If you’re a Waze user, listen up! A new exploit has been found that could make it easy for hackers to track your location whenever you’re using the popular Google-owned navigation app. The exploit uses an HTTPS proxy to carry out a “man-in-the-middle” attack to track Waze users in real time.
Researchers at the University of California-Santa Barbara found that they were able to intercept the SSL-encrypted communications link between a user’s smartphone and Waze servers. Once the researchers got their foot in the door, so to speak, they were able to reverse-engineer Waze’s protocol, which let them talk directly with the servers that run the social-heavy navigation app.
Having cracked the code on how Waze servers communicate with users and how those users interact with each other, the researchers were then able to create their own army of thousands of fake “ghost cars” using what is in essence a virtual smartphone to roam around Waze’s real-time map. Not only could ghost cars issue fake reports or cause traffic jams on the digital map that don’t actually exist in the real world, but they could also be used to track unsuspecting users whenever they are actively using the app.
Flooding Waze with false data isn’t new; Miami police performed similar shenanigans last year to show their disdain for the app.
UC-Santa Barbara computer science professor Ben Zhao decided to test out his team’s findings with real Waze users, and used one of his own graduate students as a guinea pig. Using the hack, Zhao was able, with permission, to accurately track the whereabouts of his student. “He drove 20 to 30 miles and we were able to track his location almost the whole time. He stopped at gas stations and a hotel.”
The ghost cars were able to track the grad student’s location because Waze displays your location to other users due to the social nature of the app. Having enough ghost cars around any particular user in effect allows that user to be tracked at any given time. The only way around this is to set your Waze account to invisible, but this option is reset every time you restart the app. And since a user probably wouldn’t remember to set it again every time they opened the app, that leaves scores of users vulnerable.
“You could scale up to real-time tracking of millions of users with just a handful of servers,” Zhao added. “If I wanted to, I could easily crawl all of the U.S. in real time. I have 50-100 servers, and could get more from [Amazon Web Services] and then I could track all of the drivers.”
Currently, the exploit is only possible if Waze is running in the foreground on your smartphone. That’s a given if you’re using your smartphone in your car on a daily basis during your commute or when running errands. Google, however, closed an even more disturbing loophole that allowed users to be tracked when the application was running in the background.
For its part, a Google spokesman told Fusion, “The concept of Waze is that we all work together to share information and impact the world around us. Users expect to offer certain information about their route in exchange for unparalleled navigation assistance.”