Researchers have uncovered serious vulnerabilities in Tile tracking devices that could allow both the company itself and malicious stalkers to monitor user locations. The findings reveal fundamental flaws in how Tile manages security compared to Apple’s AirTags, raising significant privacy concerns for millions of users worldwide.
Like AirTags, Tile tags use Bluetooth to broadcast identity codes to nearby smartphones. These codes rotate every 15 minutes to prevent permanent tracking. However, researchers at the Georgia Institute of Technology discovered that Tile tags not only transmit the rotating ID but also their static MAC address, and crucially, neither of these identifiers are encrypted. This creates an opportunity for persistent and unauthorised surveillance.
Unlike AirTags, which broadcast only encrypted rotating codes, Tile’s approach means that anyone with a basic radio frequency scanner could intercept unencrypted transmissions. The data can include the MAC address and unique ID, allowing a stalker to build a long-term profile of a tag’s movements. The researchers further revealed that Tile’s servers receive this information in unencrypted form, meaning the company itself has the ability to track tags despite claiming otherwise.
The security flaws go even deeper. The rotating IDs used by Tile are generated in a way that makes them predictable. With as little as one captured ID, attackers can reliably forecast future codes for the lifetime of the tag. This enables systemic surveillance with minimal effort. Researcher Akshaya Kumar explained that recording a single message from a device is enough to fingerprint it indefinitely, significantly increasing the risks of privacy abuse.
The vulnerabilities also create loopholes in Tile’s anti-stalking features. While Tile provides a system for users to detect whether an unknown tag is following them, this protection fails if a tag owner activates anti-theft mode. In this mode, the tag becomes invisible to scanning, meaning a stalker could hide their tag within someone’s belongings or vehicle without fear of detection.
Even more disturbingly, attackers could frame innocent Tile owners as stalkers. By collecting unencrypted broadcasts from a legitimate Tile and replaying them in a different location, a malicious actor can make it appear as if the victim’s tag is present. The Tile system has no way to distinguish between legitimate broadcasts and replayed data, creating a situation where innocent users could be wrongly implicated in stalking incidents.
The researchers disclosed their findings to Tile’s parent company, Life360, in November last year, but communication ended abruptly in February. While the company has since stated that it has made improvements to its security systems, it has not clarified whether the flaws identified by the researchers have been fully addressed. For now, users of Tile devices face ongoing risks that remain unresolved.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
