Hackers can potentially stalk Waze’s 50 million users, who turn on Google’s popular navigation app on a daily basis in order to find the fastest route to get from one location to another, according to a University of California-Santa Barbara study.
SEE ALSO: Waze Acquired By Google For Over $1B
If hackers can indeed track drivers, this security breach can be quite scary. “It’s such a massive privacy problem,” Prof. Ben Zhao, who led the research, told Fusion.
The UCSB research team discovered a Waze vulnerability that allowed them to create thousands of “ghost drivers” that can monitor the drivers around them. In a three-day experiment, these ghost drivers tracked the movement of a news reporter in real time.
According to Zhao’s study, “our work shows that today’s mapping services are highly vulnerable to software agents controlled by malicious users, and both the stability of these services and the privacy of millions of users are at stake.”
Creating fake traffic jams
The current attack on Waze – an Israeli startup bought by Google in 2013 – is somewhat similar to a 2014 hack conducted by students of the Technion-Israel Institute of Technology, which nearly caused mayhem on the roads of Israel. In that case, emulators sent traffic bots into Waze to create the appearance of a traffic jam.
Sign up for our free weekly newsletterSubscribe
But according to Waze – which claims the recent media reports contain “severe misconceptions” – hackers can’t really create fake traffic jams or follow drivers’ moves. “User accounts were not compromised, there was no server breach,” according to a statement released yesterday in response to reporters’ questions, including those presented by NoCamels.
As for the recent breach, “the reporter in the article gave her location and username to the research team, which greatly simplified the process of deducing sections of her route after the fact by using a system of ghost riders,” Waze says. “We appreciate the researchers bringing this to our attention and have implemented safeguards in the past 24 hours to address the vulnerability and prevent ghost riders from affecting system behavior and performing similar tracking activities. None of these activities have occurred in real-time and in real-world environments, without knowing participants.”
“Built upon trust”
The company, which was founded by Uri Levine, Ehud Shabtai and Amir Shinar in 2007 and acquired by Google for $1.3 billion three years ago, assures drivers that “it regularly examines the security of our system and we expect to test and implement further security measures as any company does.”
The company emphasizes that “the Waze ecosystem is built upon trust and deep respect for all of you – real-time traffic simply doesn’t work without the participation of our community – and we are constantly reviewing and adding safeguards to protect our users.”