Security breach in Israeli-made Waze lets hackers stalk users
search

Security breach in Israeli-made Waze lets hackers stalk users

California university researchers find method to flood crowdsourced navigation system with thousands of nefarious 'ghost cars'

Stuart Winer is a breaking news editor at The Times of Israel.

Screen capture of a Waze video clip illustrating the thinking behind the application. (photo credit: Waze/YouTube)
Screen capture of a Waze video clip illustrating the thinking behind the application. (photo credit: Waze/YouTube)

Computer researchers in the US have demonstrated a way of breaching the globally popular Waze road navigation application that allows hackers to track users’ movements or even create fake traffic jams.

Ben Zhao, professor of computer science at University of California-Santa Barbara, was along with his research team able to use the method to create thousands of “ghost cars” in Waze’s system, which could then be used to monitor genuine users, the Fusion website reported Tuesday.

“Anyone could be doing this [tracking of Waze users] right now,” Zhao said. “It’s really hard to detect.”

Created in Israel in 2008 and sold to Google in 2013 for $1.1 billion, Waze provides navigation instructions to drivers that include traffic conditions and road hazards, and has an estimated 50 million users around the world.

Waze at work in Menlo Park, California (photo credit: AP/Paul Sakuma)
Waze at work in Menlo Park, California (AP/Paul Sakuma)

The researchers began their hack by intercepting the transmission that Waze servers use to communicate with users. The Waze servers employ an SSL encryption to communicate with cellphones — a security precaution intended to verify that the servers are communicating with a real phone. By diverting a cellphone running Waze and making it communicate directly with their own computers, researchers were able to reverse-engineer the coding Waze uses to communicate with users’ phones.

Armed with the code, Zhao and his team wrote software that could send instructions to the Waze servers filling the system with virtual “ghost cars” which could be used to create a fake traffic jam — or monitor real drivers located around the virtual vehicles.

As a social networking app, Waze relies on users sharing information such as location and username with other drivers to build up a picture of traffic conditions. The ghost cars were used to gather data from real users enabling tracking of their movements.

Researchers demonstrated the tracking method on one of their own team as well as on a Fusion reporter. They also created a fake traffic jam on a quiet Texas back road in the dead of night, to prove that it could be done but without interfering with users.

“You could scale up to real-time tracking of millions of users with just a handful of servers,” Zhao noted. “If I wanted to, I could easily crawl all of the US in real time. I have 50-100 servers, and could get more from [Amazon Web Services] and then I could track all of the drivers.”

The team, which began testing their theory in the spring of 2014, warned Waze later that year and published their findings in 2015. In January, Waze issued an update of the application which included new cloaking measures but the researchers found they were still able to track users. Nonetheless, Waze users who choose the option of going “invisible” are not vulnerable to the hack.

“It’s such a massive privacy problem,” Zhao said.

Waze co-founder Uri Levine at a Jerusalem conference in May 2013 (photo credit: Flash90)
Waze co-founder Uri Levine at a Jerusalem conference in May 2013 (Flash90)

The hack is similar to one carried out by a pair of Israeli students two years ago when they managed to create fake traffic jams, but gave researchers much more powerful options for manipulating the Waze system.

Fusion speculated that hackers could use the breach to download the activity of drivers who use the app and then make the information public, revealing who had been where and when.

“We needed to get this information out there,” Zhao said. “Sitting around and not telling the public and the users isn’t an option. They could be tracked right now and never know it.”

Zhao warned that the same method could also be used on other social networking apps, and expressed the opinion that plugging the breach would not be a simple task.

“Not being able to separate a real device from a [hacking] program is a larger problem,” said Zhao. “It’s not cheap and it’s not easy to solve.”

A Waze spokesperson told Fusion that, “The company is examining the new issue raised by the researchers and will continue to take the necessary steps to protect the privacy of our users.”

The company is “examining the new issue raised by the researchers and will continue to take the necessary steps to protect the privacy of our users,” the spokesperson added.

In 2014 Israeli students Shir Yadid and Meital Ben-Sinai from the Technion, Israel’s Institute of Technology, demonstrated a method of hacking into Waze and tricking the system to show fake traffic jams. The Israeli researchers also notified Waze of the method at the time.

read more:
comments