Waze App: The Road to Stalking Drivers

Written by

University of California - Santa Barbara researchers have discovered a vulnerability in Waze that allows hackers to track drivers.

The popular directions app uses crowd-sourced information to warn drivers about traffic congestion, construction, accidents, weather-related information and other issues—and then suggests the fastest route around the obstacles. Waze also shows users the other drivers that are in close proximity to them, and their GPS locations. The City of Los Angeles also has a special relationship with the app, as it imports Waze data to use in their own city planning and logistics analysis.

The researchers found [PDF] that once a Waze user was identified, they were able to create and use “ghost riders” to echo the GPS location of the person they wanted to stalk, enabling the ability to virtually follow the victim around, reporting back their GPS locations.

It’s essentially a man in the middle attack: Waze’s servers communicate with phones using an SSL encrypted connection; but the researchers discovered they could intercept that communication, reverse-engineer the Waze protocol, and write a program that issues commands directly to Waze servers.

One silver-lining caveat—after a recent update, the Waze app only broadcasts GPS data when being actively used, not while it’s running in the background, as was the case previously.

The research raises interesting themes around the security of social media applications, according to Deral Heiland, research lead at Rapid7.

“This research points out a common concern related to all social media: if we are willing to share personal data—and in this case GPS location—the possibility of that data being abused exists,” he pointed out, via email.

He added that while the privacy implications are huge, there are future ramifications to consider as well.

“The researchers were successful in creating hundreds of fake Waze users, which they use to make it appear that there was a traffic jam,” he said. “If such data is widely used and trusted, an attacker could leverage it to manipulate traffic patterns. Currently I find this a low risk, but in thinking about the expanding world of automation, and specifically autonomous vehicles, there could be a significant impact over time.”

Photo © Oleksiy Mark

What’s hot on Infosecurity Magazine?