Millions Of Waze Users Can Have Their Movements Tracked By Hackers

An anonymous reader quotes a report from Fusion: Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of "ghost drivers" that can monitor the drivers around them -- an exploit that could be used to track Waze users in real-time. Here's how the exploit works. Waze's servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze's computers are really talking to a Waze app on someone's smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze's back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of "ghost cars" -- cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them. You can read the full paper detailing the researchers' findings here. Is there a solution to not being tracked? Yes. If you're a Waze user, you can set the app to invisible mode. However, Waze turns off invisible mode every time you restart the app so beware.

From the Waze help page on invisible mode.

[techvet]

"You can switch to invisible mode at any time, which means for that specific drive: (1) you will appear as offline to your friends; (2) your Waze icon will show on the map; (3) you will not be able to send reports, add/edit places, or send messages to friends and other Wazers." #2 doesn't make any sense to me. Do I need Ron Weasley to snag me the invisibility cloak?

Re:Slashdot is alarmist

[Motherfucking Shit]

There are lots of stories about how the government is supposedly taking away our freedoms and a police state is coming. That police state hasn't happened.

Last year in America, the police stole^Wconfiscated more money and belongings from citizens through civil forfeiture than burglars stole. America has secret courts issuing secret warrants and serving secret orders that no one is allowed to talk about. Police are driving around using secret equipment to intercept cellphone calls and text messages, demonstrably without warrants. Cops in Chicago arrest and "disappear" citizens into a black hole of a dungeon facility called Homan Square, without even their lawyers being told where they are.

If you don't see the police state, you simply aren't fucking looking.

They run lots of stories about how Microsoft is tracking people and doing bad things with data collected through telemetry. That hasn't happened.

How do you know? None of us have any idea what Microsoft is doing with that data.

Re:

[bill_mcgonigle]

That police state hasn't happened.

Aside from Waze streaming all of its users' position updates to the NSA via its Israel office, right?

Nobody reads the Terms of Service anymore.

Broken by design

[Anonymous Coward]

This wouldn't be a problem if the app wasn't designed to track your whereabouts and broadcast them. I'm not sure I have much sympathy for anyone using the app who is surprised by this, since tracking you and sending your info to others is the app's stated purpose.

Re: Broken by design

[Anonymous Coward]

And that's a price I'm willing to pay if it means I can use the absolute best car navigation tool on the planet. It has saved me dozens of hours of time in traffic. I use it even when I know exactly where I am going because in Houston, you never know where the horrendous car accident which shuts down 3 lanes for an hour is going to be.

Re:

[Anonymous Coward]

It is of little to no help in Austin, especially when compared to a local traffic service that watches roads and can show bottlenecks on a webpage.

The app demands to know where you are 24/7, even when not using the app, and it wants you to identify yourself. Why should I allow an unknown third party to have knowledge of where I am at all times, with permission (as per the EULA) where that info can be handed/sold to anyone that Waze so pleases? I'm gaining little to no benefit for this.

There are too many i

What?

[Anonymous Coward]

Okay, someone at their IRB failed to run this by their legal department.

Because you really should not be committing a felony during your research. https://www.law.cornell.edu/uscode/text/18/1030

Re:

[AK Marc]

What's the issue. They reverse engineered a protocol, then emulated thousands of users. I saw nothing in the law that prevents emulating a user. They essentially accessed Waze using an API. It's just that the publicly accessible API wasn't expected to be used. And like most data, 1000x innocent data becomes something creepy. Like walking on the sidewalk isn't creepy, but walking past the same house 1000 times is.

Re:

[DrXym]

Waze is absolutely commercial in nature. Users might get to use it for free but they are giving up valuable information in return - where they drive, where they live, where they work, what hours of the day they drive, what hotels, stores and supermarkets they visit or pass by, where they fill up, traffic conditions and more besides. Waze could even make strong inferences about a person's lifestyle, job and character by how they drive, places they've visit and their susceptibility to change routes if the app

Re:

[jafiwam]

Err. Waze is non commercial in nature. It is a navigation app, not a commercial app selling or buying stuff

Uhnm... ads? Locations on the map, plus pop-ups at traffic stops.

Re:

[AK Marc]

There is no authorization, so unauthorized access is everyone, including regular users of the app.

Re:

[karmatic]

The CFAA limits itself to protected computers, which largely applies to government, but does have a section for "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access".

There was no intent to defraud here.

Alternatively, there is another section,

"knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentiona

The Italian job, anyone?

[spongman]

You're only supposed to blow the bloody doors off!

Solution to not being tracked?

[Rosco P. Coltrane]

Easy answer: use an offline satnav app.

How hard can it be? Everybody and their dogs know Waze is a user profiler / tracker disguised as a useful app - like all Google products.

In fact. If you're worried about being tracked, don't use Google products. People should be more worried about what Google learns about them through Waze than what any potential hackers of that system could.

Re:Solution to not being tracked?

[110010001000]

Really? The point of Waze is not navigation. It is real time alerts on the presence of police, traffic, disabled vehicles, etc.

Re:Solution to not being tracked?

[jratcliffe]

I would argue that the point of Waze IS navigation, optimized for real-time conditions.

Meanwhile, in other news...

[Pope Raymond Lama]

Millions of Waze users can have their movements tracked by other Waze users #noissuethere

(The protocol reverse engineer and the ability to spoof extra cars are news worthy, I'd guess - but the headline is completely pointless)

Man in the middle

[pcjunky]

Nothing really new here. Many things are possible if you can insert yourself in the data stream. But without breaking into data centers how are you going to do this?

Re:

[Macdude]

Exactly, the real story here:

Google too stupid to prevent man-in-the-middle attack on Waze.

Headline correction

[wonkey_monkey]

Millions Of Waze Users Can Haz Their Movements Tracked By Hackers

Oh no

[110010001000]

Oh no...someone could track WazeUser83840 using an application that is meant to track their location. I found another hack: you can use Find my iPhone to find someones iPhone. The horror!

Re:

[Scoth]

It can do voice commands, which requires the microphone. You can post pictures of accidents, traffic, etc which requires the camera. You can send notifications about arrival times and traffic jams to contacts via SMS and various social media platforms, and it can use those platforms to link up friends as well as post the arrival check-ins that people find popular. One of the issues of Android permissions is it's tricky to know exactly what they plan on doing with the access once they get it. An app may want

Spoiler Alert

[mschoolbus]

Spoiler: I go to work. Later, I go home.

Iditoic myopic researchers.

[140Mandak262Jamuna]

They found a way to populate the Waze with hundreds of fake cars and create a ghost traffic jam. They could easily use this method to clear a path in any city anytime. They could create a derivative app that will let the users clear a way and sell it at a much higher price. Instead, they went ahead and babbled all over the world. Now a good opportunity to earn some serious money is lost for ever for every one.

Lose lips sink ships. Hacking boast, dollars lost.

But that's the POINT of Waze

[T.E.D.]

I thought the whole point of Waze was that you could see where other drivers (including perhaps certain people you want to track) are. It puts an icon representing you on the road (with your choice of avatar) for others to see. It doesn't exactly take mad haxxor skillz to track someone with Waze, it just takes an account.

If you only want a single big company to track you, that's what Google Maps is for.

Re:

[Webs 101]

The positions of the Waze icons aren't live. They are delayed a few minutes for a bit of privacy from other users.

Re:

[RayHs]

Um, isn't Waze owned by Google?

SSL Certificate Pinning

[Athanasius]

So, Waze need to have the app properly implement SSL Certificate Pinning (in order to prevent a MITM SSL proxy that works via an additional Certificate Authority). Of course then it's likely still vulnerable to some reverse engineering of the app to get around that.