Figure 1. Video of working Uber GPS hack.
DISCLAIMER:
This white hat hack is for educational purposes only.
PURPOSE:
To demonstrate the need for immediate changes to Uber’s GPS tracking and validation programming.
TYPE:
White Hat
WHAT IS NEEDED:
- Rooted Android phone with:
  - Uber Driver app installed (hacked copy required for long term use)
  - GPS spoofing app installed
  - A cellular data plan
- Non-jailbroken iPhone with:
  - Uber Driver app installed
  - A cellular data plan
BRIEF:
This hack spoofs GPS through exploitation of Uber’s lack of proper root check handling and its per-device account reset feature. Currently, when an Uber Driver is logged in using an Android device, the Uber Driver app checks whether root privileges are granted. The root check is accomplished using the Google Maps app, which detects if the Android device is rooted (or whether the user has full admin control of the device [1]).
Before I was able to complete my hack of the Android Uber Driver app, I discovered that the Google Maps app is what relays to the Uber Driver app whether the device is rooted. It was at that point that the Uber Driver account became frozen (following a slow build-up of occasional pop-up error messages from the Google Maps app). However, to undo this ‘freeze’, simply log on to your Uber Driver account using a non-jailbroken iOS device and your Uber Driver account is instantaneously reset for you to continue spoofing along.
As a side note, there are workarounds to avoid the Google Maps pop-ups. Also, until you hack the Android Uber Driver app, you run the risk of a permanent lockout, but this may take a matter of weeks. All methods exploit the same weakness, which stems from the same initial hole that the Uber app leaves open: an app playing location games that doesn’t actually know where you are (and lets too many people see things they shouldn’t be able to see).
SYSTEMS AFFECTED:
- Uber app
- Uber self-driving vehicles (please contact me for more information about this)
SAFETY CONCERN(S):
Life, limb, and property; to include: Driver, Rider, and Uber self-driving vehicle(s).
Through spoofing, one party may furnish a false location. Having the ability to employ false GPS opens the way for legal exposure for Uber as well as liability for any party who chooses to use the Uber service. Here are some examples of what one may do using this hack:
- An Uber Driver may falsely change their GPS to a location where a surge is taking place, thus adding the surge rate to the Driver’s account (see Figure 1). Additionally, upon the next fare request, the Uber Driver – while still not moving – may falsely arrive “on-scene”, pretend the Rider failed to board the vehicle, and thus collect the “no-show” fee as well as the surge rate.
- An Uber Rider may request an Uber self-driving vehicle. Once the self-driving vehicle arrives, the Rider may activate false GPS, guide the self-driving vehicle to a chop shop, and take possession of the self-driving vehicle while reporting back to Uber that the vehicle is traveling as it should be.
- An Uber Driver may pick up a Rider, activate false GPS, and take the Rider to a different location than what is on the waybill. The Uber Driver may feed false location(s) to the Uber app, letting the Uber app record that the occupants are heading to the correct location.
In these examples (above), we have theft of money, theft of a vehicle, and kidnapping. Obviously, there are other crimes which may be carried out using this hack. For example, utilizing Uber self-driving vehicles to coordinate a terrorist attack to transport any number of payloads. Just these few examples raise enough concern for this matter to be an issue of public concern for any and/or all parties utilizing the Uber service.
PATCH:
The following measures should be taken:
- Upon actual confirmation, through detection (like what is already in place), of a rooted device, the Uber Driver app should freeze the given user account until such time as a complete Blue Team investigation may take place.
- Uber should not allow user accounts to become automatically unfrozen.
- Do not allow users to reset their own accounts (especially by simply switching device platforms).
- Modify relational policy regarding activity behavior patterns to include more conservative assumptions.
- Require the Rider to also confirm each phase of the ride process (arrival, en route, completed, as well as other safety features), thereby diversifying the one-party control of the transaction.
- Driver-to-Rider relational comparison model implementation.
- Employ use of the Determinative Ambulatory Location Algorithm (DALA) in combination with several policy adjustments to current GPS validation techniques.
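The BRIEF above describes the root-detection freeze being undone by a login from another platform, and the PATCH list asks for a freeze that only a human review can lift, for fixes that are checked for physical plausibility, and for the Rider to confirm arrival independently of the Driver. The following Python sketch, added here as an illustration and not Uber’s code or DALA, shows those three server-side controls together. The 200 km/h speed ceiling, the 150 m pickup tolerance, the event names and the coordinates are all assumptions constructed for the example.

```python
"""Server-side controls for a ride-hailing backend (added example, not Uber's code):
 - a driver account that stays frozen after a root-detection report until a named
   reviewer clears it, so logging in from another platform does not reset it;
 - a plausibility check on each incoming GPS fix that rejects implied speeds no
   road vehicle reaches and non-monotonic timestamps;
 - a pickup confirmation that requires the rider's own fix to agree with the driver's.
Thresholds and sample coordinates are constructed for the example."""

from dataclasses import dataclass, field
from math import radians, sin, cos, asin, sqrt
from typing import Optional, List

MAX_PLAUSIBLE_KMH = 200.0   # assumed ceiling for a road vehicle between two fixes
PICKUP_MATCH_M = 150.0      # assumed tolerance between driver and rider fixes at pickup


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


@dataclass
class Fix:
    lat: float
    lon: float
    ts: float  # seconds since epoch (constructed values below)


@dataclass
class DriverAccount:
    driver_id: str
    frozen: bool = False
    freeze_reason: str = ""
    last_fix: Optional[Fix] = None
    flags: List[str] = field(default_factory=list)

    def report_root_detected(self, platform):
        """First confirmed root report freezes the account, whatever the platform."""
        self.frozen = True
        self.freeze_reason = f"root detected on {platform}"

    def login(self, platform):
        """A login from any platform is refused while frozen; it never clears the freeze."""
        return not self.frozen

    def review_clear(self, reviewer):
        """Only an explicit reviewer action lifts the freeze, and it is recorded."""
        self.frozen = False
        self.freeze_reason = ""
        self.flags.append(f"cleared by {reviewer}")

    def accept_fix(self, fix):
        """Accept a GPS fix only if movement since the last accepted fix is plausible."""
        if self.frozen:
            return False
        if self.last_fix is not None:
            dt = fix.ts - self.last_fix.ts
            if dt <= 0:
                self.flags.append("non-monotonic timestamp")
                return False
            d = haversine_m(self.last_fix.lat, self.last_fix.lon, fix.lat, fix.lon)
            kmh = d / dt * 3.6
            if kmh > MAX_PLAUSIBLE_KMH:
                self.flags.append(f"implausible speed {kmh:.0f} km/h")
                return False
        self.last_fix = fix
        return True


def pickup_confirmed(driver_fix, rider_fix):
    """Rider-side confirmation of arrival: both parties' fixes must agree within tolerance."""
    return haversine_m(driver_fix.lat, driver_fix.lon,
                       rider_fix.lat, rider_fix.lon) <= PICKUP_MATCH_M


def demo():
    """Run a constructed scenario and return the outcomes of each control."""
    acct = DriverAccount("driver-demo")
    ok_drive = acct.accept_fix(Fix(37.7749, -122.4194, 0))      # start (constructed)
    ok_drive &= acct.accept_fix(Fix(37.7760, -122.4180, 10))    # ~170 m in 10 s, fine
    teleport = acct.accept_fix(Fix(37.8044, -122.2712, 20))     # ~13 km in 10 s, rejected
    acct.report_root_detected("android")
    ios_login = acct.login("ios")                               # still frozen
    acct.review_clear("blue-team-reviewer")
    after_review = acct.login("android")
    return ok_drive, teleport, ios_login, after_review, list(acct.flags)


if __name__ == "__main__":
    print(demo())
```

The point of `accept_fix` is that a spoofed jump is rejected on the server from the two fixes alone, with no reliance on the client's root check; `login` shows that a platform switch does nothing to a frozen account, and `pickup_confirmed` gives the Rider a vote on the "arrived" phase.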
Additional recommendations include:
- Follow up on, address, and amicably resolve ALL feedback received from Drivers through affiliate surveys and other forms of communication (this would have solved this issue when it was still a theory).
- Establishment of a real reward program [2] to enable ANYONE to bring a bug/hack to Uber’s attention (like what Microsoft has [3]).
Regarding the technical aspects of DALA, samples of this algorithmic solution may be requested using my CONTACT ME page.
CONCLUSION:
This white hat hack was to demonstrate the need for immediate changes to Uber’s GPS tracking and validation programming. Uber has been placed on notice regarding their software having this (as well as many other) issue(s). Uber’s Bug Bounty Program precludes participation through their own language which leaves no real white hat outlet. This hack is completely avoidable and Uber should take measures to immediately repair this. Uber has not responded to my communications regarding my concerns about this issue.
Footnotes
1. Bullguard.com. (n.d.). The risks of rooting your Android phone – BullGuard. Retrieved June 5, 2019, from https://www.bullguard.com/bullguard-security-center/mobile-security/mobile-threats/android-rooting-risks.aspx
2. Hackerone.com. (n.d.). Uber Bug Bounty Program. Retrieved June 5, 2019, from https://hackerone.com/uber
3. Microsoft. (n.d.). Microsoft Bug Bounty Program. Retrieved June 16, 2019, from https://www.microsoft.com/en-us/msrc/bounty