You can’t use Waze, the crowdsourced real-time traffic app owned by Google, without having your mobile device’s geo-location setting turned on – giving your location to the app is precisely the point.
But that doesn’t mean you necessarily want other Waze users to know where you’re coming from, where you’re going, or your exact route from point A to point B.
A team of researchers from the University of California at Santa Barbara has published a paper claiming they can track a Waze driver’s exact route using thousands of simulated “ghost” vehicles in the app.
One of the researchers, doctorate student Gang Wang, said an attacker could create a “large army” of simulated (“Sybil”) devices to “overwhelm the inputs from real drivers” to stalk drivers or create fake traffic jams:
The basic idea is that attackers can create a large army of simulated devices to overwhelm the inputs from real users. This is done by reverse-engineering the communication protocols between the app and server. By mimicking API calls using simple scripts, attackers can create massive “virtual” devices to run practical attacks, ranging from creating fake events (e.g., traffic jam) to disrupt user routing, to virtually stalking a target user wherever she goes.
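The researchers’ point is that a server which trusts every location report it receives has no way to tell a scripted “virtual” device from a real phone. The following is an added example, not code from Waze or from the UCSB researchers, showing two server-side plausibility checks a crowdsourced-location service can run on incoming reports: rejecting a report that implies physically impossible travel since the device’s previous report, and flagging a client source that suddenly presents an implausible number of distinct devices. The `Report` class, thresholds, device IDs and IP addresses are all assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for this example, not values from the article.
EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_MPS = 70.0          # ~250 km/h; faster than any road vehicle
MAX_DEVICES_PER_SOURCE = 25   # more distinct devices than this behind one source is suspicious


@dataclass(frozen=True)
class Report:
    """One location report as a hypothetical traffic-app server would receive it."""
    device_id: str
    source_ip: str
    ts: float   # seconds since epoch
    lat: float
    lon: float


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class ReportFilter:
    """Stateful filter: remembers each device's last accepted report and which
    devices each client source has presented."""

    def __init__(self, max_speed=MAX_SPEED_MPS, max_devices=MAX_DEVICES_PER_SOURCE):
        self.max_speed = max_speed
        self.max_devices = max_devices
        self.last_seen = {}                      # device_id -> last accepted Report
        self.devices_by_source = defaultdict(set)  # source_ip -> {device_id, ...}

    def check(self, r: Report) -> str:
        """Return 'accept' or a rejection reason string."""
        self.devices_by_source[r.source_ip].add(r.device_id)
        if len(self.devices_by_source[r.source_ip]) > self.max_devices:
            return "reject:sybil_cluster"     # one source claiming to be a fleet
        prev = self.last_seen.get(r.device_id)
        if prev is not None:
            dt = r.ts - prev.ts
            if dt <= 0:
                return "reject:out_of_order"
            dist = haversine_m(prev.lat, prev.lon, r.lat, r.lon)
            if dist / dt > self.max_speed:
                return "reject:impossible_travel"   # device "teleported"
        self.last_seen[r.device_id] = r
        return "accept"


def run_demo():
    """Feed constructed sample reports through the filter and tally outcomes."""
    f = ReportFilter()
    reports = [
        # A real driver: ~570 m in 60 s, an ordinary city speed.
        Report("car-1", "192.0.2.10", 0, 36.1699, -115.1398),
        Report("car-1", "192.0.2.10", 60, 36.1750, -115.1398),
        # A scripted device that jumps ~3.3 km in 10 s (~333 m/s).
        Report("ghost-1", "203.0.113.5", 0, 36.1700, -115.1400),
        Report("ghost-1", "203.0.113.5", 10, 36.2000, -115.1400),
    ]
    # Thirty more "devices" all arriving from the same source address.
    reports += [
        Report(f"ghost-{i}", "203.0.113.5", 20, 36.1700 + i * 1e-4, -115.1400)
        for i in range(2, 32)
    ]
    return Counter(f.check(r) for r in reports)


if __name__ == "__main__":
    for verdict, n in sorted(run_demo().items()):
        print(f"{verdict:28s} {n}")
```

Neither check is a complete defence: an attacker who reverse-engineers the protocol can also spread simulated devices across many source addresses and script plausible speeds, which is why such checks are usually combined with per-account rate limits and some form of device attestation. They do raise the cost of the “simple scripts” the researchers describe, and they generate a log signal (a burst of `sybil_cluster` or `impossible_travel` rejections) that an operator can alert on.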
This week, an article in Fusion described an (unscientific) test of the researchers’ stalking attack, in which writer Kashmir Hill was tracked within the app on three trips.
According to Hill:
I told them I’d be in Las Vegas and San Francisco, and where I was staying – the kind of information a snoopy stalker might know about someone he or she wanted to track. Then, their ghost army tried to keep tabs on where I went.
Because Waze typically broadcasts your location to other nearby Waze drivers, along with your username and how fast you’re going, the simulated ghost vehicles in this attack can pinpoint a real user’s location along their route, according to Hill.
However, the tracking only works with the Waze app running in the foreground (with the app open), rather than in the background (you can also use “invisibility mode” to avoid sending your location to other Waze users).
Previously, the researchers found they could track drivers even when the app was not open on screen but still running in the background, but Waze stopped background geo-tracking when it issued a fix in January 2016, after the researchers told Waze about their findings.
Waze denied that the researchers’ attack could work against most users, saying in a statement on its website that Hill could only be tracked so accurately because she gave the researchers her location and username, “which greatly simplified the process of deducing sections of her route after the fact.”
Waze also reassured its 50 million users that it’s impossible for anyone to be tracked through searching for usernames of “Wazers,” or finding a user on the map and following them.
And Waze said it has implemented safeguards this week to fix the vulnerability and prevent ghost riders from tracking users.
Waze said no similar attacks have occurred in real-world environments with participants who were not aware of the test.
Even if the issue has been fixed in Waze, attackers could use similar bots in “a wide range of apps,” according to Wang:
This turns out to be a fundamental problem for a wide range of mobile apps that rely on massive user GPS as inputs, leading to practical security and privacy attacks. For example, in anonymous mobile communities (Whisper), such virtual devices can be used to perform massive location measurements to statistically recover user locations and endanger user anonymity.
What to do
Make sure to update your Waze app to get the latest privacy fix.
To prevent Waze from showing your location to other drivers, turn on invisibility mode:
1. Tap the Menu icon and tap your username to pull up My Waze
2. Toggle Go invisible to “on”
With invisibility mode, you’ll appear offline to your in-app contacts.
However, invisibility mode is automatically turned off anytime you re-launch the Waze app, so you’ll need to turn it on each time you open the app.
(Waze says this is because “the majority of Waze users have joined Waze for the value of the community.”)
If you don’t want to broadcast your whereabouts in general, consider turning off geolocation on your mobile devices when you’re not using location-based services.
For more tips and advice, check out our guide: Privacy and Security on Your Phone.
It covers privacy settings for iOS, Android and Windows Phone.
And read the following articles for more mobile security and privacy tips:
- Get 10 tips for securing your smartphone
- Check out our advice to keep crooks out of your mobile device
- Learn about the history of mobile malware
- Find out how to clean up and remove bad Android apps using Safe Mode.
- Install a mobile security product (Sophos has a free security product for Android).