University of California researchers proved it is relatively easy to track Waze users in real time and manipulate their movements.
A serious security breach has been discovered in Waze, the Google-owned Israeli navigation and traffic monitoring app used by millions of drivers worldwide. It seems that Waze, whose slogan is "Outsmarting Traffic, Together," can be outsmarted by hackers, researchers at the University of California Santa Barbara have found, with serious privacy implications for users and scope for criminal abuse.
The researchers found that hackers can break into users' accounts, track the users in real time, issue instructions and provide an inaccurate picture of traffic at any given time. The breach allows hackers to create thousands of accounts or "virtual cars" that can track users in their vicinity in real time and create fake traffic jams. The researchers succeeded in proving this claim over a period of three days with drivers in San Francisco and Los Angeles.
Waze’s servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze’s computers are really talking to a Waze app on someone’s smartphone, explains tech website "Fusion."
However, Ben Zhao, professor of computer science at UC-Santa Barbara, and his research team discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze’s back-end app servers. The researchers could then write a program that issued commands directly to Waze servers, letting them fill the Waze system with thousands of “virtual cars” that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them.
Having been warned about the breach, Waze updated its app in January; however, it seems that this has not successfully solved the problem. Waze’s spokesperson said, "The company is examining the new issue raised by the researchers and will continue to take the necessary steps to protect the privacy of our users."
The findings have implications for all crowdsharing apps, although Waze is more sensitive because of its location-based data. In theory, "Fusion" speculates, there could be a massive "Ashley-Madison" style break-in with the entire movements of millions of people downloaded and laid bare on the Internet for those interested to examine.
© Copyright of Globes Publisher Itonut (1983) Ltd. 2021