A security researcher discovered a hidden, unreleased feature in the Waymo app that allowed customization of the robotaxi's top display. Jane Manchun Wong, known for her advanced Android knowledge, managed to display characters of her choice, including her handle and other strings, on the self-driving Jaguar I-Pace's dome. The feature was not intended for public use and was likely a testing or debugging function whose input Waymo's servers did not validate.
Wong shared her discovery on X, posting an image that showcased the customized dome display. She manipulated the display by tinkering with the Waymo mobile app on her Android phone. The revelation prompted Waymo to update the app swiftly, preventing further alterations by users.
“I hacked my Waymo into showing weird texts like empty string, ‘wongmjane,’ and emojis as the Car ID, pls don’t ban me or patch it @waymo lol,” – Jane Manchun Wong
Waymo spokesperson Sandy Karp confirmed that Wong had indeed stumbled upon an unreleased feature and that the company promptly shut it down. The incident highlights how Wong's expertise enabled her to access a feature that was not secured against non-employee manipulation.
“Jane identified an unreleased feature given her advanced Android knowledge,” – Sandy Karp
The capability to customize the Car ID on the dome was unintentional and not part of Waymo's standard offerings to riders. As a result, Waymo has since restricted access to these features to prevent similar occurrences in the future.
“We have restricted access to the dome display features,” – Sandy Karp
Wong attributed her success in unlocking this feature to her deep understanding of Android systems. She suggested that Waymo's servers did not validate the Car ID input from non-employees, which allowed her to make modifications without official access.
“The good old magic of messing around with the Waymo mobile app. I guess their servers didn’t validate the input for the Car ID from non-employees,” – Jane Manchun Wong
In 2020, Waymo had enhanced its vehicles with moving LEDs on the dome, adding to the functionality of this top display. However, this recent incident points to potential vulnerabilities in app features that require further attention from developers.