Exploiting Social Navigation

Presented at Black Hat Asia 2015

We present two new attacks against social navigation services. These attacks are based on creating a large number of reputed "bot drivers" and controlling their reported locations and movement patterns using fake GPS reports. We show how these attacks can be used to compromise social navigation systems by applying them to Waze - a prominent social navigation application used by over 50 million drivers.

The first attack allows us to compromise user privacy by tracking the location and movement of users at any location. This attack is facilitated by automatically interacting with the application, capturing screen data, and parsing it using OCR techniques to produce location information over time.

The second attack can fake traffic jams and dramatically influence routing decisions. This attack effectively influences the unpublished server-side Waze routing algorithm and allows us to direct users to a particular route.

When combined, these attacks can be used to influence the driving directions produced for a given user.

We present several techniques for preventing the attacks, and show that effective mitigation likely requires the use of additional carrier information.


Presenters:

  • Shir Yadid - Technion IIT
    Shir Yadid, currently an MSc student in Computer Science, graduated cum laude with a BSc degree in Software Engineering from the Technion Israel Institute of Technology. She is interested in Program Analysis, Program Synthesis and Security. Her thesis involves the use of Big Data techniques to better understand code from a statistical point of view. The 'Exploiting Social Navigation' work started as her senior year project and was the driving force behind her decision to start MSc studies.
  • Meital Ben Sinai - Technion IIT
    Meital Ben Sinai is currently an MSc student in Computer Science with interests in Program Analysis, Natural Language Processing and Security. The topic of her thesis is "Code Similarity via Natural Language Descriptions", which addresses the question of similarity between code snippets from different programming languages via natural language techniques. Meital has been passionate about Android's security since she got her first Android phone in 2009. This passion inspired the work "Exploiting Social Navigation" towards its success.
  • Nimrod Partush - Technion IIT
    Nimrod Partush is currently pursuing a PhD in Computer Science with interests in Program Analysis and Security. The topic of his thesis is "Differential Program Analysis", which involves automatically analyzing program versions to differentiate behaviors. This has implications for program patching and exploit generation. His background and interest in application and mobile security inspired the 'Exploiting Social Navigation' work, with more to come.
