Waze Users Have Reason to Be Wary

Security Flaws in Google Maps Alternative Let Hackers Track Users

Privacy in the digital age is becoming harder and harder to come by. An alarming new report about Waze, a popular navigation app for smartphones, makes this even clearer.

According to researchers at UCSB, hackers have the potential not only to push fake data to the app itself, showing phony car accidents and traffic jams, but also to track users’ whereabouts in real time. The report highlights the dangers of “crowd-sourced” projects such as Waze, which relies on user-supplied information.

Gang Wang — a computer science PhD candidate at UCSB — worked on the report. In a phone interview with The Santa Barbara Independent, Wang said it hasn’t stopped him from using the app. But after using it for a while, he “realized this kind of social feature…can reveal a lot of private information.”

In theory, users who drive by an accident can alert other Waze users of the threat. With only a moderate level of computer knowledge, hackers can exploit this flaw by sending thousands of fake accidents or threats to the servers at once. “I think a computer science student could do it,” said Wang.

With the right tweaking, hackers are able to track the GPS location of users all across the county. The report calls this fake data “ghost riders,” which allow someone to “track individual Waze users throughout their day, precisely mapping out their movement to work, stores, hotels, gas station, and home.”

Waze responded with a statement posted to its website this week: “A stranger cannot search for/find your Wazer on the map and follow you.” Tracking through the app is done through something called a Sybil attack, carried out by a software program designed specifically to exploit crowdsourcing apps. By creating multiple fake identities and setting itself up between the user and Waze’s servers, the program steals user data and sends it directly to the hacker.

Originally an Israeli company, Waze was purchased by Google for just over $1 billion in 2013. Google tested the exploit over a few weeks in remote locations in the early morning hours to avoid conflicts with regular users. The testing started locally, but this process can be expanded to just about anywhere in the country. “Sitting in your bathroom, you can track someone in Las Vegas,” said Wang.

An update may help with some of the security issues, so users should check that their app is up-to-date.

Due to the nature of the business, Wang said Waze couldn’t publicize what it is doing to fix the problem for fear of giving hackers the upper hand. Company officials more or less confirmed that in their statement, posting to their website, “Public discussion of the details of these safeguards is intentionally limited.”

