Waze is a community-based traffic and navigation app, ranked second in the navigation category on the App Store. Once the iOS app is launched, it starts services on ports 12345 and 8776 that accept any connection, and a safer service on port 55432 that accepts only localhost connections.
Reverse engineering shows that the service on port 12345 receives and processes remote command messages, and that a valid message must start with WL. There are three problems with this service.
1) The first is that, for any incoming message that starts with WL, Waze caches the message until memory is exhausted. This is not a practical attack, since the attacker would have to send the same volume of network traffic to crash the app remotely.
2) The second problem is that a message in the format WL|msgID|msgSize|msg is accepted by the app for the next stage of processing. Some valid messages are listed below.
By sending randomly generated messages that follow this format, we find that we can crash the app remotely.
3) The last and most serious problem is that, after a few sequential interactions, we can use a message whose msgID is set to 48 to send touch events that manipulate the Waze app: for instance, creating traffic jams, navigating the end-user somewhere else, or shutting down the navigation. The PoC for this attack will not be released until all end-users have upgraded their apps.
What makes the problem worse is that the service accepts any connection, even when the app is on a cellular network. That means an attacker can probe a device running Waze over the cellular network and access the device without authorization. An end-user who depends on Waze for driving will lose the service or be misled when a malformed message arrives.
In the app binary we also find a built-in request to 127.0.0.1:12345 for this service, so the service is likely built for internal use only; exposing it to any connection is unnecessary.
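As an added example, not code from Waze or from the original write-up, the sketch below shows what the two findings above imply for a local command service: bind the listener to the loopback address only (the weak alternative, binding to 0.0.0.0, is shown in a comment), cap how many bytes a peer may make the service buffer, and reject any frame that does not match WL|msgID|msgSize|msg exactly. The byte cap, the response strings and the helper names (parse_message, read_frame, serve_one, send_frame) are assumptions made for this example; the WL prefix and the field layout are the ones described above.

```python
import socket
import threading

PREFIX = b"WL|"
MAX_MSG_SIZE = 4096            # assumption: payload cap chosen for this example
MAX_FRAME = MAX_MSG_SIZE + 32  # header room for "WL|msgID|msgSize|"


class FramingError(ValueError):
    """Raised for any frame that does not match WL|msgID|msgSize|msg exactly."""


def parse_message(raw, max_size=MAX_MSG_SIZE):
    """Return (msg_id, msg) for a well-formed frame; raise FramingError otherwise."""
    if not raw.startswith(PREFIX):
        raise FramingError("missing WL prefix")
    parts = raw.split(b"|", 3)          # at most 4 fields; msg itself may contain '|'
    if len(parts) != 4:
        raise FramingError("expected WL|msgID|msgSize|msg")
    _, id_field, size_field, msg = parts
    if not (id_field.isdigit() and size_field.isdigit()):
        raise FramingError("msgID and msgSize must be decimal integers")
    msg_id, msg_size = int(id_field), int(size_field)
    if msg_size > max_size:
        raise FramingError("declared size %d exceeds cap %d" % (msg_size, max_size))
    if len(msg) != msg_size:
        raise FramingError("payload length does not match declared size")
    return msg_id, msg


def is_loopback(addr):
    """Defence in depth: even a loopback-bound listener re-checks the peer address."""
    return addr[0] in ("127.0.0.1", "::1")


def read_frame(conn, limit=MAX_FRAME):
    """Read until the peer closes its write side, but never buffer more than `limit` bytes."""
    buf = b""
    while len(buf) <= limit:
        chunk = conn.recv(1024)
        if not chunk:
            return buf
        buf += chunk
    raise FramingError("frame exceeds %d bytes" % limit)


def handle(conn, addr):
    """Produce the response bytes for one connection; malformed input never reaches processing."""
    try:
        if not is_loopback(addr):
            return b"ERR not local"
        msg_id, msg = parse_message(read_frame(conn))
        return b"OK %d %d" % (msg_id, len(msg))
    except FramingError as exc:
        return b"ERR " + str(exc).encode()


def serve_one(port=0):
    """Bind to loopback only and serve a single connection in the background; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))   # weak setting would be srv.bind(("0.0.0.0", port))
    srv.listen(1)
    bound = srv.getsockname()[1]

    def run():
        conn, addr = srv.accept()
        conn.settimeout(5)
        with conn:
            conn.sendall(handle(conn, addr))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return bound


def send_frame(port, frame):
    """Local client used to exercise the service: send one frame, return the response."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(frame)
        c.shutdown(socket.SHUT_WR)   # signals end of frame to read_frame()
        resp = b""
        while True:
            chunk = c.recv(1024)
            if not chunk:
                return resp
            resp += chunk


if __name__ == "__main__":
    # Constructed sample frames: one well-formed, one with a lying size field.
    port = serve_one()
    print(send_frame(port, b"WL|7|5|hello"))
    port = serve_one()
    print(send_frame(port, b"WL|7|9999|x"))
```

The size check in parse_message is what stops the first problem above (unbounded caching) from recurring, and read_frame enforces the same limit before parsing, so a peer cannot force the service to hold more than MAX_FRAME bytes regardless of what the header claims.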
2018.6.20 Google confirmed this problem.
2018.6.4 Without acknowledgement, Waze removed the service on port 12345 in its latest update to fix this problem. Good job, Waze!
2018.6.1 Video released.
2018.5.26 Contacted Waze via email, Twitter and the website, but received no response.