If you carry a Tile on your keys or slip a sticker into a backpack, you’re trusting a tiny radio with a surprisingly big job: quietly whispering your location to nearby phones so you can find the thing you lost. But a new round of security research suggests those whispers aren’t as private or as anonymous as most people assume — and in the wrong hands, they could be used to follow someone, not just find a lost wallet.
How these trackers are supposed to work — and where things go wrong
Bluetooth item trackers like Tile, Apple’s AirTag, and Samsung’s SmartTag solve the same problem: small, cheap radios don’t have long-range internet connections, so they rely on a crowd-sourced network of phones. A tag broadcasts an identifier; a nearby phone hears it and anonymously tells the company’s servers, “I heard this tag at this place and time,” which then lets the owner see the tag’s last-known location.
To stop abuse, vendors have layered in protections: rotate identifiers and MAC addresses so a tracker can’t be passively fingerprinted forever; encrypt or otherwise hide identifying details so random listeners can’t reconstruct location histories; and build detection tools so someone can scan for unknown trackers nearby. But according to Georgia Tech researchers, Tile’s implementation doesn’t do all that — and that gap is the weak link.
The technical hole
Researchers who reverse-engineered the Tile software say Tile rotates the tag’s public ID but does not rotate the device’s Bluetooth MAC address, and the tags broadcast certain information unencrypted. That means an attacker who records a single broadcast from a Tile can match the MAC address to that tag going forward and follow it — either by placing cheap Bluetooth sniffers or even by using another phone or an antenna to listen for that unchanging MAC. In short, one captured message is often enough to “fingerprint” a tracker for its lifetime.
That’s not academic hair-splitting. Changing the MAC address regularly is a straightforward mitigation many companies use specifically to prevent this kind of passive tracking; leaving it static makes the tag — and thus the person carrying whatever it’s attached to — much easier to stalk.
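The fix researchers ask for can be checked in a lab: capture one tag's broadcasts in isolation and confirm that its Bluetooth address changes whenever its public ID does. The sketch below is an added example, not code from the researchers or from Tile; the capture records, the ID strings and the 900-second lifetime threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed lab captures of ONE tag under test, recorded in isolation:
# (seconds since start, advertising MAC, advertised public ID). All values are made up.
STATIC_MAC_CAPTURE = [
    (0,    "C4:11:22:33:44:55", "id-a1"),
    (600,  "C4:11:22:33:44:55", "id-a1"),
    (900,  "C4:11:22:33:44:55", "id-b2"),
    (1800, "C4:11:22:33:44:55", "id-c3"),
    (2700, "C4:11:22:33:44:55", "id-d4"),
]
ROTATING_MAC_CAPTURE = [
    (0,    "5A:01:02:03:04:05", "id-a1"),
    (600,  "5A:01:02:03:04:05", "id-a1"),
    (900,  "6B:0A:0B:0C:0D:0E", "id-b2"),
    (1800, "7C:10:20:30:40:50", "id-c3"),
    (2700, "4D:AA:BB:CC:DD:EE", "id-d4"),
]

def audit_rotation(capture, max_mac_lifetime_s=900):
    """Report whether the advertising address rotates along with the public ID.

    max_mac_lifetime_s is an assumed test threshold, not a vendor figure.
    """
    ids_per_mac = defaultdict(set)
    first_seen, last_seen = {}, {}
    for ts, mac, pub_id in sorted(capture):
        mac = mac.upper()
        ids_per_mac[mac].add(pub_id)
        first_seen.setdefault(mac, ts)
        last_seen[mac] = ts
    longest = max((last_seen[m] - first_seen[m] for m in ids_per_mac), default=0)
    # An address seen with more than one ID ties those IDs to the same device,
    # which cancels the privacy benefit of rotating the ID.
    linking = sorted(m for m, ids in ids_per_mac.items() if len(ids) > 1)
    return {
        "distinct_macs": len(ids_per_mac),
        "distinct_ids": len({i for ids in ids_per_mac.values() for i in ids}),
        "longest_mac_lifetime_s": longest,
        "macs_linking_ids": linking,
        "passes": not linking and longest <= max_mac_lifetime_s,
    }

if __name__ == "__main__":
    for name, cap in (("static", STATIC_MAC_CAPTURE), ("rotating", ROTATING_MAC_CAPTURE)):
        print(name, audit_rotation(cap))
```

A capture that fails this check shows the pattern the researchers describe: the ID changes, but the address it is sent from does not.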
Anti-theft mode that helps thieves (and stalkers)
Tile also offers an “anti-theft” mode that hides a tag from Tile network scans so thieves can’t quickly check whether an item is protected. Sounds sensible — except that this exact feature can be abused by people trying to avoid being found by the very scan tools meant to detect unwanted trackers. In anti-theft mode, a tag won’t show up in a Scan and Secure search even while it continues to broadcast the same unencrypted identifiers that let passive listeners track it. In practical terms, a malicious tracker can be made invisible to the person being stalked while still leaking identifying info to someone who’s listening.
Tile does gate anti-theft mode behind identity checks (photo ID, selfie) and even a fine policy — but critics point out that those procedural steps only matter if the stalker is ever caught. As EFF’s Eva Galperin told reporters, concerns about these design choices are longstanding; she and others argue that technical protections (rotate the MAC, encrypt broadcasts) are the real fix, because policies and punishments don’t stop an attacker from slipping a tracker into a bag today.
Tile’s response — “we made improvements”
Tile’s parent company, Life360, told reporters it’s “made a number of improvements” since the researchers flagged the issue and stressed that using a Tile to track someone without consent violates its terms of service. The company also pointed to its HackerOne program as a place for researchers to responsibly disclose issues. But the public statements so far are light on technical detail — researchers and privacy advocates say they want clearer, verifiable fixes (for example: confirmation that MAC randomization and broadcast encryption were implemented and independently tested).
Why this matters beyond Tile
This isn’t only a Tile problem — it’s a reminder that convenience often outpaces security in consumer devices. The Electronic Frontier Foundation helped push Apple and Google to adopt a shared Detecting Unwanted Location Trackers standard to make it easier for phones to find unknown tags, and the EFF continues to advocate for best practices like MAC rotation and encrypted payloads. Those standards reduce the attack surface for stalkers and help users detect when a device that shouldn’t be near them is, in fact, following them. But companies still need to build those protections into product firmware and servers — and to be transparent when they do.
What researchers recommend — and what you can do today
Researchers and advocates have fairly simple technical asks: rotate MAC addresses frequently, encrypt identifying data sent over the air, and design anti-theft or privacy features so they can’t be trivially abused to hide malicious tracking.
For people who own trackers right now:
- Turn on the phone-based “scan for nearby unknown trackers” features on your device — both Android and iOS have tools (though coverage and ease of use vary).
- Check your items periodically; if something unfamiliar is found near you, follow vendor guidance to report it to law enforcement.
- Consider whether you really need a persistent tracker on items you carry all the time (purse, keys). If someone wanted to follow you, those are the very things they’d put a tag into.
- Keep device firmware and apps updated — if Tile (or others) push real fixes, updates are how you get them.
None of these are perfect; the core fixes require changes to how trackers are built. But being aware and using the tools you do have reduces short-term risk.
The bigger picture: product design, regulation, and trust
The Tile episode is illustrative of a pattern we see across many connected devices: privacy and safety are often afterthoughts. Users buy convenience and assume reasonable protections are in place; sometimes they are, sometimes they aren’t — and sometimes a feature meant to help (anti-theft) becomes a vector for abuse.
That gap is why advocacy groups, academics, and — increasingly — regulators are pushing for baseline security and privacy requirements for physical trackers and other IoT gadgets. The work between Apple and Google on tracker detection is a step in the right direction, but standards without audited implementation are still only half a solution.
Final word
A little tracking tag stuck to a wallet is an easy thing to underestimate. It’s small, inexpensive, and seems harmless. But as this research makes clear, design choices at the chip-and-protocol level can have outsized effects on real-world safety. If you own a Tile or any similar device, treat it like any other piece of tech that handles sensitive location data: check your settings, keep software current, and push companies for transparency about the concrete steps they’ve taken to stop unwanted tracking. Until manufacturers bake in hard protections — rotating MACs, encrypting broadcasts, and making detection reliable — those tiny radios will remain, in some circumstances, useful tools for people who mean to do harm.
