You can’t use Waze, the crowdsourced real-time traffic app owned by Google, without having your mobile device’s geo-location setting turned on – giving your location to the app is precisely the point.
But that doesn’t mean you necessarily want other Waze users to know where you’re coming from, where you’re going, or your exact route from point A to point B.
A team of researchers from the University of California at Santa Barbara has published a paper claiming they can track a Waze driver’s exact route using thousands of simulated “ghost” vehicles in the app.
One of the researchers, doctoral student Gang Wang, said an attacker could create a “large army” of simulated (“Sybil”) devices to “overwhelm the inputs from real drivers” to stalk drivers or create fake traffic jams:
The basic idea is that attackers can create a large army of simulated devices to overwhelm the inputs from real users. This is done by reverse-engineering the communication protocols between the app and server. By mimicking API calls using simple scripts, attacker can create massive “virtual” devices to run practical attacks, ranging from creating fake events (e.g., traffic jam) to disrupt user routing, to virtually stalking a target user wherever she goes.
This week, an article in Fusion described an (unscientific) test of the researchers’ stalking attack, in which writer Kashmir Hill was tracked within the app on three trips.
According to Hill:
I told them I’d be in Las Vegas and San Francisco, and where I was staying – the kind of information a snoopy stalker might know about someone he or she wanted to track. Then, their ghost army tried to keep tabs on where I went.
Because Waze typically broadcasts your location to other nearby Waze drivers, along with your username and how fast you’re going, the simulated ghost vehicles in this attack can pinpoint a real user’s location along their route, according to Hill.
However, the tracking only works with the Waze app running in the foreground (with the app open), rather than in the background (you can also use “invisibility mode” to avoid sending your location to other Waze users).
Previously, the researchers found they could track drivers with the app closed and running in the background, but Waze stopped background geo-tracking when it issued a fix in January 2016, after the researchers told Waze about their findings.
Waze denied that the researchers’ attack could work with most users, saying in a statement on its website that Hill could only be tracked so accurately because she gave the researchers her location and username, which “greatly simplified the process of deducing sections of her route after the fact.”
Waze also reassured its 50 million users that it’s impossible for anyone to be tracked through searching for usernames of “Wazers,” or finding a user on the map and following them.
And Waze said it has implemented safeguards this week to fix the vulnerability and prevent ghost riders from tracking users.
No similar attacks have occurred in real-world environments without knowing participants, Waze said.
Even if the issue has been fixed in Waze, attackers could use similar bots in “a wide range of apps,” according to Wang:
This turns out to be a fundamental problem for a wide range of mobile apps that rely on massive user GPS as inputs, leading to practical security and privacy attacks. For example, in anonymous mobile communities (Whisper), such virtual devices can be used to perform massive location measurements to statistically recover user locations and endanger user anonymity.
What to do
Make sure to update your Waze app to get the latest privacy fix.
To prevent Waze from showing your location to other drivers, turn on invisibility mode:
1. Tap the Menu icon and tap your username to pull up My Waze
2. Toggle Go invisible to “on”
With invisibility mode, you’ll appear offline to your in-app contacts.
However, invisibility mode is automatically turned off anytime you re-launch the Waze app, so you’ll need to turn it on each time you open the app.
(Waze says this is because “the majority of Waze users have joined Waze for the value of the community.”)
If you don’t want to broadcast your whereabouts in general, consider turning off geolocation on your mobile devices when you’re not using location-based services.
For more tips and advice, check out our guide: Privacy and Security on Your Phone.
It covers privacy settings for iOS, Android and Windows Phone.
Alfredo Cole-Tuchler
Unless you do something about your choice of color combinations, your articles will remain unreadable. Thank you.
Laurence Marks
Absolutely right, Alfredo. The pale gray color used for quotations is very difficult to read on my laptop. I’ve mentioned it before to no avail.
Paul Ducklin
I’ve tried reading our pages on dozens of different devices and screens, old and new, and I haven’t had any problems with legibility. Indeed, when we switched to the new design, late last year, we received comments and emails from surprisingly many people who said that they loved it. We could change the layout again, but the vast majority of readers seem to like it how it is…
…so, considering that you seem to be one of a tiny minority with a screen that doesn’t render it well, that would merely risk annoying everyone else :-)
Could we ask you to try “Reader View” in whatever browser you are using? That’s specifically designed for people who prefer high-contrast, black-on-white content. It might be just the ticket for your laptop’s screen.
Anyway, I’ll pass on this pair of comments. I suppose we could darken the “blockquote” text a little, but the idea of making it noticeably lighter than the surrounding text was to set it off clearly without using any sort of reverse-out.
ejhonda
Waze is a pretty cool app when the info is accurate. Drivers really shouldn’t be interacting with it while driving as it can be real distracting if you attempt to report issues while driving. As a passenger, however, it can make a long trip much more interesting by the passenger monitoring the app and helping your driver be aware of upcoming hazards and making reports of hazards you spot via the app.
Laurence Marks
Yes, on long trips the GF drives and I’m the Waze operator.
Mike W.
You should note that in invisible mode you cannot provide road reports.
Jake Fantom
Frankly, this really deal with the more worrisome aspect of the hack — ghost drivers creating fake traffic jams, which renders this app absolutely useless. They claim to have fixed the problem, but I think the fake reports are an ongoing nuisance as I have experienced them with increasing frequency. Even worse, old reliable Maps now incorporates bogus information from Waze.