Tile exploit could let stalkers follow you with your own tracker
Bluetooth broadcasting flaw is relatively simple to exploit, researchers discover
Researchers at the Georgia Institute of Technology have identified several design flaws in Tile's location trackers that could be exploited to stalk the device's owner.
Wired reported that Georgia Tech's Akshaya Kumar, Anna Raymaker, and Michael Specter discovered problems affecting both individual Tile devices and the methods those devices use to communicate with infrastructure managed by Tile owner Life360.
The trio "found that each tag broadcasts an unencrypted MAC address and unique ID that can be picked up by other Bluetooth devices or radio-frequency antennas in a tag's vicinity to track the movements of the tag and its owner," Wired reported.
Gathering that information is trivial and common. The New York Times reported in 2019 that retailers were using Bluetooth beacons to track people's movement through their stores, for example, and so-called "sniffers" are readily available to individuals. Such devices are even somewhat common in smart-home setups.
Those methods of collecting data about location trackers would also circumvent the safeguards Tile added to its devices in 2023. Those protections, which the company introduced after several high-profile incidents of location trackers being used by thieves, stalkers, and other criminals, apply only to the misuse of its products.
But that isn't what's happening here. Those safeguards are supposed to make it more difficult for a Tile owner to stalk someone by slipping a tracker into their bag, for example. However, those same safeguards cannot determine if the Tile is communicating with a seemingly innocuous Bluetooth device while it's still in the owner's possession.
That wasn't the only issue. Wired reported "the location of a tag, its MAC address, and unique ID also get sent unencrypted to Tile's servers, where the researchers believe this information is stored in cleartext, giving Tile the ability to track the location of tags and their owners, even though the company claims it does not have this capability."
The problem, of course, is the difference between claiming not to currently have this capability and ensuring that this capability won't be developed later. Encrypting this data wouldn't just protect it now; it would also ensure that historical data can't be misused by Life360, cybercriminals, or even government agencies in the future.

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
nylar357
Here are just a few of my tools that can easily be adapted to sniff, track, and hack Bluetooth. All available on Amazon for less than $40.
It's much easier than most people imagine. Ovens, fridges, toothbrushes, and other IoT devices with Bluetooth are particularly vulnerable in a lot of cases. The only brand I've "audited" and found to be reliably secure is the Philips family of LED bulbs and mood lighting. They're pricey, but that's because they're reliable tech, and very, very well made, both hardware- and software-wise.
Bluefruit NRF52 Microcontroller
Nordic NRF528 Dongle
M5StickC+2 w/ NRF24 & CC1101 radio modules and specialty firmware