Two Israeli university students launched a successful cyberattack on the popular navigation application Waze, causing it to report a nonexistent traffic jam.

Shir Yadid and Meital Ben-Sinai, both fourth-year software engineering students at the Technion – Israel Institute of Technology, carried out the attack as part of a school project.

A software program the two wrote created a fake traffic jam that lasted for hours, causing many fake drivers to take detours. To avoid causing real traffic jams and affecting real drivers, the two manufactured a backup on the quiet main road through the Technion campus in Haifa. But according to their faculty advisor, Prof. Eran Yahav, the program could just as easily have created a fake traffic jam on any other road in Israel and thereby caused Waze to report erroneous information to its customers.

After the program had been tested successfully, Yahav and the students’ other faculty advisor contacted Waze to tell the company how the cyberattack had been executed.

“We sent them the academic paper behind the software,” Yahav said. “They thanked us and said they would read the paper carefully.”

The idea for the project came from doctoral student Nimrod Partush, who conceived it after being stuck in a real traffic jam together with Yahav, who is his advisor as well.

“It was last summer,” Partush recalled. “I told Eran that had we made Waze inform drivers about a traffic jam on the Coastal Highway before we set out, the application would have diverted drivers to Route 4, and we could have driven to Tel Aviv along the Coastal Highway with no traffic jams.”

Yahav suggested Partush share the idea of fooling Waze with Yadid and Ben-Sinai and let them tackle the challenge for their school project.

Yadid and Ben-Sinai said they had no idea what they were getting into. Initially, they did not think Partush’s proposal sounded particularly innovative. But executing it turned out to be very complicated, requiring a great deal of time and effort.

First, they wrote a program that automatically created fake Waze users and took them through the process of registering for the app. Faking the registration process required their program to mimic a smartphone. They needed at least several dozen fake users to carry out the attack, and ended up creating thousands.

The actual attack required building an application that mimicked a GPS, to make Waze think the “user” was actually at the spot where he was reporting the fake traffic jam. They said they were surprised that Waze actually believed their fake app.

Finally, they had to program the “users” to “drive” down the road in a way that would look to Waze as if they were really stuck in a traffic jam. That, the students said, was the hardest part of the project, because they had to “get inside Waze’s head.”