Researchers at the Georgia Institute of Technology have identified several design flaws in Tile's location trackers that could be exploited to stalk the device's owner.
Wired reported that Georgia Tech's Akshaya Kumar, Anna Raymaker, and Michael Specter discovered problems affecting both individual Tile devices and the methods those devices use to communicate with infrastructure managed by Tile owner Life360.
The trio "found that each tag broadcasts an unencrypted MAC address and unique ID that can be picked up by other Bluetooth devices or radio-frequency antennas in a tag's vicinity to track the movements of the tag and its owner," Wired reported.
Gathering that information is trivial and common. The New York Times reported in 2019 that retailers were using Bluetooth beacons to track people's movement through their stores, for example, and so-called "sniffers" are readily available to individuals. Such devices are even somewhat common in smart-home setups.
Those methods of collecting data about location trackers would also circumvent the safeguards Tile added to its devices in 2023. Those protections, which the company introduced after several high-profile incidents of location trackers being used by thieves, stalkers, and other criminals, apply only to the misuse of its products.
But that isn't what's happening here. Those safeguards are supposed to make it more difficult for a Tile owner to stalk someone by slipping a tracker into their bag, for example. However, those same safeguards cannot determine if the Tile is communicating with a seemingly innocuous Bluetooth device while it's still in the owner's possession.
That wasn't the only issue. Wired reported "the location of a tag, its MAC address, and unique ID also get sent unencrypted to Tile's servers, where the researchers believe this information is stored in cleartext, giving Tile the ability to track the location of tags and their owners, even though the company claims it does not have this capability."
The problem, of course, is the difference between claiming not to currently have this capability and ensuring that this capability won't be developed later. Encrypting this data wouldn't just protect it now; it would also ensure that historical data can't be misused by Life360, cybercriminals, or even government agencies in the future.
