Waze closes exploit that allowed "ghost drivers" to track users and create fake traffic jams

Waze is a traffic and navigation app that relies on crowd-sourced information to alert you to traffic issues, police presence, weather problems and anything else that can wreak havoc on your journey. Owned by Google, Waze responded earlier this week to an exploit found by UC Santa Barbara researchers. With the exploit, the research team wrote a program allowing them to invade the Waze eco-system with thousands of ghost drivers that could report phony traffic jams and keep tabs of other Waze drivers in real-time.

A writer for Fusion allowed the research team to track her, which they did as she drove through Las Vegas, and while commuting in San Francisco. Because the app shows users other Waze drivers on the road with them, including their username and their speed, the ghost drivers created by the UC Santa Barbara team allowed the researchers to keep track of the author's location.

In addition, the researchers used the ghost drivers to create a made-up traffic jam in a remote area between 2am to 5am every morning for two weeks. The appearance of heavy traffic resulted in Waze recommending alternate directions for drivers to take so that they could avoid the "traffic." According to the leader of the research team, Ben Zhao (who is a professor of computer sciences at UC Santa Barbara) "No real humans were harmed or even interacted with." But the made up traffic could result in detours that can add minutes to the driver's arrival time at his/her destination.

Waze responded by saying that a stranger cannot find you and track your car. That is because a stranger is not likely to know your username. In addition there is an invisible mode that prevents you from showing up on the map. However, this will result in your friends seeing you as being offline, and prevents you from reporting traffic conditions to fellow Wazers. Still, if you want to go invisible, head to Menu > My Waze (tap your name and icon) >Turn on "Go Invisible."

Waze points out that the writer of the story gave the research team her user name which made it easier for the researchers to figure out her route by using the "ghost riders." Waze says it has made some changes in the last 24 hours that "prevent ghost riders from affecting system behavior and performing similar tracking activities. None of these activities have occurred in real-time and in real-world environments, without knowing participants."


source: Waze, Fusion