A security vulnerability with Waze allows anyone to monitor a user’s travels, according to newly revealed research by University of California, Santa Barbara researchers. Using this vulnerability, researchers were able to create so-called “ghost drivers” and monitor real drivers using them — a big invasion of privacy, and one that could potentially be used by law enforcement, hackers, and anyone else snooping where they’re not welcome.
The researchers were led by UCSB computer science professor Ben Zhao, who called the vulnerability “a massive privacy problem.” He and his team were able to create a middle-man system in which communication between Waze and a user’s smartphone passed through their own computer in the middle. Using that, the team figured out the Waze protocol and, eventually, created their own program that would send commands to Waze’s servers.
As those who use Waze know, a big part of the system is its social features — you can see other Waze users around you as little cartoon symbols on the map, for example. That feature also means Zhao and the other researchers could monitor users’ locations and travels using “ghost” cars: fake cars they created and planted by the thousands, scattering them around real drivers.
Those fake cars can also be used to wreak havoc with the system, making it appear as if there is gridlock or other traffic issues using cars that aren’t real. According to the researchers, they could create thousands of cars if they wanted to, piling them all into a region that would then enable them to monitor the travels of all the Waze users around them. The vulnerability opens the doors to mass traffic surveillance; drivers wouldn’t know they were being tracked. Google’s security team was notified about the vulnerability.