Waze comes up with a fix for hack that let researchers track users' movements

By Kashmir Hill  |  April 29, 2016 | 4:58pm
Latest

Earlier this week, I reported that a group of researchers at the University of California-Santa Barbara had discovered they could hack Waze by creating thousands of ghost drivers that could both spy on drivers and create fake traffic jams. The researchers proved it to me by tracking my own movements through the app for three days.

After the story came out, Google-owned Waze issued a response on its blog:

The reporter in the article gave her location and username to the research team which greatly simplified the process of deducing sections of her route after the fact by using a system of ghost riders.

That is true. But it was a surprise to me that knowing where I live or where I work would be sufficient information for a hacker to track my movements through Waze. That kind of information about someone isn’t all that hard to obtain.

We appreciate the researchers bringing this to our attention and have implemented safeguards in the past 24 hours to address the vulnerability and prevent ghost riders from affecting system behavior and performing similar tracking activities. None of these activities have occurred in real-time and in real-world environments, without knowing participants.

At least as far as Waze knows.

I checked in with Ben Zhao, the professor at UC-Santa Barbara who led the research team, to ask how these fixes affected his team’s ability to send commands to Waze’s servers.

“It’s cute,” said Zhao of their fix. In an older version of the app, Waze turned off the ability to see other users, said Zhao. In the newest version, Waze encoded the API communication.

“It’s not encrypted, just likely obfuscated,” said Zhao. “Emulators [which mimic phones] will still work fine, but our own scripts won’t.”

Zhao told me by email that it “makes it more difficult (but not impossible) for the common attacker.” He said his team could try to reverse engineer the API encoding, but said that, at this point, they are “fairly happy with the outcome and ready to move on.”

Their whole point in coming up with the attack was to make Waze safer for its users, and they feel that they’ve succeeded.

 
Join the discussion...