This article is more than 4 years old

A vulnerability could allow attackers to track in real-time the movements of all 50 million Waze users.

Waze is a “community-based traffic and navigation app” available for Android, iPhone, and Windows Phone. It enables drivers to share traffic and road information with one another, including alerts on police stops, accidents, constructions, hazards, and traffic jams.

Waze then analyzes that data for local users and plots out an optimal path for their daily commutes that will consume the least amount of time and gas.

Sounds nifty, right? It is… but only to an extent.

Researchers at the University of California-Santa Barbara have discovered a vulnerability that would effectively allow a hacker to track the movements of any of Waze’s 50 million users.

Specifically, they found they could set up an HTTPS proxy man-in-the-middle (MitM) to intercept all communication between a user’s phone and Waze’s servers, which talk with each Waze client via SSL.

With that setup in place, the researchers found they could reverse engineer the app’s communication protocols and use that knowledge to issue commands directly to Waze’s servers.

Here’s where it gets interesting.

The team discovered a way to populate the system with thousands of “ghost cars” – which are not the same as Uber’s “phantom riders” – to create fake traffic jams that would reroute users unnecessarily or to monitor their every move.

“It’s such a massive privacy problem,” Ben Zhao, professor of computer science at UC-Santa Barbara and leader of the research team, told Fusion.

To test their discovery, which is explained at length in a technical paper, Zhao and his graduate students tried to track a member of their team and Fusion journalist Kashmir Hill.

Both tests proved successful. The team tracked their consenting researcher guinea pig for 20-30 miles, and they knew when he stopped at gas stations and a hotel. As for Hill, they were able to track her movements when she took a taxi to downtown Las Vegas and when she was commuting on a bus in San Francisco.

It’s important to note the hack does have its limitations. The researchers could track Hill only while she was in a vehicle, for example, and they lost sight of her when she entered the subway. Additionally, for the hack to work, Waze must be actively running on a target’s phone and cannot just be running in the background.

Even so, Zhao still feels the hack poses a significant danger to users – not only of Waze but other apps, as well:

“This is bigger than Waze. With a [dating app], you could flood an area with your own profile or robot profiles and basically ruin it for your area. We looked at a bunch of different apps and nearly all of them had this near-catastrophic vulnerability.”

Waze is currently investigating the issue. In the meantime, all users of Waze might want to consider setting their app to invisible mode so that they don’t broadcast their information. They will need to set Waze to this setting every time they turn on their phone.

It remains to be seen whether this attack definitely threatens other apps. As a general rule of thumb, however, it’s a good idea to disable location-sharing on all mobile devices.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.