You Would be Giving open Invitation to Hackers for Following you by Using Waze.
Waze is a well-known and widely used navigation app developed and owned by Google. It is in use by literally millions of drivers because it helps in identifying the most appropriate, safe, and fastest route to any destination. However, according to the latest research (Pdf) by the University of California-Santa Barbara people relying upon this app for navigational purposes might be at the risk of being stalked by malicious actors.
There is a vulnerability in Waze that makes it dangerous for users because this weakness lets the app create thousands of “ghost drivers,” which can be used to keep track of the drivers and also potentially cause harm to Waze users. This tracking occurs in real-time and according to the university’s computer science professor Ben Zhao, the leader of the research team, this is a “massive privacy problem.” Professor Zhao personally tested this vulnerability for three consecutive days and identified that he was able to track his movements around Las Vegas.
But how does it happen? Let us tell you in detail. The servers through which Waze operates can communicate with phones through an SSL encrypted connection. This is more like a security measure because it ensures that Waze computers are communicating with the Waze app installed on the user’s smartphone.
As per the findings of Professor Zhao and his teammates, which comprised of his graduate students, they were able to intercept this particular communication by enabling the phone to accept their computer as a middle-man between the ongoing connections. When this is done and the phone-Waze servers’ connection is intercepted, Waze protocol is reverse-engineered and this helps in learning the language used by the app to communicate with back end app servers.
When this particular piece of information is acquired, a program can be easily written to issue commands directly to the servers of the app. In this fashion, the researchers were able to populate the app’s system with “ghost cars.” Ghost cars refer to cars that can create fake traffic jams given the fact that this is a social app where locations are broadcast by drivers and drivers are monitored in real-time.
We can say that this sort of attack is quite similar to the one conducted two years ago by students from Israeli University. In that experiment, the students used emulators to transmit traffic bots into this app and they managed to create a fake traffic jam. The emulator pretended to be a smartphone but in that particular experiment, the researchers could only produce a few fake vehicles into the Waze system.
In the current study, however, the new technique used by the UC-Santa Barbara team is much more effective and extensive in its scope. It can run scripts on any given laptop and thus, create thousands of invisible vehicles by exploiting the Waze system. These vehicles can later be sent into various grids present on a map and conduct full surveillance of any location.