By intercepting the popular traffic app’s communications, hackers could produce fake accounts to track real users
Researchers at UCSB have discovered a way to hack the Waze application to create thousands of “ghost drivers” that have the ability to closely monitor the locations of users.
Waze is a traffic and navigation app that allows users to update maps with information about traffic collisions and slow traffic. When opened on a smart phone, the app shows the location of anonymous users nearby.
Researchers from the computer science department at UCSB found that they could intercept the communication between Waze’s servers and individual smartphones. Using that access, hackers could write a script that tracks thousands of Waze users at once across multiple grid regions of the map.
“We can follow people in the whole city, or even people in the whole U.S. country,” said Gang Wang, computer science graduate student and one of the study’s main authors.
Users generally appear anonymously on the app as icons and avatars. Wang said it would be possible for users today to physically follow an individual icon by car, but such a task would prove difficult.
With this new interception technique, however, Wang said hackers could also write code to follow individual users from a laptop or desktop.
Ben Zhao, the computer science professor who led the study, said the hacking method that he and his team discovered could be used to closely monitor the locations of users on a national scale.
Zhao said any “three-letter agency from the government” could buy a massive amount of equipment and scale up the script to track the location of any app user across the United States. There were nearly 50 million Waze users as of June 2013, according to the Associated Press.
“You could probably track a significant portion of the population in all the cities that you really care about if you really wanted to,” Zhao said.
The applications for this method, Zhao said, could go far beyond Waze. According to Zhao, hackers could hack systems for apps like Yik Yak, Whisper, Foursquare, Yelp and Uber using this method.
Yik Yak is a social app for users to make anonymous posts — also known as “yaks” — for other users to either “up-vote” or “down-vote.” The app deletes every yak that receives five or more down-votes.
Zhao said hackers could intercept the app’s interaction with individual users similarly to the method used with Waze. He said it would be possible to simulate thousands of virtual users on the Yik Yak app that could up-vote or down-vote whatever yaks the hacker so chooses.
“Potentially what I could do is I could have my little army of users, and they all down-vote whatever message I don’t like,” Zhao said. “I control the majority and then I control what content goes or doesn’t go on the network.”
The study’s findings shed light on the vulnerability of crowdsourcing apps like Yik Yak and Waze; they imply that users must be “careful,” Zhao said.
“You have to be very careful about what it is that you’re reporting from your phone,” Zhao said. “Once you send the information off the phone, it’s nearly public knowledge.”
A version of this story appeared on p. 4 of the Thursday, April 28, 2016 print edition of the Daily Nexus.