EXPLOITING SOCIAL NAVIGATION, presented at Black Hat Asia 2015

by Nimrod Partush, Meital Ben Sinai, Shir Yadid,

Summary: We present two new attacks against social navigation services. These attacks are based on creating a large number of reputed "bot drivers," and controlling their reported locations and movement patterns using fake GPS reports. We show how these attacks can be used to compromise social navigation systems by applying them to Waze, a prominent social navigation application used by over 50 million drivers. The first attack allows us to compromise user privacy by tracking the location and movement of users at any location. This attack is facilitated by automatically interacting with the application, capturing screen data, and parsing it using OCR techniques to produce location information over time. The second attack can fake traffic jams and dramatically influence routing decisions. This attack effectively influences the unpublished server-side Waze routing algorithm and allows us to direct users to a particular route. When combined, these attacks can be used to influence the driving directions produced for a given user. We present several techniques for preventing the attacks, and show that effective mitigation likely requires the use of additional carrier information.