Over 50 million people count on the Google-owned Waze app to direct them to their destination. If you’re one of them, you should know a recent report claims that hackers can also trace your tracks and see exactly where drivers are in real time.
A report from Fusion highlighted a vulnerability found by researchers at the University of California-Santa Barbara that allowed hackers to monitor nearby drivers. The exploit allowed a third party to sit between the Waze servers and the mobile device they are communicating with and intercept the information being transferred.
Through this method, the researchers found they were able to send commands to the Waze servers that would either create an artificial traffic jam by populating the map with non-existent cars or monitor the location of specific drivers.
The revelation is of particular concern for drivers counting on Waze, the Google-owned crowdsourced map service, to get them from point A to point B. It puts users at risk of falling victim to invasive outsiders who can watch their every move without ever being detected.
At one point, the exploit was considerably worse; it enabled hackers to track any Waze user who had the app running in the background on their phone. Since an update in January, which Waze users should be sure to download, the vulnerability has been reduced so that it works only when the app is in the foreground, but for many that means they can be tracked any time they are on the move.
Aside from ensuring their app is up-to-date—the best and most effective way to avoid exploits that have been stomped out—users have little in terms of permanent reprieve from the problem at the moment.
The only option to avoid the exploit is to activate invisible mode while using the app. Doing so hides the user from friends and disables sending reports, adding or editing places, and sending messages to friends and other Waze users, but it also prevents hackers from tracking activity and movement.
To go invisible on Waze, go to the app menu and tap your name for My Waze. A “Go Invisible” option should appear in the menu, which you can toggle on. Note that this only works for a single session at a time; you’ll have to reset invisibility every time that you restart the app.
Google did not respond to a request for comment on the exploit or potential safety precautions for users.
In response to the recent privacy concerns, Waze Spokesperson Julie Mossler provided the Daily Dot with the following statement:
The Waze ecosystem is built upon trust and deep respect for our users. Real-time traffic simply doesn’t work without the participation of our community, and we are constantly reviewing and adding safeguards to protect them. It’s imperative to note that our system has been, and continues to be, safe for everyday users; neither the reporter nor other users’ accounts were compromised and it is not possible for a stranger to search for, find or track your Wazer on the map in real time. With the consent of the reporter to use her Waze username and location details, the researchers were able to deduce sections of her route, after the fact. None of these activities have occurred in real-time and in real-world environments, without knowing participants.
Within the last 24 hours new security implementations have been added in several areas, including preventing the hypothetical threat of ghost riders from affecting system behavior and performing similar tracking. We thank the researchers for their findings.
H/T Fusion