definition this is going to be possible,” Zdziarski said.
“The crowdsourced tools that are being used in these types of services definitely have these types of data vulnerabilities.”