Two Israeli students have successfully hacked popular social GPS map and traffic app Waze, causing it to report a nonexistent traffic jam.
The attack, somewhat reminiscent of the wonderfully ridiculous Die Hard 4.0 plot, was carried out by Shir Yadid and Meital Ben-Sinai, two software engineering students in their fourth year at the Israel Institute of Technology.
As part of their university project, the two students created their own program, which they used to hack into Waze in order to cause the fake traffic jam, lasting hours. As this was an educational endeavour, the pair was conscious of causing as little real-world trouble as possible. With this in mind, Yadid and Ben-Sinai generated a fake jam on a quiet back road within their campus, but their faculty advisor, Professor Eran Yahav, said the two students could have created the fake traffic jam on any road in Israel, potentially causing mayhem.
In true white hat fashion, the faculty immediately contacted Waze and informed the company of the students’ actions, highlighting the vulnerabilities in their system. They were even kind enough to include the full academic paper behind the project.
Doctoral student Nimrod Partush came up with the idea a year ago after being stuck in a traffic jam with Professor Eran Yahav. “I told Eran that had we made Waze inform drivers about a traffic jam on the Coastal Highway before we set out, the application would have diverted drivers to Route 4, and we could have driven to Tel Aviv along the Coastal Highway with no traffic jams,” said Partush, in an interview with Haaretz.
The professor suggested that Partush voice his thoughts to Yadid and Ben-Sinai, who then took up the challenge of hacking Waze. Initially the two students didn’t realise how difficult the task would be — but as they became more involved with the project, its complexity became evident.
Not only did they need to figure out how to create the numerous active fake Waze accounts necessary for such a task, they also needed to mimic false GPS information. The research was conducted in three phases:
“We first created a system that automatically creates multiple ‘fake’ Android devices,” Partush explained to Wired.co.uk. “This was done by using an ‘Android Emulator’ — a computer program, supplied by Google for development purposes, that emulates a legitimate Android device. We then built a control system, using scripting code, which allowed us to mimic interactive human input for all the emulated devices.
“We then used the system to install and log in to the Waze application, by automating human operations required for creating an account. This provided us with an ‘army’ of fake Wazers (we called them ‘Wazer bots’), which we sent to a designated road to fake congestion in the Waze application. To send our ‘Wazer bots’ to the desired road, we created a small Android application of our own, simply called ‘TrafficJam’. ‘TrafficJam’ generated fake GPS coordinates, which were fed to the Waze application, making it think our bots are everyday Wazer users, driving about the designated road. Finally, we tuned ‘TrafficJam’ to generate GPS coordinates such that our army of Wazer bots would appear to be gradually slowing down at the designated route.”
This final stage was done experimentally, and was the most challenging part of the research for the team, as they had to work out which traffic patterns Waze treated as congestion. “At that point, Waze reported the designated road to be congested, and offered a different route through campus when asked for a route”, concludes Partush.
Following the news of the hack, some individuals have been less than pleased, expressing concern over the moral ambiguity of potentially inconveniencing drivers.
However, a spokesperson for the university and Professor Yahav himself made it clear to Wired.co.uk that those who felt there were moral issues with the experiment had misunderstood their method:
“First, let me assure you that there is no moral ambiguity in this project, and we have taken extreme care to make sure that no real Waze users are affected in a meaningful way: all of our experiments were limited to roads inside the campus. All of our experiments were limited to short periods of time,” explained Professor Yahav.
“We have notified Waze of our finding on 2 February, and got an official response on 5 February. We deliberately gave Waze more than 40 days to act on our findings before making them public. Further, a main aspect of the academic paper that we wrote on the topic is investigation of defense mechanisms against this kind of Sybil attack, and we have shared the full paper with Waze on our initial contact with them.”
The attack was carried out in a completely automatic manner, required a low amount of resources, and involved no hacking of any kind into the Waze application or servers. Waze, now owned by Google after a $1.3 billion (£788 million) buyout last year, has acknowledged the university’s findings, stating it will look into the issue.
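The defensive side of the Sybil attack described above, as an added example that is not taken from the article, the researchers' paper or Waze: a jam on a road segment is accepted only when enough established, non-emulated accounts report it, and a jam visible only through new or emulated accounts is flagged. The report fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample reports (not real Waze data). Hypothetical fields:
# (segment, account_id, account_age_days, is_emulator, speed_kmh)
REPORTS = [
    ("campus_back_road", f"bot{i}", 0, True, speed)
    for i, speed in enumerate([12, 9, 7, 5, 4, 3, 3, 2])  # fresh accounts, slowing down
] + [
    ("campus_back_road", "u1", 400, False, 38),
    ("campus_back_road", "u2", 950, False, 41),
    ("main_road", "u3", 700, False, 8),
    ("main_road", "u4", 365, False, 6),
    ("main_road", "u5", 1200, False, 9),
    ("main_road", "new1", 1, False, 7),
]

MIN_AGE_DAYS = 30  # assumed age at which an account counts as established
SLOW_KMH = 15      # assumed speed below which a report indicates congestion
MIN_TRUSTED = 3    # assumed minimum number of established reporters per segment


def is_trusted(age_days, is_emulator):
    """Established account on a device that does not look emulated."""
    return age_days >= MIN_AGE_DAYS and not is_emulator


def assess(reports):
    """Return {segment: 'congested' | 'suspicious' | 'clear'}."""
    by_segment = defaultdict(list)
    for segment, _account, age, emulator, speed in reports:
        by_segment[segment].append((is_trusted(age, emulator), speed))

    verdicts = {}
    for segment, rows in by_segment.items():
        all_speeds = [speed for _, speed in rows]
        trusted = [speed for ok, speed in rows if ok]
        naive_jam = median(all_speeds) < SLOW_KMH  # what equal weighting would conclude
        trusted_jam = len(trusted) >= MIN_TRUSTED and median(trusted) < SLOW_KMH
        if trusted_jam:
            verdicts[segment] = "congested"
        elif naive_jam:
            verdicts[segment] = "suspicious"  # jam seen only through untrusted reporters
        else:
            verdicts[segment] = "clear"
    return verdicts


if __name__ == "__main__":
    print(assess(REPORTS))
```
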