Slashdot Mirror


Millions Of Waze Users Can Have Their Movements Tracked By Hackers (fusion.net)

An anonymous reader quotes a report from Fusion: Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of "ghost drivers" that can monitor the drivers around them -- an exploit that could be used to track Waze users in real-time. Here's how the exploit works. Waze's servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze's computers are really talking to a Waze app on someone's smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze's back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of "ghost cars" -- cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them. You can read the full paper detailing the researchers' findings here. Is there a solution to not being tracked? Yes. If you're a Waze user, you can set the app to invisible mode. However, Waze turns off invisible mode every time you restart the app so beware.

55 comments

  1. From the Waze help page on invisible mode. by techvet · · Score: 2

    "You can switch to invisible mode at any time, which means for that specific drive: (1) you will appear as offline to your friends; (2) your Waze icon will show on the map; (3) you will not be able to send reports, add/edit places, or send messages to friends and other Wazers." #2 doesn't make any sense to me. Do I need Ron Weasley to snag me the invisibility cloak?

  2. Broken by design by Anonymous Coward · · Score: 3, Insightful

    This wouldn't be a problem if the app wasn't designed to track your whereabouts and broadcast them. I'm not sure I have much sympathy for anyone using the app who is surprised by this, since tracking you and sending your info to others is the app's stated purpose.

    1. Re: Broken by design by Anonymous Coward · · Score: 4, Insightful

      And that's a price I'm willing to pay if it means I can use the absolute best car navigation tool on the planet. It has saved me dozens of hours of time in traffic. I use it even when I know exactly where I am going because in Houston, you never know where the horrendous car accident which shuts down 3 lanes for an hour is going to be.

    2. Re: Broken by design by Anonymous Coward · · Score: 0

      Waze isn't much help with accidents on account of the way they average traffic speeds over a 30-minute period. That means for the first 15 minutes after a major accident Waze will happily route you right into the backup, using you as a Guinea pig to get travel times for other Waze users. It's also pretty useless for long commutes in areas with heavy rush hour traffic because it estimates ETA and calculates routes at the beginning of your drive and doesn't account for traffic building up near the destination while you are making your way there. It does not take into account historical traffic patterns for time of day and day of the week. By the time you get to the end of your commute traffic conditions will likely be much worse than Waze had estimated, and Waze will have sent you on a route that is far from optimal. When I let Waze choose my route the ETA is consistently about 15-25% longer than Waze estimates. Worse still are all the undocumented tweaks behind the scenes that Waze applies to discourage using side streets, etc.

      The bottom line is that if you think Waze is a route-agnostic algorithm that just gives you the raw, shortest route, you are incorrect. Waze is great for traveling in a new area where you may not be familiar with the traffic patterns, but an experienced driver can beat Waze any day.

    3. Re: Broken by design by Anonymous Coward · · Score: 1

      It is of little to no help in Austin, especially when compared to a local traffic service that watches roads and can show bottlenecks on a webpage.

      The app demands to know where you are 24/7, even when not using the app, and it wants you to identify yourself. Why should I allow an unknown third party to have knowledge of where I am at all times, with permission (as per the EULA) where that info can be handed/sold to anyone that Waze so pleases? I'm gaining little to no benefit for this.

      There are too many intrusive companies. One has to see if it is worth it or not and if being spied on 24/7 is not worth it, you have to have the intelligence to kick the crap to the curb.

  3. What? by Anonymous Coward · · Score: 1

    Okay, someone at their IRB failed to run this by their legal department.

    Because you really should not be committing a felony during your research. https://www.law.cornell.edu/uscode/text/18/1030

    1. Re:What? by AK+Marc · · Score: 1

      What's the issue? They reverse engineered a protocol, then emulated thousands of users. I saw nothing in the law that prevents emulating a user. They essentially accessed Waze using an API. It's just that the publicly accessible API wasn't expected to be used. And like most data, 1000x innocent data becomes something creepy. Like walking on the sidewalk isn't creepy, but walking past the same house 1000 times is.

  4. The Italian job, anyone? by spongman · · Score: 1

    You're only supposed to blow the bloody doors off!

  5. Federal Law by Anonymous Coward · · Score: 0

    What's the issue? They reverse engineered a protocol, then emulated thousands of users. I saw nothing in the law that prevents emulating a user. They essentially accessed Waze using an API. It's just that the publicly accessible API wasn't expected to be used. And like most data, 1000x innocent data becomes something creepy. Like walking on the sidewalk isn't creepy, but walking past the same house 1000 times is.

    Exceeding authorized access to a machine used in interstate commerce.

    1. Re: Federal Law by Anonymous Coward · · Score: 0

      Err. Waze is non-commercial in nature. It is a navigation app, not a commercial app selling or buying stuff.

    2. Re:Federal Law by AK+Marc · · Score: 0

      There is no authorization, so unauthorized access is everyone, including regular users of the app.

    3. Re:Federal Law by karmatic · · Score: 1

      The CFAA limits itself to protected computers, which largely applies to government, but does have a section for "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access".

      There was no intent to defraud here.

      Alternatively, there is another section,

      "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
      (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
      (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss."

      There was no damage to the computer here, nor loss.

      "knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information "

      There was no trafficking in access codes.

      "with intent to extort from any person any money or other thing of value"

      There was no intent to extort.

      Hackers usually get caught for fraud or extortion. Sometimes, they get "without authorization", but that applies mainly to government computers, bank computers, or things deemed important to national security. Damage works too, but that's more rare.

      As an example, the guy who hacked AT&T picked a lot of the wrong data to grab.

      According to authorities, they obtained the ICC-ID and e-mail address for about 120,000 iPad users, including dozens of elite iPad early adopters such as New York Mayor Michael Bloomberg, then-White House Chief of Staff Rahm Emanuel, anchorwoman Diane Sawyer of ABC News, New York Times CEO Janet Robinson and Col. William Eldredge, commander of the 28th Operations Group at Ellsworth Air Force Base in South Dakota, as well as dozens of people at NASA, the Justice Department, the Defense Department, the Department of Homeland Security and other government offices.

      He also bragged about dropping AT&T's stock price, and using it to pump his security company's brand. He was convicted of fraud, and had previously been quoted as saying "I hack, I ruin, I make piles of money. I make people afraid for their lives." He was in New Jersey, and exceeded access in furtherance of a tortious act. He was found guilty of conspiracy, the objects of which were "to cause monetary and reputational damage to AT&T and to create monetary and reputational benefits for themselves".

      These guys, as researchers, are not in the same league at all.

    4. Re: Federal Law by DrXym · · Score: 1

      Waze is absolutely commercial in nature. Users might get to use it for free but they are giving up valuable information in return - where they drive, where they live, where they work, what hours of the day they drive, what hotels, stores and supermarkets they visit or pass by, where they fill up, traffic conditions and more besides. Waze could even make strong inferences about a person's lifestyle, job and character by how they drive, places they've visited and their susceptibility to change routes if the app tells them to.

      These are all things the service can and do monetize.

      I'm also sure that's just one avenue of monetization. Local government would probably pay money for that data in some processed form to work out where people speed the most, or where delays occur at times of the day and so on. And it probably feeds into Google's self-driving vehicle projects and other mapping related functionality. And simply by people using Waze they're denying the information to competitors and thus increasing its value.

      So yes it's commercial in nature. Waze users get a free satnav app but it's one that monitors and monetizes them.

    5. Re: Federal Law by jafiwam · · Score: 1

      Err. Waze is non-commercial in nature. It is a navigation app, not a commercial app selling or buying stuff.

      Uhnm... ads? Locations on the map, plus pop-ups at traffic stops.

  6. Re:Slashdot is alarmist by Motherfucking+Shit · · Score: 5, Informative

    There are lots of stories about how the government is supposedly taking away our freedoms and a police state is coming. That police state hasn't happened.

    Last year in America, the police stole^Wconfiscated more money and belongings from citizens through civil forfeiture than burglars stole. America has secret courts issuing secret warrants and serving secret orders that no one is allowed to talk about. Police are driving around using secret equipment to intercept cellphone calls and text messages, demonstrably without warrants. Cops in Chicago arrest and "disappear" citizens into a black hole of a dungeon facility called Homan Square, without even their lawyers being told where they are.

    If you don't see the police state, you simply aren't fucking looking.

    They run lots of stories about how Microsoft is tracking people and doing bad things with data collected through telemetry. That hasn't happened.

    How do you know? None of us have any idea what Microsoft is doing with that data.

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.

  7. Tell me.. by Anonymous Coward · · Score: 0

    Why don't apps encrypt communications before sending?

  8. Solution to not being tracked? by Rosco+P.+Coltrane · · Score: 1

    Easy answer: use an offline satnav app.

    How hard can it be? Everybody and their dogs know Waze is a user profiler / tracker disguised as a useful app - like all Google products.

    In fact. If you're worried about being tracked, don't use Google products. People should be more worried about what Google learns about them through Waze than what any potential hackers of that system could.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash

    1. Re:Solution to not being tracked? by 110010001000 · · Score: 4, Informative

      Really? The point of Waze is not navigation. It is real time alerts on the presence of police, traffic, disabled vehicles, etc.

    2. Re:Solution to not being tracked? by jratcliffe · · Score: 5, Insightful

      I would argue that the point of Waze IS navigation, optimized for real-time conditions.

  9. Meanwhile, in other news... by Pope+Raymond+Lama · · Score: 2

    Millions of Waze users can have their movements tracked by other Waze users #noissuethere

    (The protocol reverse engineer and the ability to spoof extra cars are newsworthy, I'd guess - but the headline is completely pointless)

    --
    -><- no .sig is good sig.

    1. Re: Meanwhile, in other news... by Anonymous Coward · · Score: 0

      Isn't it more important that we can create fake traffic jams on the route we want to drive?

  10. Re:Slashdot is alarmist by Anonymous Coward · · Score: 0

    The police state doesn't need this exploit.

    They just have to go to Google with the appropriate paperwork/goons and say, here are a few portable drives, give us all you have on people on this list from this date to this date.

    When the sheep stay well within their holding areas (Taylor Swift, Kardashians, Conspiracy Nut Job sites, Facebook) and don't make a big fuss about the few that do disappear, there's really no need for the wolves to do anything.

  11. Man in the middle by pcjunky · · Score: 1

    Nothing really new here. Many things are possible if you can insert yourself in the data stream. But without breaking into data centers how are you going to do this?

    1. Re:Man in the middle by Anonymous Coward · · Score: 0

      Nothing really new here. Many things are possible if you can insert yourself in the data stream. But without breaking into data centers how are you going to do this?

      You do it the way they did it, what's your point?

    2. Re:Man in the middle by Macdude · · Score: 1

      Exactly, the real story here:

      Google too stupid to prevent man-in-the-middle attack on Waze.

      --
      "Grab them by the pussy" -- President of the United States of America

  12. Re:Slashdot is alarmist by Anonymous Coward · · Score: 0

    nice try government shill

    captcha: parasite

  13. Basically an alternative client by Anonymous Coward · · Score: 0

    Client app should sign messages with private key. But then the app should be securely stored on the phone, which is not the case with Android. So it is like an alternative YouTube client, the only way to stop it, is to change the protocol from time to time.

    1. Re: Basically an alternative client by Anonymous Coward · · Score: 0

      If you stop it then why keep changing the protocol?
      Oh, because you can't stop it.

  14. Headline correction by wonkey_monkey · · Score: 1

    Millions Of Waze Users Can Haz Their Movements Tracked By Hackers

    --
    systemd is Roko's Basilisk.

  15. Wrong by Anonymous Coward · · Score: 0

    You're citing (a)(3). Look at (a)(2)(C), which does not require intent to defraud. Protected computers include computers used in or affecting interstate commerce, which means basically any computer.

    1. Re: Wrong by Anonymous Coward · · Score: 0

      Basically any computer. Except Waze's, because they do no and affect no interstate commerce.

    2. Re: Wrong by Anonymous Coward · · Score: 0

      I would suggest that you review Wickard v. Filburn, then come back and apologize for your ignorance.

  16. Oh no by 110010001000 · · Score: 2

    Oh no...someone could track WazeUser83840 using an application that is meant to track their location. I found another hack: you can use Find my iPhone to find someone's iPhone. The horror!

    1. Re: Oh no by Anonymous Coward · · Score: 0

      It's only a few more steps to do worse things. Like all those ghost cars could say they are in a traffic jam where there isn't one and now nobody is getting on the road you want clear when you rob a bank or some shit.
      Or where there is a traffic jam you could get the fake cars to just go through it like normal and everyone is directed into the jam.

  17. Same millennials who don't support capitalism by Anonymous Coward · · Score: 0

    Are the ones using this app, and not caring that they're tracked by Waze or by the bad guys.

    At least I'll be dead in 40 years, the rest of you and your kids can all suck it.

  18. Read the user agreement by Anonymous Coward · · Score: 0

    I wanted to download and use Waze just because the police were complaining about it. Then I started reading the user agreement and decided not to. Waze demands access to basically everything on your phone. OK, I see that it needs location data, but why the hell does it demand access to the microphone, camera, text messages, contact list and other stored data? Why does it need to link to your social network accounts and collect data that you share through FB?

    If you grant an app, or worse, numerous apps, permission to access anything and everything on your phone, you're just asking to be hacked.

    Would you grant every random piece of 3rd party software on your computer access to all of your data and devices? Hell no.

    1. Re:Read the user agreement by Scoth · · Score: 1

      It can do voice commands, which requires the microphone. You can post pictures of accidents, traffic, etc which requires the camera. You can send notifications about arrival times and traffic jams to contacts via SMS and various social media platforms, and it can use those platforms to link up friends as well as post the arrival check-ins that people find popular. One of the issues of Android permissions is it's tricky to know exactly what they plan on doing with the access once they get it. An app may want access to Facebook solely to pull a friends list and bounce it off their userlist and friend up matches (a feature lots of people like), or it may spam up your feed with junk from itself.

      You can argue the motivations and necessity of those, but there are legitimate features linked to the permissions. Up to you to decide whether or not you want to give up that info.

    2. Re:Read the user agreement by Anonymous Coward · · Score: 0

      Not saying I agree with it demanding all these permissions, and I've since gone back and revoked/disabled everything I could:

      Microphone - hands-free submission of reports (police, traffic, etc). Can't have people touching their phones while driving.
      Camera - Take a picture of your destination, since it's a social media app
      text messages - Ok, you got me here.
      contact list - Find other people in your address book that use Waze. For friends all going to the same destination from different starting points, it's kind of nice to see everyone's progress.
      social network accounts - find other people in your address book that use Waze

    3. Re: Read the user agreement by Anonymous Coward · · Score: 0

      Sounds like a worm to me.

  19. Spoiler Alert by mschoolbus · · Score: 1

    Spoiler: I go to work. Later, I go home.

  20. Idiotic myopic researchers. by 140Mandak262Jamuna · · Score: 1

    They found a way to populate the Waze with hundreds of fake cars and create a ghost traffic jam. They could easily use this method to clear a path in any city anytime. They could create a derivative app that will let the users clear a way and sell it at a much higher price. Instead, they went ahead and babbled all over the world. Now a good opportunity to earn some serious money is lost forever for everyone.

    Loose lips sink ships. Hacking boast, dollars lost.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

  21. But that's the POINT of Waze by T.E.D. · · Score: 1

    I thought the whole point of Waze was that you could see where other drivers (including perhaps certain people you want to track) are. It puts an icon representing you on the road (with your choice of avatar) for others to see. It doesn't exactly take mad haxxor skillz to track someone with Waze, it just takes an account.

    If you only want a single big company to track you, that's what Google Maps is for.

    1. Re:But that's the POINT of Waze by Webs+101 · · Score: 1

      The positions of the Waze icons aren't live. They are delayed a few minutes for a bit of privacy from other users.

      --

      "Even for Slashdot, that was a very obscure reference!" - Anonymous Coward

    2. Re:But that's the POINT of Waze by RayHs · · Score: 1

      Um, isn't Waze owned by Google?

  22. Re:Slashdot is alarmist by bill_mcgonigle · · Score: 1

    That police state hasn't happened.

    Aside from Waze streaming all of its users' position updates to the NSA via its Israel office, right?

    Nobody reads the Terms of Service anymore.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  23. SSL Certificate Pinning by Athanasius · · Score: 1

    So, Waze need to have the app properly implement SSL Certificate Pinning (in order to prevent a MITM SSL proxy that works via an additional Certificate Authority). Of course then it's likely still vulnerable to some reverse engineering of the app to get around that.

    1. Re:SSL Certificate Pinning by Anonymous Coward · · Score: 0

      I do not think that means what you think it means.
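
The certificate pinning check proposed in comment 23, sketched as an added example that is not part of the original thread and is not Waze's code: the client still validates the chain against the device trust store, then additionally requires the server's leaf certificate to match a fingerprint shipped with the app, so a chain issued by a CA added to the trust store is rejected. All names here (`PINNED`, `accept_server`, `open_pinned`) are hypothetical, and the certificate bytes are constructed stand-ins rather than real certificates.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SAMPLE_SERVER_CERT = b"constructed DER bytes: app server leaf certificate"
SAMPLE_BACKUP_CERT = b"constructed DER bytes: backup leaf certificate"
SAMPLE_PROXY_CERT = b"constructed DER bytes: leaf minted by an intercepting proxy"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# Pin set compiled into the client: the current certificate plus a backup, so
# the server certificate can be rotated without locking out installed clients.
PINNED = frozenset({fingerprint(SAMPLE_SERVER_CERT),
                    fingerprint(SAMPLE_BACKUP_CERT)})


class PinMismatch(Exception):
    """The chain validated, but the server certificate is not a pinned one."""


def pin_matches(der_cert: bytes, pins=PINNED) -> bool:
    return fingerprint(der_cert) in pins


def accept_server(chain_trusted: bool, der_cert: bytes, pins=PINNED) -> bool:
    """Post-handshake decision: trust-store validation AND the pin must pass.

    chain_trusted is True whenever the device trust store accepts the chain,
    which includes chains issued by a CA the user added to that store.
    """
    return chain_trusted and pin_matches(der_cert, pins)


def open_pinned(host: str, port: int = 443, pins=PINNED, timeout: float = 10.0):
    """Open a TLS connection and refuse it unless the leaf certificate is pinned."""
    ctx = ssl.create_default_context()   # CA and hostname checks stay enabled
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise PinMismatch(f"certificate presented by {host} is not pinned")
    return tls
```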

  24. Waze users are not live by Anonymous Coward · · Score: 0

    Waze does not place user icons on the map as live updates. They are time delayed so that WazeUser1 cannot pinpoint the location of WazeUser2 at any given moment.

    The hack may be able to see through that obfuscation, but the unadulterated Waze does implement that delay to ensure some degree of privacy.

  25. Re:Slashdot is alarmist by Anonymous Coward · · Score: 0

    If you don't see the police state, you simply aren't fucking paranoid enough.

  26. Hack away by Anonymous Coward · · Score: 0

    I'll save them the trouble.. Monday through Friday I drive to work in the morning then back home in the evening and on Saturday and/or Sunday I go to the grocery store with an occasional stop at a hardware store. BFD.

  27. Re:Remember, only apps can app apps! by Anonymous Coward · · Score: 0

    In China only luddites use apps.