Tile Trackers’ Security Flaw Exposes Users to Stalking Risk

Summary
– Tile trackers have serious security vulnerabilities that enable stalking: tags broadcast unencrypted data, including a unique ID and a MAC address, and anti-theft mode hides a tag from the Tile network and its detection tools.
– Security experts and the EFF have long criticized Tile for poor design choices, including not rotating MAC addresses and lacking encryption, unlike competitors.
– Researchers found that Tile rotates a tag’s unique ID but not its MAC address, so a single intercepted message lets an attacker fingerprint and track a device indefinitely.
– Tile’s anti-stalking feature, “Scan and Secure,” can be bypassed by placing a tracker in anti-theft mode, which hides it from scans; the $1 million misuse penalty Tile attaches to that mode is hard to enforce.
– Tile’s parent company, Life360, says it has made improvements and handles security reports through HackerOne, but did not detail specific fixes or address the lack of encryption.
A recently uncovered security flaw in Tile tracking devices raises significant concerns about user safety, potentially allowing malicious individuals to turn the technology designed for locating lost items against the people it is meant to serve. Security researchers have identified vulnerabilities that could let a stalker use a Tile tag to monitor a target’s movements, undermining the privacy protections the product is supposed to offer. According to an investigation detailed by Wired, Tile’s anti-theft mode, intended to conceal a tracker from the Tile network so a thief cannot detect it, ironically also weakens safeguards against unauthorized tracking. The problem extends further: because the tags broadcast their unique identifier and MAC address unencrypted, a bad actor can intercept those broadcasts with a Bluetooth scanner or a specialized antenna and follow a tag’s location directly, without any help from Tile’s network.
Eva Galperin, cybersecurity director at the Electronic Frontier Foundation, has long warned about risks tied to Bluetooth trackers. She notes that Tile has been aware of these design shortcomings for some time. While Tile’s parent company, Life360, claims to have implemented “improvements” following researcher reports, specifics regarding encryption or other corrective steps remain undisclosed.
Tile trackers broadcast over Bluetooth to nearby smartphones that participate in Tile’s network, which relay the tag’s location, MAC address, and unique ID back to Tile’s servers. This system helps people find misplaced belongings like keys or wallets. Similar crowdsourced networks power Apple AirTags, Samsung SmartTags, and third-party devices compatible with Google’s Find My Device platform. However, researchers from the Georgia Institute of Technology discovered a critical difference in how Tile handles device identifiers. Competitors regularly rotate both the unique ID and the MAC address so that no single value can be used to link a tag’s broadcasts over time; Tile rotates only the unique ID and leaves the MAC address static. Akshaya Kumar, one of the researchers, explains that an attacker therefore needs only one intercepted message to fingerprint a specific Tile tracker permanently.
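The linkability problem the researchers describe can be shown with a small simulation. The following is an added example, not code from the article, Tile, or the Georgia Tech researchers, and it does not reproduce Tile’s actual packet format: it builds a constructed log of advertisements from one tag seen at successive locations, rotates the tag ID on every broadcast, and then shows that an attacker who keeps the MAC address from a single intercepted packet can recover the tag’s whole track when the MAC is static, but nothing when the MAC rotates alongside the ID. The field names (`tag_id`, `location-N`) and the hash-based address generation are assumptions made for the example.

```python
"""Linkability of tracker advertisements: static vs. rotating MAC address.

Constructed example (assumption: not Tile's real protocol or packet layout).
Each observation is (time_s, mac, tag_id, location), as a passive scanner
that logs Bluetooth advertisements together with its own position might record.
"""
import hashlib
from collections import defaultdict

STATIC_MAC = "c6:12:34:56:78:9a"  # constructed value for the static-MAC case


def _rotating_value(label: str, i: int, nhex: int) -> str:
    """Deterministic stand-in for a freshly randomised identifier at step i."""
    return hashlib.sha256(f"{label}-{i}".encode()).hexdigest()[:nhex]


def make_observations(rotate_mac: bool, n: int = 6):
    """Constructed advertisement log for one tag seen at n successive locations.

    The tag_id rotates on every broadcast in both cases. The MAC rotates only
    when rotate_mac is True (modelling the rotating-address behaviour the
    article attributes to competing trackers); otherwise it stays static.
    """
    obs = []
    for i in range(n):
        tag_id = _rotating_value("id", i, 8)
        if rotate_mac:
            hexpart = _rotating_value("mac", i, 10)
            mac = "c6:" + ":".join(hexpart[j:j + 2] for j in range(0, 10, 2))
        else:
            mac = STATIC_MAC
        obs.append((i * 600, mac, tag_id, f"location-{i}"))
    return obs


def fingerprint(packet):
    """What an attacker keeps from one intercepted packet.

    Only the MAC is worth keeping: the tag_id will have rotated by the next
    broadcast, so it cannot be used to recognise the same tag later.
    """
    _, mac, _, _ = packet
    return mac


def follow(fp: str, later_observations):
    """Locations at which a tag carrying fingerprint fp was later observed."""
    return [loc for _, mac, _, loc in later_observations if mac == fp]


def link_by_mac(observations):
    """Group an advertisement log by MAC, the attacker's linking key."""
    tracks = defaultdict(list)
    for t, mac, tag_id, loc in observations:
        tracks[mac].append((t, tag_id, loc))
    return dict(tracks)


def longest_track(observations) -> int:
    """Length of the longest chain of observations an attacker can link."""
    return max(len(v) for v in link_by_mac(observations).values())


if __name__ == "__main__":
    for rotate in (False, True):
        log = make_observations(rotate_mac=rotate)
        fp = fingerprint(log[0])          # one intercepted message
        seen = follow(fp, log[1:])        # everything linkable afterwards
        print(f"rotate_mac={rotate}: fingerprint {fp} -> {len(seen)} later sightings {seen}")
```

Running the script shows the static-MAC tag linked across every later sighting from a single captured packet, while the rotating-MAC tag yields no later matches: the IDs in both logs rotate identically, so the difference is entirely due to the stable address. Note that the constructed rotating case is a simplification; real address rotation (for example Bluetooth resolvable private addresses) also has to be synchronised with ID rotation, or the overlap itself becomes a linking key.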
Galperin emphasizes that such vulnerabilities highlight the importance of the Detecting Unwanted Location Trackers standard, which Apple and Google developed jointly and have adopted. This framework establishes baseline security practices for all Bluetooth tracker manufacturers, including frequent MAC address rotation and encrypted data transmission, measures Tile has yet to fully implement.
Another concern involves Tile’s “Scan and Secure” anti-stalking feature. Intended to help individuals detect unknown Tile trackers nearby, it can be bypassed if the tracker has been placed in anti-theft mode, which hides it from such scans. Although Tile requires users to submit photo identification and agree to a $1 million penalty before enabling anti-theft mode, Galperin points out the inherent flaw: the penalty can only be applied if the stalker is caught, and the feature’s whole purpose is to keep the tag from being detected.
In response to inquiries, Life360 spokesperson Kristi Collura reiterated that tracking someone without consent violates company policy. She stated that Life360 participates in HackerOne to address security reports responsibly and has made several improvements since November. The company asserts it cooperates with law enforcement in cases of alleged tracker misuse and remains committed to member safety as Tile integrates into the broader Life360 platform.
(Source: The Verge)