Your Tracker Could Secretly Helping Strangers Follow You
Read in other languages:
Bluetooth trackers and smart tags have become indispensable for many. They are small, effective tools for keeping tabs on belongings, pets, and even vehicles. But their open nature and reliance on connected networks can also introduce serious vulnerabilities. A research has uncovered potential flaws in Tile smart tags that could be exploited by attackers to stalk or spy on individuals.
Tile is a popular alternative to Apple AirTags (review) and Samsung Galaxy SmartTag (review). These trackers come in various forms, work across most ecosystems, and are generally more affordable. However, their maker Life360 has faced criticism in the past for mishandling user privacy through its app. While some of these concerns have been addressed in recent years, it appears the company is not entirely in the clear.
Tile Devices Could Expose Your Location to Attackers
As reported by Wired, researchers from Georgia Institute of Technology have discovered serious privacy flaws in Life360’s Tile Bluetooth trackers. The most critical issue relates to how these devices handle data during crowd-sourced location tracking.
Accordingly, Tile tags broadcast an unencrypted ID and MAC address, which can be picked up by other Bluetooth devices and radio-frequency antennas nearby. This allows anyone with technical knowledge to intercept and analyze the data to track the tag and its owner.
While this may seem harmless to everyday users, bad actors could exploit the flaw to target individuals and monitor their movements without consent.
The researchers also uncovered a more troubling aspect of the vulnerability. According to their findings, an attacker only needs to record a single transmission from a Tile device. Even if the device stops broadcasting its ID and MAC address, it can still be tracked. This is because Tile’s rotating IDs are predictable, allowing future codes to be derived from past ones.
Another concern is that the IDs and MAC addresses sent to Tile’s servers are in readable format. This could allow the company or someone with internal access to forcibly track a tag and its owner. Worse, this access could be used to disable the unwanted tracking alert feature, which is designed to notify users when a tracker is traveling with them without their knowledge.
Has Tile Fixed the Security Flaws?
Life360 was reportedly made aware of these issues in November last year but stopped communicating with the research team by February. When Wired reached out to the company, a spokesperson said updates had been rolled out to address the vulnerabilities. However, it remains unclear whether all flaws have been fully resolved.
Do you own a Tile Bluetooth tracker or tag? What are your thoughts on this research and the privacy risks it reveals? Share your insights in the comments.
