Waze has become one of the most popular GPS navigation applications for mobile users, with millions of drivers using the app across multiple platforms, including iOS, BlackBerry OS, Windows Phone, and of course Android OS. With such popularity comes great responsibility for user privacy, but worryingly enough, researchers in California have found a new Waze vulnerability that can technically allow hackers to track a driver’s movements in real time.
Researchers at the University of California, Santa Barbara, have recently uncovered a Waze vulnerability that hackers can exploit to intercept a user’s connection with the Waze servers and thus track the driver’s movements in real time. More specifically, Waze communicates with a user’s smartphone over an SSL-encrypted connection, which should, theoretically, prevent such scenarios from happening. However, Ben Zhao, professor of computer science at the University of California, Santa Barbara, and his research team of graduate students recently uncovered an exploit that allowed them to intercept a Waze SSL-encrypted connection by getting a smartphone to accept a local computer as a “middleman” for its connection with the Waze servers. This allowed the research team to reverse-engineer the Waze protocol, write a program that can issue commands to the Waze servers, and thus populate the system with thousands of fake “ghost cars”. These ghost cars can then be used to track drivers around them, and can even cause fake traffic jams. This is a “massive privacy problem”, according to Ben Zhao, not only because the exploit can allow hackers to track a driver in real time, but also because the vulnerability can be used to manipulate and redirect traffic.
Furthermore, Ben Zhao determined that the exploit is difficult to detect, which means that “anyone could be doing this [exploiting the vulnerability] right now”. The professor also added that the exploit could be scaled up to track millions of Waze users in real time using “just a handful of servers”. In theory, the exploit could also allow a hacker to tap into the Waze system and download the driving history of all users. Fortunately, a Waze spokesperson confirmed that the company is examining the issue and is taking steps to protect user privacy. Meanwhile, until Waze devises a fix, users can avoid being tracked by enabling invisible mode whenever they launch the application.