A team of researchers at the University of California-Santa Barbara has revealed that hackers can use a vulnerability found in the Waze app to create an infinite number of "ghost drivers" for the purpose of monitoring the drivers around an area.
The exploit allows hackers to track a driver in real time, even when the driver has not shared trip details while driving. By reverse-engineering the Waze server code, an attacker can create thousands of ghost drivers to monitor the drivers around them.
"Anyone could be doing this [tracking of Waze users] right now," says Ben Zhao, head of the research team and professor of computer science at UC-Santa Barbara. "It's really hard to detect."
The exploit, as explained by the researchers, works by intercepting the communication between Waze's servers and phones, eventually allowing a hacker's own computer to act as a go-between in the connection.
It should be noted that Waze's servers communicate with devices through an SSL-encrypted connection. This system is designed as a security precaution to ensure that Waze's computers are indeed communicating with a Waze app on a user's handset.
After successfully becoming a go-between, hackers can easily reverse-engineer the Waze protocol. At this point, several opportunities open up. These include learning the language used by the Waze app when talking to its back-end app servers, writing a program that issues commands directly to the app's servers, and finally populating the Waze system with a number of "ghost cars."
These ghost cars can then be used to create a fake traffic jam or as a means to monitor the drivers around the area.
Waze was established in Israel in 2008 and was sold to Google in 2013 for $1.1 billion. The Waze app is popular among drivers because of its unique capability to provide navigation information such as traffic conditions and road hazards. The app is estimated to have 50 million users across the globe.
Theoretically, the exploit could also allow a hacker to enter the Waze system and download a user's driving history in order to reveal the details publicly, something akin to what the Ashley Madison hacker threatened in the past.
In light of this vulnerability, a Waze spokesperson confirmed that the matter is now being examined and that the company is taking steps to ensure that the privacy of its users remains protected.