Millions of drivers use Waze, a Google-owned navigation app, to find the best, fastest route from point A to point B. And according to a new study, all of those people run the risk of having their movements tracked by hackers.
Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of "ghost drivers" that can monitor the drivers around them—an exploit that could be used to track Waze users in real-time. They proved it to me by tracking my own movements around San Francisco and Las Vegas over a three-day period.
"It's such a massive privacy problem," said Ben Zhao, professor of computer science at UC-Santa Barbara, who led the research team.
Here's how the exploit works. Waze's servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze's computers are really talking to a Waze app on someone's smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze's back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of "ghost cars"—cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them.
The attack is similar to one conducted by Israeli university students two years ago, who used emulators to send traffic bots into Waze and create the appearance of a traffic jam. But an emulator, which pretends to be a phone, can only create the appearance of a few vehicles in the Waze system. The UC-Santa Barbara team, on the other hand, could run scripts on a laptop that created thousands of virtual vehicles in the Waze system that can be sent into multiple grids on a map for complete surveillance of a given area.
In a test of the discovery, Zhao and his graduate students tried the hack on a member of their team (with his permission).
"He drove 20 to 30 miles and we were able to track his location almost the whole time," Zhao told me. "He stopped at gas stations and a hotel."
Last week, I tested the Waze vulnerability myself, to see how successfully the UC-Santa Barbara team could track me over a three-day period. I told them I'd be in Las Vegas and San Francisco, and where I was staying—the kind of information a snoopy stalker might know about someone he or she wanted to track. Then, their ghost army tried to keep tabs on where I went.
The researchers caught my movements on three occasions, including when I took a taxi to downtown Las Vegas for dinner:
And they caught me commuting to work on the bus in San Francisco. (Though they lost me when I went underground to take the subway.)
The security researchers were only able to track me while I was in a vehicle with Waze running in the foreground of my smartphone. Previously, they could track someone even if Waze was just running in the background of the phone. Waze, an Israeli start-up, was purchased by Google in 2013 for $1.1 billion. Zhao informed the security team at Google about the problem and made a version of the paper about their findings public last year. An update to the app in January of this year prevents it from broadcasting your location when the app is running in the background, an update that Waze described as an energy-saving feature. (So update your Waze app if you haven't done so recently!)
“Waze constantly improves its mechanisms and tools to prevent abuse and misuse. To that end, Waze is regularly in contact with the security and privacy research community—we appreciate their help protecting our users," said a Waze spokesperson in an emailed statement. "This group of researchers connected with us in 2014, and we have already addressed some of their claims, implementing safeguards in our system to protect the privacy of our users."
The spokesperson said that "the concept of Waze is that we all work together to share information and impact the world around us" and that "users expect to offer certain information about their route in exchange for unparalleled navigation assistance." Among the safeguards deployed by Waze is a "system of cloaking" so that a user's location as displayed "from time to time within the Waze application does not represent such user’s actual, real time location."
But those safeguards did not prevent real-time tracking in my case. The researchers sent me their tracking minutes after my trips, with accurate time stamps for each of my locations, meaning this cloaking system doesn't seem to work very well.
"Anyone could be doing this [tracking of Waze users] right now," said Zhao. "It's really hard to detect."
Part of what allowed the researchers to track me so closely is the social nature of Waze and the fact that the app is designed to share users' geolocation information with each other. The app shows you other Waze drivers on the road around you, along with their usernames and how fast they're going. (Users can opt of this by going invisible.) When I was in Vegas, the researchers simply populated ghost cars around the hotel I was staying at that were programmed to follow me once I was spotted.
"You could scale up to real-time tracking of millions of users with just a handful of servers," Zhao told me. "If I wanted to, I could easily crawl all of the U.S. in real time. I have 50-100 servers, and could get more from [Amazon Web Services] and then I could track all of the drivers."
Theoretically, a hacker could use this technique to go into the Waze system and download the activity of all the drivers using it. If they made the data public like the Ashley Madison hackers did, the public would suddenly have the opportunity to follow the movements of the over 50 million people who use Waze. If you know where someone lives, you would have a good idea of where to start tracking them.
Like the Israeli researchers, Zhao's team was also able to easily create fake traffic jams. They were wary of interfering with real Waze users so they ran their experiments from 2 a.m. to 5 a.m. every night for two weeks, creating the appearance of heavy traffic and an accident on a remote road outside of Baird, Texas.
"No real humans were harmed or even interacted with," said Zhao. They aborted the experiment twice after spotting real world drivers within 10 miles of their ghost traffic jam.
While Zhao defended the team's decision to run the experiment live on Waze's system, he admitted they were "very nervous" about initially making their paper about their findings public. They had approval from their IRB, a university ethics board; took precautions not to interfere with any real users; and notified Google's security team about their findings They are presenting their paper at a conference called MobiSys, which focuses on mobile systems, at the end of June in Singapore.
"We needed to get this information out there," said Zhao. "Sitting around and not telling the public and the users isn't an option. They could be tracked right now and never know it."
"This is bigger than Waze," continued Zhao. The attack could work against any app, said Zhao, turning their servers into an open system that an attacker can mine and manipulate. With Waze, it's a particularly sensitive attack because users' location information is being broadcast and can be downloaded, but the attack on another app would allow hackers to download any information that users broadcast to other users or allow them to flood the app with fake traffic.
"With a [dating app], you could flood an area with your own profile or robot profiles and basically ruin it for your area," said Zhao. "We looked at a bunch of different apps and nearly all of them had this near-catastrophic vulnerability."
The scary part, said Zhao, is that "we don't know how to stop this." He said that servers that interact with apps in general are not as robust against attack as those that are web-facing.
"Not being able to separate a real device from a program is a larger problem," said Zhao. "It's not cheap and it's not easy to solve. Even if Google wanted to do something, it's not trivial for them to solve. But I want them to get this on the radar screen and help try to solve the problem. If they lead and they help, this collective problem will be solved much faster than if they don't."
"Waze is building their platform to be social so that you can track people around you. By definition this is going to be possible," said Jonathan Zdziarski, a smartphone forensic scientist, who reviewed the paper at my request. "The crowd sourced tools that are being used in these types of services definitely have these types of data vulnerabilities."
Zdziarski said there are ways to prevent this kind of abuse, by for example, rate-limiting data requests. Zhao told me his team has been running its experiments since the spring of 2014, and Waze hasn't blocked them, even though they have created the appearance of thousands of Waze users in a short period of time coming from just a few IP addresses.
Waze's spokesperson said the company is "examining the new issue raised by the researchers and will continue to take the necessary steps to protect the privacy of our users.”
In the meantime, if you need to use Waze to get around but are wary of being tracked, you do have one option: set your app to invisible mode. But beware, Waze turns off invisible mode every time you restart the app.
Full paper here.