Rita El Khoury / Android Authority
TL;DR
- Significant security flaws have been discovered in Tile’s trackers.
- Researchers found that the tags broadcast an unencrypted MAC address and unique ID that other Bluetooth devices and antennas can pick up and track.
- The trackers also send unencrypted data to Tile’s servers, which the company could use to track the tags of owners.
When you use a Bluetooth tracker, like Tile, you’re typically concerned about locating misplaced items. But maybe you should be more concerned about strangers tracking you. Researchers at the Georgia Institute of Technology have identified a few major security flaws in Tile trackers that stalkers could exploit to track your whereabouts.
Don’t want to miss the best from Android Authority?
According to a report from Wired, Akshaya Kumar, Anna Raymaker, and Michael Specter of Georgia Tech discovered security flaws affecting individual Tile trackers. The issue in question relates to how the trackers relay data during use. These researchers “found that each tag broadcasts an unencrypted MAC address and unique ID that can be picked up by other Bluetooth devices or radio-frequency antennas in a tag’s vicinity to track the movements of the tag and its owner.”
With the right know-how, a tech-savvy stalker could use the exploit to track a user’s location. What’s more troubling is that even if Tile were to stop transmitting the MAC address, it may be too late. The way the company generates its rotating ID makes it possible to predict future codes from past ones.
“An attacker only needs to record one message from the device,” one of the researchers said. Adding that if the attacker is able to record even a single message from the device, it will “fingerprint it for the rest of its lifetime.”
In addition to this issue, the researchers spotted a second issue. According to the report, the unencrypted MAC address and unique ID are sent to Tile’s servers. The researchers believe that this data is stored in cleartext, which would give “Tile the ability to track the location of tags and their owners, even though the company claims it does not have this capability.”
Location tracking companies have implemented solutions to alert users when a tracking device they don’t own is moving with them. However, this exploit could be used to circumvent those safeguards.
The researchers claim that they reached out to Tile’s parent company, Life360, last November to warn them about the issue. However, it appears that the company ceased communications in February. In an email sent to Wired, Life360 claims that it has “made a number of improvements” since receiving the researcher’s report.
Thank you for being part of our community. Read our Comment Policy before posting.
