Waze Vulnerability

During our app vetting, we noticed that Waze, a community-based traffic and navigation app ranked in the top 2 of the navigation category on the App Store, has multiple security issues and exposes a significant attack surface for iOS Waze users. The attack works over both Wi-Fi and cellular networks. In general, the security issues fall into two categories.

1) Remote Manipulation of Waze. A remote adversary could manipulate the iOS Waze app and deliver a number of commands, such as resetting navigation destinations. The video demonstrates how an adversary can remotely manipulate three Waze apps on different iPhones simultaneously.

2) Remote Memory Corruption, including out-of-bounds (OOB) access and use-after-free (UAF), which could lead to a remote denial-of-service (DoS) attack against any iOS Waze user, or even remote code execution (RCE) in the context of the iOS Waze app. Among the numerous memory crashes, we post the following two figures, in which you can see that the instruction pointer register (%rip) already points to a heap address, resulting in a KERN_PROTECTION_FAILURE at 0x17046a580.





Vendor Response:



The infrastructure of KENWOOD and Waze. We bought the KENWOOD device from Amazon for our study.