Researchers from the University of California, Santa Barbara have uncovered a hacking technique that could allow bad actors to sabotage location-based mobile apps — including the maps and navigation app Waze — by simulating a large number of mobile devices that don't actually exist.
According to a new report, hackers can use malicious “Sybil” scripts, which appear to application servers as “virtual mobile devices,” to overload mobile services with fake traffic, in what is for all intents and purposes a distributed denial of service (DDoS) attack.
Furthermore, by generating fake traffic, adversaries can also supply false data to location-based apps that rely on crowdsourced data from their active user bases. In the case of Waze, the researchers were actually able to create imaginary traffic jams and road congestion on various highways, which theoretically could have caused the app to reroute genuine users on unwanted detours. (Researchers conducted these tests in the middle of the night and halted operations whenever a genuine user was within 10 miles of an affected area.)
If that weren't bad enough, hackers can even use these “virtual vehicles” to track other Waze users' movements, either intermittently over time or continuously in real time, stalking them as they drive without risking detection. This is accomplished by assigning virtual vehicles (aka ghost riders) in a given geographic area to constantly perform queries in search of a specific device's ID signature.
“One of our research team members drove around Hollywood… and we tracked him for about 28-30 minutes, just to make sure we could do this in a high density area,” Ben Zhao, a report author and professor of computer science at UC Santa Barbara, told SCMagazine.com.
Although Waze and other geo-location based apps use HTTPS to communicate with their respective servers, an attacker can sometimes intercept traffic via a proxy server by what is essentially a man-in-the-middle attack. “You can basically eavesdrop on the communication between the app and the server by breaking the SSL connection between them,” Zhao said.
The report explains how the hacker would execute this technique:
“An attacker needs to pre-install the proxy server's root Certificate Authorities (CA) to her own phone as a trusted CA. This allows the proxy to present self-signed certificates to the phone claiming to be the Waze server,” the report said. “The Waze app on the phone will trust the proxy (since the certificate is signed by a ‘trusted CA’), and establish HTTPS connections with the proxy using the proxy's public key. On the proxy side, the attacker can decrypt the traffic using the proxy's private key, and then forward traffic from the phone to the Waze server through a separate TLS/SSL channel. The proxy then observes traffic to the Waze servers and extracts the API calls from plain text traffic.”
While the researchers focused their attention on Waze, the report noted that hackers could easily pull off similar Sybil attacks to create havoc or perpetrate fraud on any number of location-based apps including Foursquare, Uber and Yik Yak — especially those that don't have strong user authentication measures.
Bad actors can also use emulators to impersonate a mobile device, but Sybils can cheaply and easily create attacks on a much larger scale, creating “tens of thousands of virtual devices,” warned Zhao.
To remedy this vulnerability, the researchers propose the use of collocation edges, which the report describes as “authenticated records that attest to the one-time physical proximity of a pair of mobile devices.” Sybil-created virtual devices cannot directly interact with genuine devices; “they can only interact indirectly via a small number of real devices operated by the attacker,” the report explains. This helps app-based service providers recognize genuine traffic while pinpointing fake device activity, minimizing its effect.
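The graph intuition behind that remedy can be shown in a few dozen lines. The following is an added illustration, not code from the UCSB paper or from Waze: devices are nodes, a collocation edge is an undirected link, and because ghost riders have no real radio or position they can only ever be linked to the attacker's own phones or to one another. Seeding trust on a couple of devices verified honest out of band and letting it spread for a few rounds (a SybilRank-style propagation, which is an assumption here; the article names no algorithm) leaves the region behind the attacker's two real phones starved of trust. The device names, edges and seed choice are all constructed for the example.

```python
"""Collocation-graph Sybil ranking (added illustration; not the UCSB paper's code).

Devices are nodes; an undirected edge is an authenticated record that two
devices were once physically co-located.  Ghost riders cannot earn an edge to
a genuine device, so every path from the Sybil region into the honest region
runs through the few real devices the attacker operates.  A short,
degree-normalised trust propagation seeded on verified-honest devices (the
SybilRank idea, assumed here) leaves the Sybil side of that narrow cut
with very little trust, so it ranks at the bottom.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# --- constructed sample graph (device names and edges are invented) ---------
HONEST = [f"H{i}" for i in range(1, 9)]        # genuine users
ATTACKER_REAL = ["A1", "A2"]                   # attacker's own physical phones
GHOSTS = [f"G{i}" for i in range(1, 7)]        # Sybil "ghost riders"

EDGES: List[Tuple[str, str]] = [
    # honest drivers passing one another on real roads
    ("H1", "H2"), ("H2", "H3"), ("H3", "H4"), ("H4", "H5"), ("H5", "H6"),
    ("H6", "H7"), ("H7", "H8"), ("H8", "H1"), ("H1", "H5"), ("H2", "H6"),
    ("H3", "H7"), ("H4", "H8"), ("H1", "H3"), ("H2", "H4"),
    # the only honest contact the attacker can earn: two real phones
    ("A1", "H3"), ("A2", "H7"), ("A1", "A2"),
    # ghost riders can only be "co-located" with attacker hardware or each other
    *[(a, g) for a in ATTACKER_REAL for g in GHOSTS],
    ("G1", "G2"), ("G3", "G4"), ("G5", "G6"),
]
SEEDS = ["H1", "H5"]   # devices verified honest out of band


def build_graph(edges: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected adjacency sets; self-loops dropped, duplicates merged."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a, b in edges:
        if a != b:
            graph[a].add(b)
            graph[b].add(a)
    return dict(graph)


def propagate_trust(graph: Dict[str, Set[str]], seeds: List[str],
                    iterations: int = None) -> Dict[str, float]:
    """Spread unit trust from the seeds along collocation edges.

    Each round every node splits its trust evenly over its neighbours.  The
    walk stops after about log2(n) rounds: long enough to mix inside the
    well-connected honest region, too short to leak much across the handful
    of attack edges.  Scores are divided by degree so a device cannot buy
    rank by accumulating many low-trust edges.
    """
    n = len(graph)
    rounds = iterations if iterations is not None else max(1, math.ceil(math.log2(n)))
    trust = {v: 0.0 for v in graph}
    for s in seeds:
        trust[s] = 1.0 / len(seeds)
    for _ in range(rounds):
        nxt = {v: 0.0 for v in graph}
        for v, nbrs in graph.items():
            share = trust[v] / len(nbrs)
            for u in nbrs:
                nxt[u] += share
        trust = nxt
    return {v: t / len(graph[v]) for v, t in trust.items()}


def rank_devices(graph: Dict[str, Set[str]], seeds: List[str]) -> List[str]:
    """Most trusted device first."""
    scores = propagate_trust(graph, seeds)
    return sorted(scores, key=scores.__getitem__, reverse=True)


def suspect_devices(graph: Dict[str, Set[str]], seeds: List[str],
                    ratio: float = 0.25) -> Set[str]:
    """Flag devices whose normalised trust is below `ratio` of the best score.

    This flags the attacker's real phones together with the ghost riders:
    they sit on the far side of the cut too, which is the intended outcome.
    """
    scores = propagate_trust(graph, seeds)
    cutoff = ratio * max(scores.values())
    return {v for v, s in scores.items() if s < cutoff}


if __name__ == "__main__":
    g = build_graph(EDGES)
    for device in rank_devices(g, SEEDS):
        print(device)
    print("suspects:", sorted(suspect_devices(g, SEEDS)))
```

On this sample the eight honest devices occupy the top of the ranking and the six ghost riders the bottom, with the attacker's two real phones just above them. The ratio threshold is a toy choice; a production service would calibrate it against known-good devices and treat the score as one signal among several rather than as a verdict.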
Security expert Tyler Cohen Wood, a former Defense Intelligence Agency (DIA) senior intelligence officer and cyber deputy decision chief, told SCMagazine.com in a written statement that this latest research “underscores the inherent risk that apps can contain. It's likely that many common, well-known and often used apps contain code that can expose consumers to privacy concerns when reverse engineered or hacked.”
Wood, now the cybersecurity adviser for Inspired eLearning, added that “it is critical to always read the terms of service which will tell you what data is collected, and to make sure you know what access the apps you use have to other areas of your mobile device such as text messages, contact lists, photos, microphone and more. Also, be sure to customize the app settings to turn off unwanted access.”
SCMagazine.com has reached out to Waze's parent company Google and will update the story upon its response.