Slashdot Mirror


Millions Of Waze Users Can Have Their Movements Tracked By Hackers (fusion.net)

An anonymous reader quotes a report from Fusion: Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of "ghost drivers" that can monitor the drivers around them -- an exploit that could be used to track Waze users in real-time. Here's how the exploit works. Waze's servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze's computers are really talking to a Waze app on someone's smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze's back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of "ghost cars" -- cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them. You can read the full paper detailing the researchers' findings here. Is there a solution to not being tracked? Yes. If you're a Waze user, you can set the app to invisible mode. However, Waze turns off invisible mode every time you restart the app so beware.


  1. From the Waze help page on invisible mode. by techvet · · Score: 2

    "You can switch to invisible mode at any time, which means for that specific drive: (1) you will appear as offline to your friends; (2) your Waze icon will show on the map; (3) you will not be able to send reports, add/edit places, or send messages to friends and other Wazers." #2 doesn't make any sense to me. Do I need Ron Weasley to snag me the invisibility cloak?

  2. Broken by design by Anonymous Coward · · Score: 3, Insightful

    This wouldn't be a problem if the app wasn't designed to track your whereabouts and broadcast them. I'm not sure I have much sympathy for anyone using the app who is surprised by this, since tracking you and sending your info to others is the app's stated purpose.

    1. Re: Broken by design by Anonymous Coward · · Score: 4, Insightful

      And that's a price I'm willing to pay if it means I can use the absolute best car navigation tool on the planet. It has saved me dozens of hours of time in traffic. I use it even when I know exactly where I am going because in Houston, you never know where the horrendous car accident which shuts down 3 lanes for an hour is going to be.

  3. Re:Slashdot is alarmist by Motherfucking+Shit · · Score: 5, Informative

    There are lots of stories about how the government is supposedly taking away our freedoms and a police state is coming. That police state hasn't happened.

    Last year in America, the police stole^Wconfiscated more money and belongings from citizens through civil forfeiture than burglars stole. America has secret courts issuing secret warrants and serving secret orders that no one is allowed to talk about. Police are driving around using secret equipment to intercept cellphone calls and text messages, demonstrably without warrants. Cops in Chicago arrest and "disappear" citizens into a black hole of a dungeon facility called Homan Square, without even their lawyers being told where they are.

    If you don't see the police state, you simply aren't fucking looking.

    They run lots of stories about how Microsoft is tracking people and doing bad things with data collected through telemetry. That hasn't happened.

    How do you know? None of us have any idea what Microsoft is doing with that data.

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  4. Meanwhile, in other news... by Pope+Raymond+Lama · · Score: 2

    Millions of Waze users can have their movements tracked by other Waze users #noissuethere

    (The protocol reverse engineering and the ability to spoof extra cars are newsworthy, I'd guess - but the headline is completely pointless)

    --
    -><- no .sig is good sig.
  5. Oh no by 110010001000 · · Score: 2

    Oh no...someone could track WazeUser83840 using an application that is meant to track their location. I found another hack: you can use Find my iPhone to find someone's iPhone. The horror!

  6. Re:Solution to not being tracked? by 110010001000 · · Score: 4, Informative

    Really? The point of Waze is not navigation. It is real time alerts on the presence of police, traffic, disabled vehicles, etc.

  7. Re:Solution to not being tracked? by jratcliffe · · Score: 5, Insightful

    I would argue that the point of Waze IS navigation, optimized for real-time conditions.