California-based computer researchers have exposed a security lapse in the popular Israeli navigation app Waze allowing hackers to create "ghost cars" capable of creating fake traffic jams and tracking real users.
"It’s such a massive privacy problem," University of California-Santa Barbara computer science professor Ben Zhao told the website Fusion on Tuesday.
"Anyone could be doing this right now. It’s really hard to detect," he added.
Developed by an Israeli tech start-up in 2008, Waze provides road navigation instructions, including traffic conditions and road hazards, to an estimated 50 million users around the world. The app was sold to Google in 2013 for $1.1 billion.
Zhao and his team were able to intercept the SSL-encrypted connection between Waze servers and users' smartphones, which is intended to ensure the servers are communicating directly with a real phone.
Acting as a go-between, the team was able to learn the code Waze uses to communicate with users' smartphones and write a program capable of giving commands directly to Waze servers, allowing them to populate it with "ghost cars."
Zhao and his researchers tested the hack on a member of their own team, following him as he drove around Los Angeles.
"He drove 20 to 30 miles and we were able to track his location almost the whole time," Zhao told Fusion. "He stopped at gas stations and a hotel."
Zhao speculated that the hack could be used to download and publicize the activity of drivers, revealing who had been where and when.
"You could scale up to real-time tracking of millions of users with just a handful of servers," Zhao noted. "If I wanted to, I could easily crawl all of the US in real time. I have 50-100 servers, and could get more...and then I could track all of the drivers."
Zhao's team began investigating the app's vulnerability in 2014. They informed the security team at Google about the potential security breach, and published a report on their findings last year.
"Waze constantly improves its mechanisms and tools to prevent abuse and misuse. To that end, Waze is regularly in contact with the security and privacy research community - we appreciate their help protecting our users," a Waze spokesperson said in an emailed statement to Fusion.
"This group of researchers connected with us in 2014, and we have already addressed some of their claims, implementing safeguards in our system to protect the privacy of our users," it added.
The Waze team released an update in January of this year which prevents the app from broadcasting your location when running in the background to prevent abuse of the loophole discovered by Zhao's team. Waze described the update as an energy-saving feature.
Waze says it also released new 'cloaking features,' meant to display a user's location "from time to time within the Waze application," so that it "does not represent such user’s actual, real time location."
Zhao's team, however, proved they were able to track users in real-time despite the measures. The hack did not work on users who chose to "go invisible," disabling the app's social networking features.
Zhao says the breach represents a larger problem that would not be solved so simply.
"Not being able to separate a real device from a [hacking] program is a larger problem," said Zhao. "It’s not cheap and it’s not easy to solve."
A Waze spokesperson told Fusion that "the company is examining the new issue raised by the researchers and will continue to take the necessary steps to protect the privacy of our users."
Zhao's hack is not the first demonstration of Waze's vulnerabilities. In 2014, Israeli students Shir Yadid and Meital Ben-Sinai from the Technion, Israel’s Institute of Technology, were similarly able to hack into Waze servers and create fake traffic jams.
(Staff with agencies)