Waze is an awesome driving app that also lets hackers stalk you

Elena Scotti/FUSION

I use and love Waze every day to make driving in Los Angeles manageable for me. I still use it despite periodic bursts of tech news reports that the app leaves me vulnerable to security attacks and surveillance.

I'm not alone: millions of other people use Waze, too. Today, Fusion's Kashmir Hill reports that I and my fellow millions all run the risk of having hackers track our movements. I'm digging in my closet right now, rooting around for my old Thomas Bros maps.

Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of “ghost drivers” that can monitor the drivers around them—an exploit that could be used to track Waze users in real-time. They proved it to me by tracking my own movements around San Francisco and Las Vegas over a three-day period.

“It’s such a massive privacy problem,” said Ben Zhao, professor of computer science at UC-Santa Barbara, who led the research team.

Here’s how the exploit works. Waze’s servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze’s computers are really talking to a Waze app on someone’s smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze’s back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of “ghost cars”—cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them.

"If you use Waze, hackers can stalk you" [fusion]

Notable Replies

  1. Even worse, it could lead to another bad remake of The Italian Job.

  2. Just another reason to uninstall it. Its routing sucks. It once told me to make an illegal left turn over a concrete median, from a right-turn-only intersection. It routinely tries to take me several blocks out of my way, just to avoid a left turn at a traffic light, on a little-used street. Its interface is cartoonish and difficult to read. Its warnings are usually wrong, or expired.

    As its traffic info is now available in Google Maps, I don't see any reason for it to take up space on my phone.

  3. It could also be used to reroute you around the fake traffic jam, into the ambush.

  4. I'm also not a fan of the fact that the iOS version of the app limits your choices on how you permit it to use location services. You can allow it always, or never. That's it. Unlike many apps, there's no option to only allow location usage while the app is active.

  5. That one's because of the community editors. Not to give them a hard time. It's like Wikipedia. Most of the time it's great. And sometimes ... :construction:

    I don't know about Maps because I don't use it for my commute but Google figured out my commute and "helpfully" gives me a heads up (in the form of a notification that usually sounds alarmingly like a text message) whenever it thinks there's anything that might obstruct my commute.
