Security Review: Uber

Imagine you’re suddenly all alone in a foreign city late at night. You don’t know where you are, and you didn’t bring your wallet with you. You don’t see any taxis, and few cars are passing by. You have limited Internet access. You would be better off with a remote/online taxi-ordering service that works pretty much everywhere, like Uber.

Uber is an app-based transportation network and taxi company that operates in many countries. Through a smartphone application, Uber receives ride requests and sends these trip requests to its drivers. Customers, in turn, use the app to request rides and track their reserved vehicle’s location (wiki).

For the Uber service to function properly, it needs to collect information from passengers (and drivers) in advance, such as their current geo-locations, payment info, emails, and a few more items. Moreover, it needs to accurately assign waiting passengers to nearby available drivers.

How does Uber security work? Is it secure for both passengers and drivers? In the rest of this post we will try to analyse the service from a security and privacy perspective.

Main Security Objectives

  • The system should protect the user’s sensitive personal information, like geo-location history and payment info, ensuring that users’ privacy is not violated.
  • Information requested from users must be valid and authenticated/authorized, or at least meet an accuracy threshold. For instance, an inaccurate capture of a waiting passenger’s location could lead to several issues for all parties. The system must also ensure that such data cannot be corrupted or altered.
  • Ensure a safe trip for the passengers (and drivers). There should be mutual trust between the two parties, based on the information stored and delivered by the system.

Threats, Weaknesses and Expected Adversaries

  • If an attacker is able to read users’ data, he would then have access to a sufficient amount of sensitive user data, such as payment info, trip history, and locations like home or work. This makes such a system an expected attack target for thieves, or even fans or stalkers.
  • An insider would have enough capabilities to track a passenger’s movement in real time, almost everywhere. Several news sources actually reported that Uber has a feature that makes it possible to spy on passengers on purpose.
  • How can a passenger ensure that the driver is a legitimate Uber driver? If an attacker gained access to the system, he would be able to schedule customer pickups for himself. Tech blogs reported that a working Uber app for drivers was leaked and distributed for a while.
  • User safety is questionable. An online public system that arranges rides for people doesn’t sound “very” safe until security and safety are ensured. Uber, until recently, had fairly loose background checks for its drivers before hiring them, done mainly online, which makes the checks easier to get around. Several incidents of sexual harassment by Uber drivers have been reported. Records show that such drivers had a history that was not known to Uber. On the other hand, drivers may face similar safety issues. For example, a female driver may find it unsafe to respond to a public pickup request from some anonymous user in an odd place, while that user can see her name/photo and location online.
  • Ethical and privacy concerns. Uber keeps customer data even if the user decides to delete his account. Even their trip history remains on record.

Protection and Defenses

  • Uber should do its best to encrypt the data and store it securely to prevent data leakage. Furthermore, to reduce the potential damage of an information leak, Uber could store less precise location history. An attacker then wouldn’t be able to find out exactly where a potential victim is at any time. Uber should delete old location data as soon as new data is received, making it less likely for large records to be leaked. To reduce risk, users should also be aware of whom they share their data/trips with.
  • Uber promises to deliver an app upgrade that would enable a customer’s friends or family members to automatically receive the driver’s picture and car details, as well as real-time feeds of the cab’s location, which is regarded as a security feature.
  • Uber claims that it uses GPS to track the cab. Users also know the whereabouts of their ride while waiting for it to arrive. But Uber doesn’t own the cabs in its fleet and doesn’t ensure that the vehicles have GPS installed. Thus, it only keeps tabs on the cabs’ movement through the GPS on the driver’s phone and the Uber app, which is not enough. Physical in-car GPS tracking should be enforced to ensure protection and monitoring.
  • Reports claimed that the company has started looking into technologies such as biometrics and voice recognition, and methods such as polygraph testing, to improve background checks and driver screening. This would add an extra layer of security for authorizing drivers to use the system.
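
The first defense above (less precise location history, and dropping old data when new data arrives) can be sketched as follows. This is an added example, not Uber's code: the class and function names, the 500 m grid and the 30-day retention window are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass, field

M_PER_DEG_LAT = 111_320.0  # approximate metres per degree of latitude

def coarsen(lat, lon, cell_m=500.0):
    """Snap a fix to the centre of a roughly cell_m x cell_m grid cell."""
    dlat = cell_m / M_PER_DEG_LAT
    clat = (math.floor(lat / dlat) + 0.5) * dlat
    # A degree of longitude shrinks with cos(latitude). Use the snapped
    # latitude so every fix in one latitude band shares the same grid.
    dlon = cell_m / (M_PER_DEG_LAT * max(math.cos(math.radians(clat)), 0.01))
    clon = (math.floor(lon / dlon) + 0.5) * dlon
    return round(clat, 5), round(clon, 5)

@dataclass
class RiderLocationStore:
    cell_m: float = 500.0             # assumed grid size
    max_age_s: int = 30 * 24 * 3600   # assumed retention window
    current: dict = field(default_factory=dict)  # rider -> latest precise fix
    history: dict = field(default_factory=dict)  # rider -> coarse fixes only

    def record(self, rider, ts, lat, lon):
        prev = self.current.get(rider)
        if prev is not None:
            # The old precise fix is never kept: it is demoted to a cell.
            cell = coarsen(prev[1], prev[2], self.cell_m)
            hist = self.history.setdefault(rider, [])
            if not hist or hist[-1][1:] != cell:  # collapse repeats
                hist.append((prev[0], *cell))
        self.current[rider] = (ts, lat, lon)
        self.purge(rider, ts)

    def purge(self, rider, now):
        cutoff = now - self.max_age_s
        kept = [h for h in self.history.get(rider, []) if h[0] >= cutoff]
        self.history[rider] = kept

    def breach_view(self, rider):
        """What a dump of the store would expose for one rider."""
        return {"precise": self.current.get(rider),
                "coarse": list(self.history.get(rider, []))}

if __name__ == "__main__":
    store = RiderLocationStore()
    # Constructed sample fixes (timestamps in seconds).
    for ts, lat, lon in [(0, 47.60621, -122.33207), (600, 47.62051, -122.34930)]:
        store.record("rider-1", ts, lat, lon)
    print(store.breach_view("rider-1"))
```

A dump of this store exposes at most one precise fix per rider; everything older is a grid cell, and cells past the retention window are gone.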

Conclusion

Uber introduces an excellent platform that eases the process of finding a taxi or a ride, with the convenience of requesting it through a smartphone app. But such convenience brings up a whole new level of security, privacy and safety issues. It is understandable that no service is perfect, but the company’s thrill of expanding quickly, offering services in 54 countries, might be the main reason for exposing such security threats to both the tech and business communities.