31st May 2018

Waze remote vulnerabilities (Advisory)

Background


During our regular App auditing, we noticed that, Waze, a community-based traffic and navigation App ranking Top 2 in the navigation category on the App Store, has multiple security issues and poses a significant attack surface for Waze users on iOS platforms. We tried to contact Waze via email and twitter many times but got no response.

In general, there are two categories of security issues.

1) Remote Memory Corruption, including out-of-boundary (OOB) access and use-after-free (UAF), which could lead to a remote denial-of-service (DoS) attack for any Waze user, or even a remote code execution in the context of Waze App. Among the numerous memory crashes, we post the following two figures, from which, you can find the instruction pointer register (%rip) already points to a heap address, resulting in a KERN_PROTECTION_FAILURE at 0x17046a580.

 

2) Remote Manipulation of Waze. A remote user could manipulate any Waze app and deliver a number of operations such as resetting navigation destinations. The video below demonstrates how a computer can remotely manipulate three Waze apps on different iPhones simultaneously.

About Us


In 2014, Pangu Team (@panguteam) founded PWNZEN InfoTech Co., LTD, a startup company at Shanghai, China, and expanded its research team to the Pangu Lab, with more general research interests from iOS jailbreaking, to IoT security, App security auditing, Android security, etc.

Contact us


For Waze team, please email to bugs#pwnzen.com (‘#’ -> ‘@’) for the details of issues.
If you are interested in our services, please email to info#pwnzen.com (‘#’ -> ‘@’)