Update, April 28: Waze has responded to the UCSB report and related news coverage in a blog post. The company does not deny the existence of a vulnerability in its navigation app, but claims the issue is overblown and that the vulnerability is hard to exploit in the wild, without knowing the target user’s username and location. The post goes on to address certain “severe misconceptions” that have been making the rounds in media and clarifies that the car icons visible on the Waze maps do not represent actual users.
Original post, April 27: The Waze community is a very handy way to keep ahead of the traffic, but the app just became a little less friendly, as researchers have found a way to track the location of thousands of users. A team from the University of California Santa Barbara discovered an exploit after reverse engineering Waze’s server code. This took a considderable amount of effort, but eventually allowed the group to issue commands directly to the app’s servers.
The bug allowed the researchers to intercept driver locations and to monitor other drivers around them. To do this, the team was able to create thousands of “ghost drivers” that could monitor all of the drivers around them. The exploit can even be used to create fake traffic jams and feed false traffic information into the system, which would obviously be very frustrating and disruptive to users. It’s worth noting that this type of mass bot exploit isn’t limited to Waze either.
Fortunatley, there’s plenty than can be done to avoid the bug from affecting you. Using the built in invisibility mode breaks the exploit, and it also only works when the app is running in foreground mode, as Waze disabled background location sharing back in January. Users can also put a limit on data requests so that one computer can’t create multiple ghost instances to try to track down your location.
The researchers have been in contact with Waze about the issue for a while now and the company has implmented some features to help prevent location tracking. There’s already a “cloaking” system designed to hide your location and Waze says that it is working to fix up the remaining flaws in the system.
There’s no evidence to suggest that this exploit is being actively used for malicious purposes yet, but if it can be done once it can be done again. Fortunatley the risks of being tracked are pretty low, although it might be best to use those privacy settings where possible.