Tile, the popular Bluetooth tracking system used by over 88 million people worldwide, is facing serious privacy concerns after researchers uncovered a set of glaring security flaws in its technology. According to a report from Wired, researchers at Georgia Tech have found that Tile’s trackers can easily be tracked by just about anyone. It’s an oversight so massive, it essentially turns the company’s entire network into a global surveillance system.
A surprisingly major oversight
Encryption is key, but Tile trackers don’t use it
Every Tile tag repeatedly transmits two pieces of information over Bluetooth — a unique ID that rotates periodically, and the tag’s MAC address, which does not. Because the MAC address never changes and the data is sent in plain text, anyone with a phone or RF antenna can passively collect this information and track a tag’s movements indefinitely. And because Tile reportedly stores this data unencrypted on its servers, the company itself could potentially track users in real time, despite claiming it has no such ability.
Competitors like Apple, Google, and Samsung have already solved this problem by encrypting tag broadcasts and rotating identifiers so they can’t easily be linked back to a single person. Tile’s decision not to do this is baffling. As researcher Akshaya Kumar bluntly put it to Wired, “An attacker only needs to record one message from the device to fingerprint it for the rest of its lifetime.”
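The linkability problem described above can be checked as a design audit. The following is an added example, not code from the researchers or from Tile: it clusters broadcast sightings that share either an address or a payload ID, and it goes one step beyond the article by also covering identifiers that rotate at different moments. The record layout, field names and all sample values are constructed assumptions.

```python
# Added example: linkability audit over constructed advertisement records.
from collections import defaultdict

def link_clusters(sightings):
    """Group sightings that share an address or a payload ID (union-find).

    Each sighting is (time_s, address, payload_id). A single cluster means
    a passive observer can tie every sighting to the same tag.
    """
    parent = list(range(len(sightings)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    first_seen = {}  # (field, value) -> index of first sighting carrying it
    for idx, (_, address, payload_id) in enumerate(sightings):
        for key in (("addr", address), ("id", payload_id)):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx

    clusters = defaultdict(list)
    for idx in range(len(sightings)):
        clusters[find(idx)].append(sightings[idx][0])
    return sorted(clusters.values())

# Constructed sample data (not captured from any real device).
STATIC_ADDR = [  # ID rotates every 900 s, address never does
    (0, "AA:BB:CC:00:00:01", "id-a"),
    (900, "AA:BB:CC:00:00:01", "id-b"),
    (1800, "AA:BB:CC:00:00:01", "id-c"),
]
ROTATE_BOTH = [  # address and ID rotate together
    (0, "4A:00:00:00:00:01", "id-a"),
    (900, "5B:00:00:00:00:02", "id-b"),
    (1800, "6C:00:00:00:00:03", "id-c"),
]
UNSYNCED = [  # both rotate, but at different moments
    (0, "4A:00:00:00:00:01", "id-a"),
    (450, "5B:00:00:00:00:02", "id-a"),
    (900, "5B:00:00:00:00:02", "id-b"),
]
```

A design passes only when each rotation period lands in its own cluster; a static address, or rotations that are not synchronized, collapse every sighting into one.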
And it gets worse. Tile’s anti-stalking protections (which are already weaker than competitors’ because they require manual scans that last just 10 minutes) can be bypassed entirely if a stalker puts the tag in “anti-theft” mode. That feature, meant to make tags invisible to thieves, also makes them invisible to victims trying to detect unwanted trackers.
Researchers even demonstrated a “replay attack,” where someone could collect broadcasts from another user’s Tile and rebroadcast them elsewhere, effectively framing that person for stalking.
Life360, Tile’s parent company, has not detailed what fixes it has implemented since researchers disclosed the findings last November. Its only public comment was that it had “made a number of improvements,” but the company didn’t elaborate.
For a product designed to keep you connected to your stuff, leaving tracking data unencrypted is a stunning security failure. Until Tile encrypts its broadcasts and overhauls its anti-stalking features, users may be putting themselves at risk every time they clip a Tile tag to their keys or pet collar. In the meantime, there are multiple ways to check if you’re being followed by an unknown Bluetooth tracker.