Security researchers have uncovered a major vulnerability in Tile’s tracking devices that could allow stalkers to monitor victims without their knowledge. According to a detailed report by Wired, Tile’s anti-theft mode, which is designed to make trackers “invisible” on the company’s network, also bypasses safeguards meant to prevent unwanted tracking.
Researchers found that data sent from the devices, including unique IDs and MAC addresses, is transmitted without encryption. This means that bad actors could potentially intercept the signals with Bluetooth devices or antennas and track someone’s movements over time.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), has long raised concerns about the risks associated with Bluetooth-enabled trackers. “Tile has, historically, been a bad actor in this space in the sense that they have known about all of these problems with their design choices,” Galperin said.
Tile responded by saying it had made “improvements” since the issues were reported, but the company did not provide details or confirm whether encryption had been introduced.
How trackers work and why Tile is different
Tracking tags such as those from Tile, Apple, Samsung, and Google work by sending signals to nearby smartphones. These phones then relay information, such as location, MAC addresses, and unique IDs, to the company’s database, making it easier to locate lost items, including keys, wallets, or purses.
Apple’s AirTags and Samsung’s SmartTags have built-in security measures that frequently change unique IDs and MAC addresses to make it harder for outsiders to follow a tag. Google’s Find My Device network provides similar protections for third-party brands, including Chipolo, Pebblebee, and Motorola.
However, researchers Akshaya Kumar, Anna Raymaker, and Michael Specter of the Georgia Institute of Technology discovered that Tile rotates only the unique ID, not the MAC address. Because the MAC address stays fixed, a tag’s broadcasts can be linked to that specific device indefinitely. “An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime,” Kumar told Wired.
Galperin noted that the EFF has been advocating for industry-wide standards to mitigate such risks, collaborating with Google and Apple on a framework called Detecting Unwanted Location Trackers. “One of them is frequently rotating your goddamn MAC address and sending information encrypted, instead of in the clear,” she said.
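The rotation point above can be checked on a tag's own captured broadcasts. The following is an added example, not code from Wired or the researchers: it clusters broadcasts that share either a MAC address or a unique ID, using constructed sample captures and hypothetical function names. It goes one step beyond the text by also covering identifiers that both rotate, but not at the same moment.

```python
from collections import defaultdict

# Constructed captures: (seconds since start, MAC address, unique ID). All values are made up.
STATIC_MAC = [(0, "mac-a", "id-1"), (900, "mac-a", "id-2"),
              (1800, "mac-a", "id-3"), (2700, "mac-a", "id-4")]  # only the ID rotates
SYNCED = [(0, "mac-a", "id-1"), (450, "mac-a", "id-1"),
          (900, "mac-b", "id-2"), (1350, "mac-b", "id-2"),
          (1800, "mac-c", "id-3"), (2250, "mac-c", "id-3")]      # both rotate together
UNSYNCED = [(0, "mac-a", "id-1"), (450, "mac-a", "id-2"),
            (900, "mac-b", "id-2"), (1350, "mac-b", "id-3"),
            (1800, "mac-c", "id-3"), (2250, "mac-c", "id-4")]    # both rotate, out of step


def link_observations(observations):
    """Cluster time-ordered observations that share a MAC address or a unique ID.

    Returns sorted lists of observation indices. Each cluster is a run of
    broadcasts that can be attributed to one physical tag.
    """
    parent = list(range(len(observations)))

    def find(i):
        # Union-find root lookup with path halving.
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}  # (field name, value) -> index of first observation carrying it
    for idx, (_, mac, uid) in enumerate(observations):
        for key in (("mac", mac), ("id", uid)):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])  # shared value links the two
            else:
                first_seen[key] = idx

    clusters = defaultdict(list)
    for idx in range(len(observations)):
        clusters[find(idx)].append(idx)
    return sorted(clusters.values())


def longest_linkable_seconds(observations):
    """Longest time span covered by a single cluster (input must be time-ordered)."""
    return max(observations[c[-1]][0] - observations[c[0]][0]
               for c in link_observations(observations))


if __name__ == "__main__":
    for name, capture in (("static MAC", STATIC_MAC), ("synced", SYNCED), ("unsynced", UNSYNCED)):
        print(name, link_observations(capture), longest_linkable_seconds(capture))
```

Only the capture where both identifiers change at the same instant breaks into separate clusters; a fixed MAC address, or rotations that overlap, leave every broadcast in one chain.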
Anti-theft mode under scrutiny
Tile’s “Scan and Secure” tool, designed to alert users if an unknown Tile is nearby, is also easily circumvented by the anti-theft feature. When activated, this mode hides the tracker from the Tile network, making it impossible for potential victims to detect.
Tile requires users to provide a photo ID and accept a $1 million fine if convicted of misuse before enabling the feature. Yet experts argue this safeguard is ineffective, as stalkers are unlikely to be caught if the technology itself prevents detection. “The stalker has to be caught, and they [Tile] have just provided the technology to make sure that wouldn’t happen,” Galperin said.
Responding to Wired, Kristi Collura, a spokesperson for Tile’s parent company Life360, said the firm has taken steps to improve safety. “Using a Tile to track someone’s location without their knowledge is never okay and is against our terms of service,” she said.
Life360 stated that it collaborates with the HackerOne programme to address security issues, works with law enforcement in rare cases of misuse, and focuses on enhancing the security of its broader platform.