According to a new report from Wired, the popular Bluetooth trackers from Tile have a massive security flaw — one that could let bad actors and stalkers stealthily track unsuspecting users. The issue, according to a team of researchers, relates to the way that the Tile tag broadcasts its MAC address and the unique ID that it uses to register it to the network.
Unlike other companies, which replace the MAC address with a rotating ID, Tile openly broadcasts the MAC address of the device, making it much easier to track. The unique ID of every Tile tag changes every 15 minutes, too, but with the MAC address publicly viewable, it’s easy to transmit the data needed to successfully track the device ever after the ID changes. Further, the researchers behind the discovery say they presented their evidence to Life360 — which purchased Tile back in 2021 – in November 2024. However, in February of this year, the company reportedly ceased communication with the researchers.
This is troubling, of course, as the issue might have continued to compound, exposing users to a security flaw without them even knowing it existed. Considering the stance that companies like Apple have taken to stop their Bluetooth trackers being used for malicious purposes, it’s a bit concerning to see Life360 cutting off communication with the researchers who discovered such a massive flaw without providing any kind of closure about whether the issue was fixed.
Bogged down by features
The researchers further highlight their concerns, noting that Tile’s privacy policy states: “You are the only one with the ability to see your Tile location and your device location.” However, the security flaw in question seems to suggest that is not the case, as the MAC address is publicly broadcasted, allowing any would-be stalkers to track it for the lifetime of the tracker. And while it is technically against the company’s terms of service, fine print don’t often stop bad actors.
Then you look at features like Tile’s anti-theft mode, which makes Tile tags invisible to scans from the Tile mobile app. While the feature is meant to make it harder for thieves to detect trackers, it also makes it impossible for anyone to detect rogue Tile trackers, as the data about the trackers is sent to Tile, but not to the victim, potentially making the feature a handy way for stalkers to hide rogue trackers.
Even this is easy to abuse, though, as the researchers told Wired that someone with the proper technical knowledge could use a modified Tile app to circumvent the anti-theft restrictions and display all MAC addresses and unique IDs recorded when they scan for trackers.
Tile’s issue might have an easy fix
For now, anyone using Tile should be aware of this particular security flaw. The issue should, technically, be easy to fix, the researchers told Wired. All Life360 needs to do is introduce a system that encrypts the data transmissions including the MAC address for its tracking devices. It would also, likely, be worth revisiting the anti-theft mode, as there is a reason other companies have avoided implementing a feature like this: It’s just too easy to exploit.
What makes this situation worse, though, is that Tile is more than just standalone Bluetooth trackers. It’s also found in many other devices as the built-in tracking hardware, including laptops from HP and more. So, you may be carrying around a device susceptible to stalking without even considering the possibility.
While Life360 claims it has made adjustments and changes to address the issues in somewhat vague statements to outlets like Wired and The Verge, the researchers aren’t convinced that enough has been done. Perhaps the company will change its tune down the line.
