Google Refutes Claim That Hackers Can Stalk Waze Users
Ashley Allen / 3 years ago
Google has spoken out against claims that hackers are able to stalk users of its Waze GPS navigation system, branding the accusations “severe misconceptions,” and explaining in detail how the app collects, stores, and delivers user data.
On Tuesday, an article from Kashmir Hill of Fusion revealed that University of California-Santa Barbara researchers had found a vulnerability within the Waze app that allowed them to create fake “ghost drivers” that can then monitor and track Waze users in their vicinity, one of whom was Hill herself.
“Here’s how the exploit works,” Hill writes. “Waze’s servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze’s computers are really talking to a Waze app on someone’s smartphone. [Ben] Zhao [professor of computer science at UC-Santa Barbara] and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection.”
“Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze’s back-end app servers,” she added. “With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of “ghost cars”—cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them.”
In a blog post yesterday, though, Google refuted the idea that Waze users can be stalked in such a manner, assuring users that “user accounts were not compromised, there was no server breach and Waze account data is safe.”
The post goes on to detail how the system operates, stressing that strangers cannot find and follow other users on Waze, and that the examples used by the researchers were misleading because the people they followed were known to the researchers and had consented to their location and username being tracked.
“Nothing is more important than the relationships we’ve built with our drivers,” the Google post concludes, “and we look forward to continuing to build our global community in open conversation with all of you.”