Expert Comments on Google Map Apps Waze Flaw

A flaw has been discovered in the Google maps app Waze, which allowed hackers to track a reporter for days. Paul Farrington, senior solution architect, Veracode commented on this news below.

Paul Farrington, Senior Solution Architect, Veracode

“Typically, cyber-attackers target the theft of money, intellectual property or our personal identities, but this vulnerability leaves the door open a bit closer to home – potentially revealing our whereabouts at any given time.

“As we use our smartphones for an ever-growing number of activities, so too does the risk that attackers will gain access to sensitive personal or financial information we hold on these devices. Since most smartphones have the capability to track a user’s movements, vulnerabilities like the one reported in the Waze service call in to question personal safety of users.

With the Waze security hole, it seems as though the company hasn’t adequately threat-modelled how devices can interact securely. Effectively the system was open to a ‘Man-In-The-Middle’ attack. This is an old approach to gaining access to information as it flows back and forth. The attack intercepts communication and allows the attacker to predict how both the user and the Waze system will respond. Apps are helping to fuel the digital economy, but all too often they are just not built with security in mind. What perhaps is not readily understood by software vendors is that the risks taken and the security corners that are cut, will eventually lead to a cost. In this case its reputational damage.

“While by and large, computer cyber security has been drilled into the wider public’s consciousness, too frequently the threat of mobile devices is overlooked. And this threat is real. Last year Gartner suggested more than 75 per cent of mobile applications would fail basic security tests. It’s important that individuals and businesses gain greater awareness of the inherent risks found in most mobile applications. Not only to enable them to take better steps to secure their own devices, but also to drive greater accountability for security among the companies producing these applications.”