Tile Trackers Have a Horrible Security Flaw

Summary

  • Tile tags broadcast an unencrypted static MAC and ID, letting anyone with RF gear track you.
  • Tile network sends tag location, MAC, and ID unencrypted to servers, enabling mass surveillance.
  • Tile’s anti-stalking protection is weak: scans are manual only, and Anti-Theft Mode can hide a tracker from detection.

The biggest problem with trackers is how easy they are for stalkers to use. So when stalkers can use your own trackers, that’s a problem. And that appears to be what’s happening to Tile trackers right now. Yikes.

Tile trackers apparently have significant security and privacy flaws that could allow stalkers, and even the company itself, to track users’ locations, according to a new report from researchers at the Georgia Institute of Technology. The findings contradict claims made by Tile’s parent company, Life360, about the security of its network.

The research team, made up of Akshaya Kumar, Anna Raymaker, and Michael Specter, discovered that each Tile tag broadcasts an unencrypted, static MAC address along with a unique ID. This combination allows anyone with basic radio-frequency equipment to intercept the signal and track the physical movement of the tag, and by extension, its owner, over time. The unique ID rotates periodically, but because the MAC address remains constant, it serves as a permanent fingerprint for the device.

This vulnerability extends beyond localized tracking. The researchers found that when the location of a Tile tag is picked up by the broader network of users’ phones or Amazon Sidewalk devices, this data (including the tag’s location, MAC address, and unique ID) is sent unencrypted to Tile’s servers. The paper says that this information is likely stored in plaintext, giving Tile the ability to conduct “mass surveillance” on its user base. We’re not saying this is happening, we’re just saying there’s a non-zero chance it is.

The report also details pretty bad failures in Tile’s anti-stalking features. Tile’s “Scan and Secure” system, designed to detect unknown tags traveling with a user, is deeply flawed. Unlike systems from Apple or Samsung that run continuous, automatic background scans, Tile requires a user to manually initiate a 10-minute scan while moving. This makes detection sporadic and reliant on user diligence.

And perhaps more alarmingly, this already weak protection can be completely disabled by a stalker using Tile’s “Anti-Theft Mode.” When a tag owner enables this mode, their device becomes invisible to “Scan and Secure” searches. A stalker could simply activate this feature on a hidden tag, rendering their victim blind to the device tracking them. While Tile requires users to submit a government-issued ID to activate the mode and agree to a potential $1 million fine if convicted of stalking, the researchers note the feature creates a dangerous loophole that other manufacturers have deliberately avoided.
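To make the unknown-tag detection discussed above concrete, here is an added sketch (not code from the article, the Georgia Tech paper, or any vendor) of a background detector that flags a tag seen at several distinct places over time. It also shows why the rotating ID does not help when the MAC stays fixed: grouping by ID fragments the sightings, grouping by MAC links them. The field names, thresholds, and sample sightings are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Sighting:
    t: int        # seconds since the scanner started
    mac: str      # advertised MAC address (static, per the report)
    tag_id: str   # advertised unique ID (rotates periodically)
    place: str    # where the scanning phone was (hypothetical coarse label)

# Constructed sample data: tag ...:01 travels with the user and rotates its ID
# once; the other two tags are only ever seen in a single place.
SIGHTINGS = [
    Sighting(0,    "AA:BB:CC:00:00:01", "id-7f1a", "home"),
    Sighting(900,  "AA:BB:CC:00:00:01", "id-7f1a", "bus"),
    Sighting(1800, "AA:BB:CC:00:00:01", "id-c203", "office"),
    Sighting(2700, "AA:BB:CC:00:00:01", "id-c203", "cafe"),
    Sighting(60,   "AA:BB:CC:00:00:02", "id-11aa", "home"),
    Sighting(1000, "AA:BB:CC:00:00:03", "id-9e44", "bus"),
    Sighting(1030, "AA:BB:CC:00:00:03", "id-9e44", "bus"),
]

def followers(sightings, key, min_places=3, min_span=1800):
    """Return {identifier: sorted places} for identifiers seen in at least
    min_places distinct places across at least min_span seconds."""
    groups = defaultdict(list)
    for s in sightings:
        groups[key(s)].append(s)
    flagged = {}
    for ident, group in groups.items():
        places = {s.place for s in group}
        span = max(s.t for s in group) - min(s.t for s in group)
        if len(places) >= min_places and span >= min_span:
            flagged[ident] = sorted(places)
    return flagged

def by_mac(sightings):
    # The static MAC links every sighting of the same physical tag.
    return followers(sightings, key=lambda s: s.mac)

def by_id(sightings):
    # The rotating ID splits one tag into several short-lived identities.
    return followers(sightings, key=lambda s: s.tag_id)

if __name__ == "__main__":
    print("flagged by MAC:", by_mac(SIGHTINGS))
    print("flagged by ID: ", by_id(SIGHTINGS))
```
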

The Georgia Tech team disclosed their findings to Life360 in November of last year, but they report that the company ceased communication in February. We’re not sure if this will actually result in changes, but in the meantime, you might want to avoid Tile trackers now that all of this is public information.

Source: Wired via Engadget
