Background
Bluetooth‑enabled tracking tags such as Tile are marketed as convenient tools for locating misplaced items like keys, wallets and bags. The devices transmit a unique identifier, a MAC address and location data to a network of nearby phones, which then relay the information to the company’s servers. Users can view the tag’s location via a mobile app. Similar systems are used by Apple’s AirTags, Samsung’s SmartTags and Google’s Find My Device network.
Research Findings
Researchers from the Georgia Institute of Technology reverse‑engineered the Tile app and discovered that Tile does not encrypt the data it sends. While many competitors rotate both the unique ID and MAC address to make tracking more difficult, Tile rotates only the unique ID and leaves the MAC address constant. This allows an attacker to capture a single broadcast and then associate that MAC address with a specific tag for its entire lifespan.
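The rotation gap described above can be checked on a tester's own capture of a tag's advertisements. The following Python check is an added example, not code from the researchers or from Tile; the observation tuples, the 900-second maximum address age and the function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Top two bits of a random BLE address select its sub-type (Bluetooth Core Spec).
RANDOM_KINDS = {0b11: "random-static", 0b01: "resolvable-private",
                0b00: "non-resolvable-private", 0b10: "reserved"}

# Constructed sample, not a real capture:
# (seconds since start, advertiser address, TxAdd "random" flag, payload ID).
OBSERVATIONS = [
    (0,    "C4:11:22:33:44:55", True, "id-a1"),   # same address, ID rotates
    (900,  "C4:11:22:33:44:55", True, "id-b2"),
    (1800, "C4:11:22:33:44:55", True, "id-c3"),
    (0,    "5A:10:00:00:00:01", True, "id-x1"),   # address and ID both rotate
    (900,  "6B:20:00:00:00:02", True, "id-x2"),
    (1800, "4C:30:00:00:00:03", True, "id-x3"),
]

def classify_address(addr, is_random):
    """Return the address kind; is_random mirrors the TxAdd bit of the PDU header."""
    if not is_random:
        return "public"
    return RANDOM_KINDS[int(addr.split(":")[0], 16) >> 6]

def audit_rotation(observations, max_age_s=900):
    """Flag addresses that never rotate by design or that outlive max_age_s (assumed policy)."""
    seen = defaultdict(lambda: {"first": None, "last": None, "ids": set(), "kind": None})
    for ts, addr, is_random, payload_id in observations:
        rec = seen[addr]
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["ids"].add(payload_id)
        rec["kind"] = classify_address(addr, is_random)
    findings = []
    for addr, rec in sorted(seen.items()):
        age = rec["last"] - rec["first"]
        if rec["kind"] in ("public", "random-static") or age > max_age_s:
            # ids_linked counts the rotating IDs that the fixed address ties together.
            findings.append({"address": addr, "kind": rec["kind"], "age_s": age,
                             "ids_linked": len(rec["ids"])})
    return findings

if __name__ == "__main__":
    for finding in audit_rotation(OBSERVATIONS):
        print(finding)
```

A finding with `ids_linked` greater than one means the payload identifier rotated while the address did not, so the rotation provides no unlinkability.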
The study also points out that Tile’s “anti‑theft” or “Scan and Secure” feature, which hides a tag from the Tile network, can be subverted. The feature requires a user to provide photo identification and agree to a $1 million fine if misused, but the underlying lack of encryption means a determined stalker could still monitor the tag’s signals.
Company Response
Life360, the parent company of Tile, responded by stating it had made a number of improvements since the researchers disclosed the issue. A spokesperson emphasized the company’s participation in the HackerOne bug‑bounty program and its commitment to collaborating with law enforcement when misuse is alleged. The statement reaffirmed that using a Tile to track someone without their knowledge violates the company’s terms of service.
Implications and Expert Commentary
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, has long warned about the privacy risks of Bluetooth trackers. She noted that Tile’s design choices make it a “bad actor” in this space, highlighting the need for standards such as rotating MAC addresses and encrypting transmissions.
The vulnerability underscores broader concerns about the ease with which malicious actors can exploit consumer‑grade location‑tracking devices. Without robust encryption and identifier rotation, these products can be repurposed for unwanted surveillance, potentially endangering vulnerable individuals.
Looking Ahead
The findings call for industry‑wide adoption of stronger security practices, including frequent rotation of both identifiers (the unique ID and the MAC address) and end‑to‑end encryption of all data. As Bluetooth trackers become more ubiquitous, regulators, manufacturers and security researchers will need to collaborate to protect user privacy and prevent abuse.
This article was written with the assistance of AI.