Chances are that if you are a user of the Google-owned driving navigation app, Waze, then hackers are probably tracking each and every one of your movements.
A research conducted by researchers at the University of California Santa Barbara discovered a Waze flaw that allowed to create many ghost drivers which could monitor the activity of those around them. The exploit can be used to track users in real time. A professor at the University, Ben Zhao, said the issue was a massive privacy problem.
The attack is similar in character with one that was conducted by Israeli university students, who sent traffic bots using emulators and thereby creating an appearance of a traffic jam. Emulators, however can only create the appearance of a few cars on the Waze system. The new research by the California team can actually create new virtual cars, thousands of them, which can be sent to an area to spy on it.
The group, (Zhao and his team) tried to hack into one of their members’ system with his permission. Zhao explained that the team member drove 20 to 30 miles from where they were and they managed to track his location the whole time he was on the move.
The security researchers are only able to track someone when the app is running in the foreground of the smartphone. Previously they could do it without Waze having to run on the phone, as long as it was in the background.
Waze is a startup from Israel that was bought by Google back in 2013 for a massive $1.1 billion. Zhao and his team notified the Google team about the vulnerability. Google provided an update which makes the app not run in the background, making it less simple for hackers to track your movements. The update also saves battery life, according to Waze, since the app won’t be running in the background.
A Waze spokesman said, “Waze constantly improves its mechanisms and tools to prevent abuse and misuse. To that end, Waze is regularly in contact with the security and privacy research community—we appreciate their help protecting our users. This group of researchers connected with us in 2014, and we have already addressed some of their claims, implementing safeguards in our system to protect the privacy of our users.”
Zhao also pointed out a worrying point that anyone could be doing what they did in the experiment because the surveillance is undetectable.
The Waze app is designed to showcase your geolocation, therefore, it makes tracking easy. Once you spot someone on the map you can then send ghost cars which can track and follow the person to wherever they are going. Zhao explained that equipped with a countable number of servers he could certainly track everyone in the US.
Zhao’s team also made some traffic jams appear on the Waze app, and they say there was no inconvenience caused as when they saw cars approaching the virtual traffic jam, they immediately removed them.