Slashdot Mirror
Millions Of Waze Users Can Have Their Movements Tracked By Hackers (fusion.net)
An anonymous reader quotes a report from Fusion: Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of "ghost drivers" that can monitor the drivers around them -- an exploit that could be used to track Waze users in real-time. Here's how the exploit works. Waze's servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze's computers are really talking to a Waze app on someone's smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze's back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of "ghost cars" -- cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them. You can read the full paper detailing the researchers' findings here. Is there a solution to not being tracked? Yes. If you're a Waze user, you can set the app to invisible mode. However, Waze turns off invisible mode every time you restart the app so beware.
"You can switch to invisible mode at any time, which means for that specific drive: (1) you will appear as offline to your friends; (2) your Waze icon will show on the map; (3) you will not be able to send reports, add/edit places, or send messages to friends and other Wazers." #2 doesn't make any sense to me. Do I need Ron Weasley to snag me the invisibility cloak?
This wouldn't be a problem if the app wasn't designed to track your whereabouts and broadcast them. I'm not sure I have much sympathy for anyone using the app who is surprised by this, since tracking you and sending your info to others is the app's stated purpose.
Okay, someone at their IRB failed to run this by their legal department.
Because you really should not be committing a felony during your research. https://www.law.cornell.edu/uscode/text/18/1030
You're only supposed to blow the bloody doors off!
There are lots of stories about how the government is supposedly taking away our freedoms and a police state is coming. That police state hasn't happened.
Last year in America, the police stole^Wconfiscated more money and belongings from citizens through civil forfeiture than burglars stole. America has secret courts issuing secret warrants and serving secret orders that no one is allowed to talk about. Police are driving around using secret equipment to intercept cellphone calls and text messages, demonstrably without warrants. Cops in Chicago arrest and "disappear" citizens into a black hole of a dungeon facility called Homan Square, without even their lawyers being told where they are.
If you don't see the police state, you simply aren't fucking looking.
They run lots of stories about how Microsoft is tracking people and doing bad things with data collected through telemetry. That hasn't happened.
How do you know? None of us have any idea what Microsoft is doing with that data.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
Easy answer: use an offline satnav app.
How hard can it be? Everybody and their dogs know Waze is a user profiler / tracker disguised as a useful app - like all Google products.
In fact. If you're worried about being tracked, don't use Google products. People should be more worried about what Google learns about them through Waze than what any potential hackers of that system could.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Millions of Waze users can have their movements tracked by other Waze users #noissuethere
(The protocol reverse engineer and the ability to spoof extra cars are news worthy, I'd guess - but the headline is completely pointless)
-><- no
Nothing really new here. Many things are possible if you can insert yourself in the data stream. But without breaking into data centers how are you going to do this?
The CFAA limits itself to protected computers, which largely applies to government, but does have a section for "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access".
There was no intent to defraud here.
Alternatively, there is another section,
"knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss."
There was no damage to the computer here, nor loss.
"knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information "
There was no trafficing in access codes.
"with intent to extort from any person any money or other thing of value"
There was no intent to extort.
Hackers usually get caught for fraud or extortion. Sometimes, they get "without authorization", but that applies mainly to government computers, bank computers, or things deemed important to national security. Damage works too, but that's more rare.
As an example, the guy who hacked AT&T picked a lot of the wrong data to grab.
According to authorities, they obtained the ICC-ID and e-mail address for about 120,000 iPad users, including dozens of elite iPad early adopters such as New York Mayor Michael Bloomberg, then-White House Chief of Staff Rahm Emanuel, anchorwoman Diane Sawyer of ABC News, New York Times CEO Janet Robinson and Col. William Eldredge, commander of the 28th Operations Group at Ellsworth Air Force Base in South Dakota, as well as dozens of people at NASA, the Justice Department, the Defense Department, the Department of Homeland Security and other government offices.
He also bragged about dropping AT&T's stock price, and using it to pump his security company's brand. He was convicted of fraud, and had previously been quoted as saying "I hack, I ruin, I make piles of money. I make people afraid for their lives.". He was in New Jersey, and exceeded access in furtherance of a tortious act. He was found guilty of conspiracy, the objects of which were "to cause monetary and reputational damage to AT&T and to create monetary and reputuational benefits for themselves".
These guys, as researchers, are not in the same league at all.
Millions Of Waze Users Can Haz Their Movements Tracked By Hackers
systemd is Roko's Basilisk.
Oh no...someone could track WazeUser83840 using an application that is meant to track their location. I found another hack: you can use Find my iPhone to find someones iPhone. The horror!
These are all things the service can and do monetize.
I'm also sure that's just one avenue of monetization. Local government would probably pay money for that data in some processed form to work out where people speed the most, or where delays occur at times of the day and so on. And it probably feeds into Google's self-driving vehicle projects and other mapping related functionality. And simply by people using Waze they're denying the information to a competitors and thus increasing its value.
So yes it's commercial in nature. Waze users get a free satnav app but its one that monitors and monetizes them.
Spoiler: I go to work. Later, I go home.
Lose lips sink ships. Hacking boast, dollars lost.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I thought the whole point of Waze was that you could see where other drivers (including perhaps certain people you want to track) are. It puts an icon representing you on the road (with your choice of avatar) for others to see. It doesn't exactly take mad haxxor skillz to track someone with Waze, it just takes an account.
If you only want a single big company to track you, that's what Google Maps is for.
That police state hasn't happened.
Aside from Waze streaming all of its users' position updates to the NSA via its Israel office, right?
Nobody reads the Terms of Service anymore.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
It can do voice commands, which requires the microphone. You can post pictures of accidents, traffic, etc which requires the camera. You can send notifications about arrival times and traffic jams to contacts via SMS and various social media platforms, and it can use those platforms to link up friends as well as post the arrival check-ins that people find popular. One of the issues of Android permissions is it's tricky to know exactly what they plan on doing with the access once they get it. An app may want access to Facebook solely to pull a friends list and bounce it off their userlist and friend up matches (a feature lots of people like), or it may spam up your feed with junk from itself.
You can argue the motivations and necessity of those, but there are legitimate features linked to the permissions. Up to you to decide whether or not you want to give up that info.
So, Waze need to have the app properly implement SSL Certificate Pinning (in order to prevent a MITM SSL proxy that works via an additional Certificate Authority). Of course then it's likely still vulnerable to some reverse engineering of the app to get around that.
Err. Waze is non commercial in nature. It is a navigation app, not a commercial app selling or buying stuff
Uhnm... ads? Locations on the map, plus pop-ups at traffic stops.