Waze vulnerability could let a stalker know exactly where you are

• Quentyn Kennemer
• 8 years ago

The greatness of Waze as a navigation tool comes from its usage of crowd-sourced information to enhance your driving experience, but it’s that same strategy that opens up some serious privacy issues. While Waze has worked to improve the privacy and security of their app, one dangerous flaw was recently uncovered.

Researchers at the University of California Santa Barbara reverse-engineered Waze’s code to see if they could find any holes. What they found was more like a crater. The researchers were able to create thousands of “ghost cars” to monitor other cars around them.

In Waze, users can choose to broadcast their information around them so other drivers can have more details about who’s on the road, including information about how fast they’re going and their usernames. What the researchers did was create virtual vehicles and sent instructions to Waze’s servers (by intercepting a “secure” connection between the user’s device and Waze’s servers) in order to deploy them.

Once deployed, the virtual vehicles would gather information about the Waze users around them, which effectively gives you a GPS tail on anyone you’d want. The method would require you to know the general location of the person you want to follow, though a stalker being able to find that information isn’t outside the realm of possibility. The person you want to follow also has to be inside a vehicle, something that’s likely determined by how fast they’re moving.

Know the person personally and know where they work? Set the ghost cars up at their place of employment and wait for them to move. What’s more is that you can even create a fake traffic jam. Put one in an unsuspecting user’s route and Waze will reroute them to steer clear of it. Little do they know that there’s no such jam up ahead. Potentially influencing a route is about as dangerous as knowing the route itself, as someone could be steering the driver into sudden danger.

To test the theory, the researchers reached out to Fusion writer Kashmir Hill. All she told them about her weekend was that she would be going to Las Vegas and San Francisco, and she also told them where she would be staying. Knowing that information, the researchers were able to monitor her movement pretty much anywhere she went. The only time the tail was lost was when she entered a subway tunnel where GPS and data are limited.

The researchers suggest that wide-scale monitoring is possible with very little overhead, too. Having anywhere from 50 to 100 servers of moderate size would give you enough capacity to monitor the entirety of Waze drivers in the US at the same time, for example.

You can read more about the situation in-depth right here, but if you’re feeling a bit unsettled about this then there are a couple of things you can do to ensure you aren’t being monitored:

• Enable Invisible Mode. This essentially hides your presence on Waze to other drivers in the vicinity. Unfortunately, invisible mode only applies for the drive you’re currently on, so you’d have to go invisible each and every time you want to use the app.
• Don’t use the app. It sucks that this is the only other option, but it’s the only way to know you’re 100% shielded from the grid.

Thankfully the researchers have reached out to Waze and Google to show their findings, and it’s something we expect to be on the top of the developers’ priority list. A research paper on the vulnerability will be presented at the end of June, likely to give Google and Waze enough time to address the issue before knowledge about the vulnerability falls into the wrong hands.