Tech-Savvy Stalkers Can Exploit Tile Tracking Tags, Study Finds
▼ Summary
– Tile trackers used by over 88 million people have security flaws that could allow stalkers or the manufacturer to track users’ locations, contradicting company privacy claims.
– Researchers found each tag broadcasts unencrypted MAC addresses and unique IDs, enabling nearby devices to track movements and potentially allowing Tile to conduct mass surveillance.
– Tile’s anti-stalking protection can be bypassed by enabling an anti-theft feature, and malicious actors could frame users by replaying device broadcasts to simulate stalking.
– Life360, Tile’s parent company, stopped communicating with researchers after receiving their report and provided vague responses about making unspecified improvements.
– The findings apply specifically to the Tile Mate model through reverse engineering, though Tile technology is embedded in products from companies like Dell, Bose, and Fitbit.
A new study reveals that Tile tracking devices, used by millions to find lost items, contain significant security vulnerabilities that could enable malicious actors to monitor users’ locations. Researchers from Georgia Institute of Technology discovered these popular Bluetooth trackers broadcast unencrypted identifying information, creating potential pathways for stalking and unauthorized surveillance.
The investigation identified that each Tile tag transmits its MAC address and unique identifier without encryption. These signals can be intercepted by nearby Bluetooth-enabled devices or radio-frequency antennas, allowing anyone with basic technical knowledge to follow the tag’s movement patterns. Even more concerning, this location data and identification information travels unencrypted to Tile’s servers, where researchers believe it remains stored in readable text. This storage method theoretically grants Tile, or anyone accessing their systems, the capacity to track tag owners’ whereabouts, despite company assurances to the contrary.
This architecture could facilitate mass surveillance capabilities, with potential implications for both corporate oversight and law enforcement access. The researchers emphasize that Tile’s parent company, Life360, could potentially monitor the movements of all 88 million Tile users worldwide.
Additionally, the study uncovered flaws in Tile’s anti-stalking safeguards. The protective features can be circumvented simply by activating an anti-theft mode available on the tags. Another concerning possibility involves false accusations: someone could record the unencrypted broadcasts from a person’s Tile device and replay them near another user, creating the illusion that the first individual is stalking the second.
The research team submitted their findings to Life360 several months ago, but reported that communication ceased earlier this year. When pressed for comment, the company provided a vague response mentioning “improvements” without detailing specific security enhancements.
While Tile sells standalone tracking tags, their technology also integrates into various products from major manufacturers including Dell, Bose, and Fitbit. The researchers focused specifically on reverse-engineering the Tile Mate model and its accompanying Android application, noting that their findings might not extend to all Tile products or third-party implementations.
Understanding Tile’s Tracking Mechanism
Tile devices function similarly to tracking products from Apple, Google, and Samsung but with distinct technical differences. These battery-powered tags use Bluetooth technology to communicate their position to the owner’s smartphone. People commonly attach them to valuable items like keys, luggage, electronics, or pet collars to maintain location awareness.
Each tag periodically broadcasts identifying information that changes over time. When an item goes missing, the owner can trigger an audible alert through the Tile application. For items beyond immediate range, the system leverages the collective network of other Tile users’ phones, which automatically detect and report nearby Tile signals. Since 2021, this network has expanded through integration with Amazon’s Sidewalk, allowing Ring cameras and Echo devices to also detect and report Tile tag locations, significantly expanding the tracking coverage area.
(Source: Wired)
