If you are using Waze to navigate roads you’ve never taken before – thanks to its real-time navigation feature – chances are hackers might be tracking you down.
Security researchers from the University of California-Santa Barbara have discovered a vulnerability in the Israeli-built app that would let cyber criminals monitor your location, the places you visit and even your home address.
The Google-owned navigation app tells its users where the fastest route is from one location to another, avoiding traffic and road jams as much as possible. But the newly found vulnerability in the app leads to the formation of ghost drivers intended to trace the route of real drivers in real time.
The researchers found that the encrypted communication between Waze’s servers and mobile devices can be intercepted using a computer that will then act as go-between. The connection uses the SSL protocol to make certain that only Waze’s computers communicate with the Waze app installed in a mobile phone.
With the researcher’s findings, it is now possible to make the mobile devices accept a third-party computer in between the connection and reverse-engineer the protocol implemented by Waze for secure communications. The researchers were also able to identify how the Waze servers communicate with the Waze app, including the language used so that the researchers successfully developed a program.
The researchers then used the resulting program to send commands to the Waze servers in order to manipulate the system and create a horde of ghost drivers that will feign a traffic jam and monitor the human drivers, which is made possible by the social nature of the app. As a sort of social app, Waze allows drivers to broadcast their location, though that is optional.
University of California-Santa Barbara researchers were only able to track a user while the app runs in the foreground of the smartphone, meaning the exploit does not work while the app runs in the background.
How to stay safe from hackers
Waze users are advised to download the latest updates to the app in order to prevent the tool from broadcasting your location while it is running in the background. You can also make use of a new cloaking system deployed by Waze to help protect users from potential threats. The system works to hide your actual location.
However, some users complained that the safeguard feature did not block real-time monitoring of their location, as demonstrated in the test conducted by the University of California-Santa Barbara.