Copyright – The Telegraph – April 27 2016 – By Cara McGoogan
A vulnerability in Google’s navigation app Waze could let hackers follow your every move. Millions of drivers that use the app to monitor traffic jams in real time and find the best route to their destination are at risk of being tracked if Google doesn’t fix the hole.
To demonstrate the flaw, researchers at the University of California, Santa Barbara tracked an American reporter across two states for three full days.
The vulnerability was discovered last summer, but remains open to exploitation after the Fusion reporter asked them to try and track her through Waze this week.
How it works
The vulnerability in the Waze app allowed researchers to populate the map with “ghost cars”.
These fake user profiles could be used to create a fake traffic jam or, because the Waze map shows the location of all users with their usernames, monitor all the drivers in the area.
The latest method can only track a user when they are in a car running Waze in the foreground.
Waze has proven itself to be unreliable in the past. In a tragic incident last year, a woman was shot dead in Rio de Janeiro after Waze wrongly directed her and her husband through a dangerous favela.
Back in 2014 two Israeli students successfully hacked the app, flooding it with fake cars so that it reported non-existent traffic jams. The hack would have let a malicious actor track someone even if Waze was only running in the background.
“Waze constantly improves its mechanisms and tools to prevent abuse and misuse,” said a spokesman for Waze, according to Fusion. “This group of researchers connected with us in 2014, and we have already addressed some of their claims, implementing safeguards in our system to protect the privacy of our users.”
Waze described one of the safeguards as a “system of cloaking” that means users’ locations aren’t displayed on the app in real time or consistently.
The hack could work on any app, according to the researchers. “With a [dating app] you could flood an area with your own profile or robot profiles and basically ruin it for your area,” one of the researchers Ben Zhao told Fusion. “We looked at a bunch of different apps and nearly all of them had this near-catastrophic vulnerability.”
How to protect yourself
You can prevent other Waze users from being able to track your location by switching to “invisible mode“. This lets you use the app but appear offline to your friends.
It means that you can’t send reports, add and edit your locations, or send messages. But it could stop you from being followed.
To turn invisible mode on tap the menu icon and then enter “My Waze” by tapping your name. In there you will be able to turn invisible “On”.
The mode deactivates whenever to quit the app so you will need to remember to switch it on every time you launch a new session.