Tile Tracking Tags Can Be Exploited by Tech-Savvy Stalkers, Researchers Say

Tile trackers, used to find everything from mislaid keys to stolen pets, are utilized by more than 88 cardinal group worldwide, according to Tile’s genitor company, Life360. But researchers who examined nan search exertion person recovered creation flaws that would fto stalkers—or perchance nan shaper itself—track nan location of Tile users and their devices, contrary to claims nan institution has made astir nan information and privateness of its devices.

The researchers—Akshaya Kumar, Anna Raymaker, and Michael Specter of Georgia Institute of Technology—found that each tag broadcasts an unencrypted MAC reside and unsocial ID that tin beryllium picked up by different Bluetooth devices aliases radio-frequency antennas successful a tag’s vicinity to way nan movements of nan tag and its owner. The location of a tag, its MAC address, and unsocial ID besides get sent unencrypted to Tile’s servers, wherever nan researchers judge this accusation is stored successful cleartext, giving Tile nan expertise to way nan location of tags and their owners, moreover though nan institution claims it does not person this capability.

The researchers opportunity this would springiness Tile nan expertise to behaviour “mass surveillance” connected its users and perchance supply that accusation to rule enforcement and others.

The researchers besides recovered that Tile’s anti-stalking protection tin beryllium easy undermined if a stalker enables an anti-theft characteristic that Tile offers pinch its tags. Additionally, personification could falsely framework a Tile proprietor for stalking by signaling nan unencrypted broadcasts their Tile instrumentality makes and replaying these broadcasts successful nan vicinity of different Tile user, making it look for illustration nan erstwhile is stalking nan latter.

The researchers reported their findings to Tile’s genitor company, Life360, past November, but they opportunity nan institution stopped communicating pinch them successful February. WIRED sent Life360 an email asking for a consequence to nan issues raised by nan researchers, but a spokesperson sent a reply that did not explicitly reside nan problems. The email said only that nan institution had “made a number of improvements” since receiving nan researchers’ report, without specifying what those were.

Tile sells stand-alone tags, but its search exertion is besides embedded successful laptops, headphones, smartwatches, and different products made by companies for illustration Dell, Bose, and Fitbit. The researchers reverse engineered Tile’s protocol and Android mobile app utilized pinch nan Tile Mate, nan company’s astir celebrated locator tag. They opportunity their findings whitethorn not use to different models of Tile tags aliases nan Tile exertion utilized successful products made by 3rd parties.

How Tile Tags Work

Tile trackers run likewise to search tags made by Apple, Google, and Samsung. But Tile’s strategy differs successful important ways. Like nan others, Tile tags are battery-powered and usage Bluetooth to broadcast their location to a user’s phone. Users tin gaffe a tag into a briefcase, luggage, aliases vehicle, aliases connect it to keys, a phone, laptop, aliases moreover a pet collar to way nan location of these items.

Each Tile tag broadcasts nan tag’s MAC reside and a unsocial ID, which changes periodically. If an point paired pinch nan tag goes missing nan owner, utilizing their Tile app, tin instruct nan tag to emit a sound to find it. For items farther away, nan strategy relies connected nan web of phones belonging to different Tile users. These besides prime up nan broadcast of immoderate Tile instrumentality adjacent them. And since 2021, Ring cameras, Echo devices, and Tile tags person been integrated into Amazon’s Sidewalk network, meaning Ring and Echo devices tin prime up nan location of Tile tags arsenic well.