Concerns Emerge Over Privacy Risks Linked to Tile Trackers
Tile trackers, employed by over 88 million users globally to locate items such as keys and pets, are facing scrutiny following revelations by researchers from the Georgia Institute of Technology. According to a study, design vulnerabilities within Tile’s tracking technology may allow unauthorized tracking of users’ locations, raising serious security concerns that contradict claims made by its parent company, Life360.
The researchers—Akshaya Kumar, Anna Raymaker, and Michael Specter—discovered that each Tile tag transmits an unencrypted MAC address and unique identifier. These details can be intercepted by nearby Bluetooth devices or radio-frequency antennas, thus enabling tracking of the devices and their owners. Furthermore, this unencrypted information is sent to Tile’s servers, where it may be stored in clear text. This capability potentially grants Tile access to the location data of users, despite the company’s assurances to the contrary.
Such vulnerabilities could facilitate what the researchers describe as “mass surveillance” of Tile users. They raised concerns that the company could share this information with law enforcement and other agencies, thereby creating significant privacy threats. Additionally, Tile’s anti-stalking features may be easily circumvented if a perpetrator activates its anti-theft functionality, posing further risks to users’ safety.
In an alarming hypothetical scenario, a person could feasibly frame a Tile owner for stalking by capturing and replaying the unencrypted signals emitted by a Tile device near another user. This manipulation could mislead authorities and damage the unwitting Tile owner’s reputation.
The researchers reported their findings to Life360 in November, but subsequent communication ceased by February, diminishing hopes for rapid changes or clarifications. Although WIRED attempted to elicit a response from Life360 regarding the raised security concerns, the company’s reply failed to address them directly. Instead, the spokesperson only noted unspecified improvements made since the researchers’ report.
Tile devices are not limited to standalone tags but are also integrated into products from manufacturers such as Dell, Bose, and Fitbit. The research specifically focused on Tile’s protocol and the Android app associated with its most popular product, the Tile Mate. They noted that the vulnerabilities identified may not extend to other models or third-party technologies.
Tile trackers operate on a similar principle to competing products from tech giants like Apple and Samsung, utilizing battery-powered Bluetooth technology to communicate their location. Users can attach these tags to items like luggage or pets, enabling tracking via a linked mobile application. When a paired item is lost, users can prompt the tag to emit a sound, while the system can leverage a network of Tile users’ phones for broader tracking assistance. Since 2021, this network has been expanded through integration with Amazon’s Sidewalk, allowing devices such as Ring cameras and Echo speakers to assist in locating Tile tags.
In light of these findings, businesses utilizing Tile technology must reassess their data security strategies, especially regarding user privacy and potential vulnerabilities inherent in the use of tracking devices. As this situation unfolds, the implications for users’ data security remain a pertinent issue amidst evolving cybersecurity landscapes.
