

Millions Of Waze Users Can Have Their Movements Tracked By Hackers (fusion.net)

An anonymous reader quotes a report from Fusion: Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of "ghost drivers" that can monitor the drivers around them -- an exploit that could be used to track Waze users in real-time. Here's how the exploit works. Waze's servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze's computers are really talking to a Waze app on someone's smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze's back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of "ghost cars" -- cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them. You can read the full paper detailing the researchers' findings here. Is there a solution to not being tracked? Yes. If you're a Waze user, you can set the app to invisible mode. However, Waze turns off invisible mode every time you restart the app so beware.
  • "You can switch to invisible mode at any time, which means for that specific drive: (1) you will appear as offline to your friends; (2) your Waze icon will show on the map; (3) you will not be able to send reports, add/edit places, or send messages to friends and other Wazers." #2 doesn't make any sense to me. Do I need Ron Weasley to snag me the invisibility cloak?
  • Broken by design

    by Anonymous Coward on Tuesday April 26, 2016 @11:32PM (#51993787)
    This wouldn't be a problem if the app wasn't designed to track your whereabouts and broadcast them. I'm not sure I have much sympathy for anyone using the app who is surprised by this, since tracking you and sending your info to others is the app's stated purpose.
    • by Anonymous Coward on Tuesday April 26, 2016 @11:45PM (#51993825)

      And that's a price I'm willing to pay if it means I can use the absolute best car navigation tool on the planet. It has saved me dozens of hours of time in traffic. I use it even when I know exactly where I am going because in Houston, you never know where the horrendous car accident which shuts down 3 lanes for an hour is going to be.

      • by Anonymous Coward

        It is of little to no help in Austin, especially when compared to a local traffic service that watches roads and can show bottlenecks on a webpage.

        The app demands to know where you are 24/7, even when not using the app, and it wants you to identify yourself. Why should I allow an unknown third party to have knowledge of where I am at all times, with permission (as per the EULA) where that info can be handed/sold to anyone that Waze so pleases? I'm gaining little to no benefit for this.

        There are too many i

  • by Anonymous Coward

    Okay, someone at their IRB failed to run this by their legal department.

    Because you really should not be committing a felony during your research. https://www.law.cornell.edu/uscode/text/18/1030

    • by AK Marc ( 707885 )
      What's the issue? They reverse engineered a protocol, then emulated thousands of users. I saw nothing in the law that prevents emulating a user. They essentially accessed Waze using an API. It's just that the publicly accessible API wasn't expected to be used. And like most data, 1000x innocent data becomes something creepy. Like walking on the sidewalk isn't creepy, but walking past the same house 1000 times is.
  • You're only supposed to blow the bloody doors off!

  • Easy answer: use an offline satnav app.

    How hard can it be? Everybody and their dogs know Waze is a user profiler / tracker disguised as a useful app - like all Google products.

    In fact, if you're worried about being tracked, don't use Google products. People should be more worried about what Google learns about them through Waze than what any potential hackers of that system could.

  • Millions of Waze users can have their movements tracked by other Waze users #noissuethere

    (The protocol reverse engineering and the ability to spoof extra cars are newsworthy, I'd guess - but the headline is completely pointless)

  • Nothing really new here. Many things are possible if you can insert yourself in the data stream. But without breaking into data centers how are you going to do this?

    • by Macdude ( 23507 )

      Exactly, the real story here:

      Google too stupid to prevent man-in-the-middle attack on Waze.

  • Millions Of Waze Users Can Haz Their Movements Tracked By Hackers

  • by 110010001000 ( 697113 ) on Wednesday April 27, 2016 @07:25AM (#51995445) Homepage Journal
    Oh no... someone could track WazeUser83840 using an application that is meant to track their location. I found another hack: you can use Find my iPhone to find someone's iPhone. The horror!
  • Spoiler: I go to work. Later, I go home.
  • They found a way to populate Waze with hundreds of fake cars and create a ghost traffic jam. They could easily use this method to clear a path in any city anytime. They could create a derivative app that will let the users clear a way and sell it at a much higher price. Instead, they went ahead and babbled all over the world. Now a good opportunity to earn some serious money is lost forever for everyone.

    Loose lips sink ships. Hacking boast, dollars lost.

  • I thought the whole point of Waze was that you could see where other drivers (including perhaps certain people you want to track) are. It puts an icon representing you on the road (with your choice of avatar) for others to see. It doesn't exactly take mad haxxor skillz to track someone with Waze, it just takes an account.

    If you only want a single big company to track you, that's what Google Maps is for.

  • So, Waze needs to have the app properly implement SSL Certificate Pinning (in order to prevent a MITM SSL proxy that works via an additional Certificate Authority). Of course then it's likely still vulnerable to some reverse engineering of the app to get around that.
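Added example, not code from the Slashdot thread, the Fusion report or the UCSB paper: the SPKI pinning check the comment above calls for, in Python. The pin is Base64(SHA-256(SubjectPublicKeyInfo)), the format HPKP and Android's network security config use; the two certificates are constructed, unsigned stand-ins that only follow the X.509 field order (assumed subject `example.invalid`, made-up key bytes), standing in for the genuine Waze server certificate and for the certificate an interception proxy would present under a user-installed CA.

```python
import base64
import hashlib

def tlv(tag, body):
    """Encode one DER element with definite length."""
    n = len(body)
    if n >= 0x80:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(raw)]) + raw + body
    return bytes([tag, n]) + body

def children(der):
    """Split a run of DER elements into (tag, body) pairs."""
    out, i = [], 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        out.append((tag, der[i:i + n]))
        i += n
    return out

def spki_of(cert_der):
    """Return the SubjectPublicKeyInfo element of an X.509 certificate (DER)."""
    _, cert_body = children(cert_der)[0]
    _, tbs_body = children(cert_body)[0]          # tbsCertificate
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:                      # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return tlv(*fields[5])

def pin_of(cert_der):
    """Base64(SHA-256(SPKI)): pins survive certificate renewal with the same key."""
    return base64.b64encode(hashlib.sha256(spki_of(cert_der)).digest()).decode()

def fake_cert(public_key):
    """Constructed, unsigned stand-in with real X.509 field order (test data only)."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    alg = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), tlv(0x05, b""))
    name = seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0c, b"example.invalid"))))
    validity = seq(tlv(0x17, b"160426000000Z"), tlv(0x17, b"170426000000Z"))
    spki = seq(alg, tlv(0x03, b"\x00" + public_key))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, name, validity, name, spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" + bytes(32)))

# Constructed keys: the app ships the server's pin; the proxy's key is different,
# so its pin fails even though an added CA would make normal chain validation pass.
SERVER_CERT = fake_cert(b"\x01" * 64)
PROXY_CERT = fake_cert(b"\x02" * 64)
PINS = {pin_of(SERVER_CERT)}   # a real deployment also ships a backup pin
```

In the real app the bytes to check come from the TLS socket's peer certificate (`getpeercert(binary_form=True)` in Python), and the connection is dropped when `pin_of(...)` is not in the pin set.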
