Vulnerability allows real-time tracking of 50 million Waze nav app users

Hit the brakes!

Vulnerability allows for real-time tracking of all 50 million Waze users

A vulnerability could allow attackers to track in real-time the movements of all 50 million Waze users.

Waze is a “community-based traffic and navigation app” available for Android, iPhone, and Windows Phone. It enables drivers to share traffic and road information with one another, including alerts on police stops, accidents, constructions, hazards, and traffic jams.

Waze then analyzes that data for local users and plots out an optimal path for their daily commutes that will consume the least amount of time and gas.


Sounds nifty, right? It is… but only to an extent.

Researchers at the University of California-Santa Barbara have discovered a vulnerability that would effectively allow a hacker to track the movements of any of Waze’s 50 million users.

Specifically, they found they could set up an HTTPS proxy man-in-the-middle (MitM) to intercept all communication between a user’s phone and Waze’s servers, which talk with each Waze client via SSL.

With that setup in place, the researchers found they could reverse engineer the app’s communication protocols and use that knowledge to issue commands directly to Waze’s servers.

Here’s where it gets interesting.

The team discovered a way to populate the system with thousands of “ghost cars” - which are not the same as Uber’s “phantom riders” - to create fake traffic jams that would reroute users unnecessarily or to monitor their every move.

Jam attack

It’s such a massive privacy problem,” Ben Zhao, professor of computer science at UC-Santa Barbara and leader of the research team, told Fusion.

To test their discovery, which is explained at length in a technical paper, Zhao and his graduate students tried to track a member of their team and Fusion journalist Kashmir Hill.

Both tests proved successful. The team tracked their consenting researcher guinea pig for 20-30 miles, and they knew when he stopped at gas stations and a hotel. As for Hill, they were able to track her movements when she took a taxi to downtown Las Vegas and when she was commuting on a bus in San Francisco.

Tracking Waze users

It’s important to note the hack does have its limitations. The researchers could track Hill only while she was in a vehicle, for example, and they lost sight of her when she entered the subway. Additionally, for the hack to work, Waze must be actively running on a target’s phone and cannot just be running in the background.

Even so, Zhao still feels the hack poses a significant danger to users - not only of Waze but other apps, as well:

This is bigger than Waze. With a [dating app], you could flood an area with your own profile or robot profiles and basically ruin it for your area. We looked at a bunch of different apps and nearly all of them had this near-catastrophic vulnerability.”

Waze is currently investigating the issue. In the meantime, all users of Waze might want to consider setting their app to invisible mode so that they don’t broadcast their information. They will need to set Waze to this setting every time they turn on their phone.

It remains to be seen whether this attack definitely threatens other apps. As a general rule of thumb, however, it’s a good idea to disable location-sharing on all mobile devices.


Tags: , ,

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, ,

One Response

  1. Yor Welcome

    April 30, 2016 at 12:14 am #

    negative, incorrect. just more academia scare tactics and speculations about something they usually know nothing about but they’re happy to tell you anyway.

    read the story

    Yor Welcome

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.