Google addressed some of the issues, but not all

Apr 27, 2016 13:00 GMT

Six researchers from the University of California, Santa Barbara, and Tsinghua University in Beijing, China, have discovered that they could insert fake traffic into the Waze crowdsourced driving app to create nonexistent traffic jams, and also track the movements of Waze drivers.

The Waze app works by sending the user's geographical coordinates and other details to Google's servers. This information is then aggregated and presented to all nearby users as traffic status reports, allowing users to choose the shortest route to a destination, or have the app calculate it by automatically avoiding congested areas.

Researchers used an HTTPS proxy to reverse engineer the Waze protocol

The researchers said that while the Waze app talked with Google's API servers via HTTPS connections, they found a method of inserting an HTTPS proxy between the app and the main Google servers.

They achieved this by setting up an HTTPS proxy server and adding its root certificate to their phone, so that the proxy could claim to be the Google server and the Waze app would be fooled into believing it.

Once they achieved this, they were able to capture traffic sent by the Waze app, decrypt it, read the content, encrypt it again, and relay it to the actual Google server.
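Public-key pinning is the client-side check that makes a user-installed root certificate insufficient for this kind of interception. The model below is an added example, not code from the researchers or from Waze; the certificate class, host name and key bytes are constructed, and signature verification is left out so that the trust decision itself stays visible.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Simplified certificate: only the fields the trust decision needs."""
    subject: str
    issuer: str
    spki: bytes  # stands in for the DER-encoded SubjectPublicKeyInfo


def spki_pin(cert):
    """Pin in the common 'sha256/<base64>' form: SHA-256 over the SPKI bytes."""
    digest = hashlib.sha256(cert.spki).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def chain_trusted(chain, trust_store):
    """Trust-store-only check: each cert names the next as issuer, root is in the store."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1] in trust_store


def connection_allowed(host, chain, trust_store, pins=None):
    """Accept when the chain validates for host and, if pins are set, a chain key is pinned."""
    if not chain or chain[0].subject != host:
        return False
    if not chain_trusted(chain, trust_store):
        return False
    if pins is None:  # no pinning: any root in the device store is enough
        return True
    return any(spki_pin(cert) in pins for cert in chain)


# Constructed sample data (hypothetical names and key bytes).
API_HOST = "api.example.test"
SYSTEM_ROOT = Cert("Public Root CA", "Public Root CA", b"constructed-public-root-key")
PROXY_ROOT = Cert("Lab Proxy CA", "Lab Proxy CA", b"constructed-proxy-root-key")
REAL_CHAIN = [Cert(API_HOST, "Public Root CA", b"constructed-server-key"), SYSTEM_ROOT]
PROXY_CHAIN = [Cert(API_HOST, "Lab Proxy CA", b"constructed-proxy-leaf-key"), PROXY_ROOT]

DEVICE_STORE = {SYSTEM_ROOT, PROXY_ROOT}  # the proxy root was added by the user
APP_PINS = {spki_pin(REAL_CHAIN[0]), spki_pin(SYSTEM_ROOT)}  # leaf pin plus backup pin
```

Without pins, the proxy's chain is accepted because its root sits in the device store; with pins, it is rejected while the genuine chain still passes.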

HTTPS proxy attack model

This trick allowed the researchers to reverse engineer the Waze communications protocol and then create automatic scripts that could talk to the Google servers, posing as other Waze users.

Waze network susceptible to Sybil attacks that insert ghost drivers

The researchers used these scripts to launch so-called Sybil attacks, during which they inserted hundreds and thousands of malicious users inside the Waze network so they could manipulate its behavior.

Sybil attacks are well known in the Tor network, which sees many nefarious groups trying to insert fake Tor nodes in its worldwide network with the hope that they could control and then spy on as much of the network as possible.

While Tor has managed to fend off these types of attacks, Waze has not, and the researchers said they were able to create fake traffic jams on a remote road near Baird, Texas.

These tests were carried out between 2 AM and 5 AM so that they would not affect actual traffic, but they were all successful and went undetected by Waze's staff.

Inserting a fake traffic jam (red, right) inside the Waze app

The researchers didn't stop their prodding there. They also said that by leveraging the insight provided by the Waze protocol and the presence of their "ghost riders," they were able to track the movements of any Waze user if they wanted to.

With the right number of ghost drivers, attackers can track anyone

The tracking worked even in real time, and researchers got very accurate routes for any user's movements, complete with GPS coordinates and timestamps.

The secret behind this attack is the number of ghost drivers. The researchers explain that an attacker with enough ghost drivers inserted in the network could track all Waze drivers inside a country or continent.

The researchers informed Google of their findings, and the company pushed an update to Waze last year that prevents the app from broadcasting data when running in the background. This update blocks attackers from keeping track of users who are not actively using the app.

Researchers also mentioned that when a user runs the app in Invisible mode, an attacker would not be able to track that user's movements. Nevertheless, Google hasn't addressed all the issues, and the attack is still possible if the user is actively using the app in the phone's foreground.

The researchers will also be presenting their findings at the MobiSys conference in Singapore at the end of June, but you can read their research right now if you wish to.
