The trick that let hackers keep tracking Waze users after it was ‘fixed’

By Kashmir Hill | June 8, 2016 | 5:38pm

Latest

Earlier this year, Fusion reported that hackers had found a way to track the movements of people using Google’s navigation app Waze. Because of the social nature of the app, which shows you other Waze drivers on the road, a clever attacker can collect information about other drivers’ whereabouts. A team of grad students led by University of California-Santa Barbara professor Ben Zhao proved this was possible by stalking me (with my permission, of course).

After the story came out in April, Waze issued a defensive blog post that implied that the team had only been able to track me because I had given them my Waze username and the starting location of my trips. It also announced it had come up with a fix to prevent its users from being tracked.

Most Popular

So I went back to Zhao and his grad students to ask if the fix worked. It didn’t.

Zhao and the students were able to see what Waze had done. For older versions of the app, it had turned off social elements, so users could no longer see one another, making the spying impossible. For the newest version of the app, Waze had turned off the broadcasting of users’ nicknames to one another (unless they’re friends) and stopped collecting information about the very beginning of someone’s trip and the very end (so that you couldn’t put a tracker on someone’s house and see when they left). It has also obfuscated the communication between a user’s device and Waze’s back-end servers, so that an attacker wouldn’t be able to make their program talk to Waze’s servers. But all of this was for naught: grad student Bolun Wang was able to decode the obfuscated communication in just a day. (Waze should probably think about hiring him.)

Despite the Waze updates, the team was able to once again make their software talk to Waze’s back-end servers and fill the app with ghost cars that could track other users. They could still track me with disturbing accuracy, for example, during this trip in May:

The team also attempted to track two of my colleagues in Miami who use Waze. One was trackable and the other, who was using an older version of Waze, was not.

I reached out to Waze’s communications team last month to let them know that users could still be tracked. They were flummoxed and asked to be put in touch with the researchers. (Finally.)

At that point, Zhao began to communicate directly via email with a VP of Operations for Waze in Israel, where the company is based. Without nicknames and without being able to see exactly where a trip started, he was flabbergasted that the researchers were still able to track users.

“He was really paranoid and didn’t understand how we were still able to do this,” Zhao said.

“The thing is,” Zhao continued, “we always tracked users with the creation time of their accounts, never with the nicknames.”

Zhao and his team were still able to track me because of an aspect of Waze’s design that its creators had overlooked when coming up with a fix. A user’s nickname wasn’t the only thing that could identify them in the app: Waze was also broadcasting other features associated with their account, such as their driving speed and the exact time they created their account, down to the second.

“It was gratuitous and unnecessary, and acted as a unique identifier,” said Zhao.

After it realized what was happening, Zhao said, Waze replaced the creation time with a randomly repeating number.

So thanks to a lot of hard work from a group of computer science grad students and their professor, we can now all use the app with the assurance that our movements won’t be tracked by someone who might mean us harm. (Usually a company would pay a significant amount of money for this kind of penetration testing.)

“It’s rare we get to interface with a big company this way and force change,” said Zhao, who was pleased at the outcome. “I was expecting a cease-and-desist from a lawyer. So by comparison, this went really well.”

* Additional reporting by Rob Wile and Danny Rivero.