What happens when an app becomes so popular it’s basically a public utility? For a school project, Shir Yadid and Meital Ben-Sinai, fourth-year students at Technion-Israel Institute of Technology, hacked the incredibly popular Waze GPS map, an Israeli-made smartphone app that provides directions and alerts drivers to traffic and accidents. The students created a virtual traffic jam to show how malicious hackers might create a real one.
One of the ways that Waze learns about traffic problems is through reports from users. At its best, the app crowdsources road conditions from drivers, thus making everyone’s commute shorter. Waze was so popular that last summer Google bought it for $1 billion.
Here’s how the student attack worked. Yadid and Ben-Sinai created and registered thousands of fake Waze users, using a program that impersonated smartphones. Then those fake accounts used an application that gave false GPS coordinates to the app. This army of false users then submitted reports claiming to be stuck in traffic at the false coordinates.
What’s especially novel about this hack is that it didn’t alter infrastructure in any way. There was no wreckage added to the road, no interfering with traffic lights. Instead, it took an app so popular that people treat it like infrastructure and fooled it into thinking there was a problem.
After rerouting traffic with the fake jam, the students’ advisors informed Waze of the attack and how it was done, in hopes that Waze can prevent such attacks from happening again.