25th May 2018

Waze remote vulnerabilities (Technical Report)

Background


Waze is a community-based traffic and navigation App that ranks in the top 2 of the navigation category on the App Store. Once the iOS App is launched, it starts services on ports 12345 and 8776 that accept any connection, and another port, 55432, that only accepts localhost connections.

Details


Reverse engineering shows that the service on port 12345 receives and processes remote command messages, and a valid message must start with WL. There are three problems with this service.
1) The first is that for any incoming message that starts with WL, Waze caches the message until memory is exhausted. This is not a practical attack, since the attacker must send the same volume of network traffic to crash the App remotely.
2) The second problem is that a message in the format WL|msgID|msgSize|msg is accepted by the App for the next processing stage. Some valid messages are listed below.

By sending randomly generated messages that follow this format, we found that we can crash the App remotely.

3) The last and most serious problem is that, after a few sequential interactions, we can use a message whose msgID is set to 48 to send touch events that manipulate the Waze App: create traffic jams, navigate the end-user to another place, or shut down the navigation, for instance. The PoC for this attack will not be released until all end-users have upgraded their Apps.

What makes the problem severe is that the service accepts any connection, even when the App is working on a cellular network. That means an attacker can probe for devices running Waze on the cellular network and access them without authorization. An end-user who depends on Waze for driving will lose service or be misled when a malformed message arrives.

Mitigation


In the binary of this App we also find a built-in request to 127.0.0.1:12345 for this service, so the service is most likely intended for internal use only; exposing it to any connection is therefore unnecessary.
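To make the fixes for problems 1 and 2 and the mitigation above concrete, here is an added example of a hardened receiver for the WL|msgID|msgSize|msg framing. It is not Waze's code: the field delimiter, the decimal encoding of msgID and msgSize, and the size limits (MAX_FRAME, MAX_PENDING) are assumptions made for this illustration. It bounds the per-client buffer instead of caching indefinitely, validates the declared size before accepting a frame, and checks that an internal-use listener is bound to the loopback interface only.

```python
import ipaddress

# Assumed framing, based on the report's "WL|msgID|msgSize|msg" description.
# Delimiters, numeric encoding and limits are assumptions, not Waze's real protocol.
MAGIC = b"WL"
MAX_HEADER = 32           # assumed: a header longer than this cannot be legitimate
MAX_FRAME = 4096          # assumed upper bound on one message body
MAX_PENDING = 64 * 1024   # assumed cap on buffered, unparsed bytes per client


class FrameError(ValueError):
    """Raised when a client sends data that must lead to the connection being dropped."""


class BoundedFrameParser:
    """Accumulates bytes from a single client and returns complete (msgID, msg) frames.

    Unlike the behaviour described in problem 1, the buffer never grows without limit:
    a client that sends more than MAX_PENDING bytes without completing a frame is rejected.
    """

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data: bytes):
        if len(self.buf) + len(data) > MAX_PENDING:
            raise FrameError("pending buffer exceeded; drop this client")
        self.buf += data
        frames = []
        while True:
            frame = self._try_parse()
            if frame is None:
                break
            frames.append(frame)
        return frames

    def _try_parse(self):
        # Wait until at least the magic bytes are present.
        if len(self.buf) < len(MAGIC):
            return None
        if not self.buf.startswith(MAGIC):
            raise FrameError("message does not start with WL")
        # Header is WL|msgID|msgSize| followed by the body.
        parts = bytes(self.buf).split(b"|", 3)
        if len(parts) < 4:
            if len(self.buf) > MAX_HEADER:
                raise FrameError("header too long without a complete WL|msgID|msgSize| prefix")
            return None  # header still incomplete, wait for more bytes
        _, msg_id_raw, msg_size_raw, rest = parts
        if not (msg_id_raw.isdigit() and msg_size_raw.isdigit()):
            raise FrameError("non-numeric msgID or msgSize")
        msg_id = int(msg_id_raw)
        msg_size = int(msg_size_raw)
        # Problem 2: check the declared size before trusting it.
        if msg_size > MAX_FRAME:
            raise FrameError("declared msgSize exceeds MAX_FRAME")
        if len(rest) < msg_size:
            return None  # body not yet complete
        body = bytes(rest[:msg_size])
        consumed = len(self.buf) - len(rest) + msg_size
        del self.buf[:consumed]
        return (msg_id, body)


def rejects(data: bytes) -> bool:
    """True if a fresh parser refuses the given byte sequence outright."""
    try:
        BoundedFrameParser().feed(data)
    except FrameError:
        return True
    return False


def listener_is_loopback_only(bind_host: str) -> bool:
    """Mitigation from the report: a service meant for internal use (the binary's own
    127.0.0.1:12345 request) should be reachable on the loopback interface only."""
    return ipaddress.ip_address(bind_host).is_loopback


if __name__ == "__main__":
    parser = BoundedFrameParser()
    print(parser.feed(b"WL|48|5|hello"))           # constructed sample frame
    print(rejects(b"WL|48|99999|"))                 # oversized declared length
    print(listener_is_loopback_only("0.0.0.0"))     # exposed to any connection
```

Feeding the parser one TCP read at a time keeps frames that straddle reads intact, while a client that never completes a header, declares an impossible msgSize, or floods the buffer is disconnected instead of consuming memory. The loopback check is the configuration-time equivalent of Waze's eventual fix of not exposing the service at all.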

History


2018.6.20 Google confirmed this problem.

2018.6.4 Without acknowledgement, Waze removed the service on port 12345 in its latest update to fix this problem. Good job, Waze!

2018.6.1 Video released.

2018.5.26 Contacted Waze via email, Twitter and website, but received no response.