University of California – Santa Barbara researchers discovered a vulnerability in Waze, the popular directions app, that allows hackers to track drivers. The research raises interesting themes around the security of social media applications, are you planning to cover the news? Here to comment on this news is Security Expert Deral Heiland.
Comment from Deral Heiland, Research Lead at Rapid7:
An oft-overlooked reality: Waze is a social media style application. This research points out a common concern related to all social media: if we are willing to share personal data — and in this case GPS location — the possibility of that data being abused exists.
Waze shows you other users in close proximity to you and their GPS location. The University of California- Santa Barbara researchers found that once a Waze user was identified, they were able to create and used ghostriders to echo the GPS location of the person they wanted to stalk, enabling the ghostrider to virtually follow the victim around, reporting back their GPS locations. This making this a very novel and potential concerning attack method, which many users of social media tools do not take into consideration when using an application like Waze.
Another important issue revealed in this research relates to the accuracy of the data. The researchers were successful in creating hundreds of fake Waze users, which they use to make it appear that there was a traffic jam. If such data is widely used and trusted, an attacker could leverage it to manipulate traffic patterns. Currently I find this a low risk, but in thinking about the expanding world of automation, and specifically autonomous vehicles, there could be a significant impact over time.