Security Flaws in Tile Trackers Allow Potential Mass Surveillance and Stalking, Researchers Warn
In a recent study conducted by researchers from Georgia Institute of Technology, it has been revealed that popular tracking devices, such as Tile trackers used for locating lost items like keys or pets, are susceptible to design flaws that could potentially enable stalking or surveillance.
The research team, comprising Akshaya Kumar, Anna Raymaker, and Michael Specter, discovered that each Tile tag emits an unencrypted MAC address and unique ID, which can be intercepted by other Bluetooth devices or radio-frequency antennas within its proximity to trace the movements of both the tag and its owner.
Moreover, the location data, MAC addresses, and unique IDs of these tags are also transmitted in an unencrypted format to Tile’s servers, which the researchers believe could be stored in plain text. This would grant Tile the capability to track not only the locations of their tags but also their owners, contrary to the company’s claims regarding the security and privacy of its devices.
The researchers warn that this vulnerability could lead to “mass surveillance” on users, potentially providing such information to law enforcement agencies or other parties. Furthermore, the study revealed that Tile’s anti-stalking protection can be circumvented if a stalker enables an anti-theft feature offered with Tile tags.
Additionally, someone could falsely implicate a Tile user for stalking by recording and replaying the unencrypted broadcasts made by their device near another Tile user, creating the illusion that the former is following the latter.
The researchers initially reported their findings to Life360, Tile’s parent company, in November 2021. However, communication ceased between the parties in February this year. When WIRED reached out to Life360 seeking a response to the issues raised by the researchers, the company only acknowledged that improvements have been made since receiving their report without specifying the nature of these enhancements.
Tile offers standalone tags and its tracking technology is also integrated into various products such as laptops, headphones, smartwatches, and other devices from companies like Dell, Bose, and Fitbit. The researchers focused on reverse engineering Tile’s protocol and Android mobile app associated with the Tile Mate, the company’s most popular tracker tag. It should be noted that these findings may not apply to all models of Tile tags or the Tile technology used in products manufactured by third parties.
Tile trackers operate similarly to tracking devices produced by tech giants like Apple, Google, and Samsung. Each Tile tag broadcasts its MAC address and a unique ID, which changes periodically. Users can attach these tags to various items such as keys, phones, laptops, or even pet collars for location tracking.
When an item linked with the tag goes missing, the owner, using their Tile app, can direct the tag to emit a sound to locate it. For items that are far away, the system relies on the network of phones belonging to other Tile users. These devices also pick up the broadcasts from any nearby Tile devices. Since 2021, Ring cameras, Echo devices, and Tile tags have been integrated into Amazon’s Sidewalk network, enabling Ring and Echo devices to track the locations of Tile tags as well.
