Unsecured Vulnerability in Tile Devices Might Permit Unapproved Location Monitoring


A major security vulnerability has been uncovered in Tile trackers, prompting worries about possible stalking dangers for users. Experts at Georgia Tech have revealed that Tile trackers transmit unencrypted IDs along with a static Bluetooth MAC address, rendering them easily identifiable and traceable. In contrast to rivals like Apple’s AirTag and Samsung’s SmartTag, which utilize rotating identifiers and encrypted communications, Tile’s security measures are inconsistent and incomplete. Tile’s Anti-Theft Mode, intended to conceal trackers from scans, unintentionally eliminates safety precautions, enabling abusers to plant devices without detection.

The primary concern is that Tile tags transmit a unique ID and a static Bluetooth MAC address without encryption. While Apple and Samsung employ rotating identifiers and enhanced privacy measures, Tile only partially rotates identifiers in specific circumstances. The static MAC address serves as a beacon, easily detectable with basic scanning equipment. This absence of encryption means that individuals with only basic technical knowledge could utilize readily available antennas or Bluetooth sniffers to track someone’s movements in real time. Researchers have also cautioned that Tile’s framework could potentially be exploited to create long-term profiles of user behavior, raising alarms about the company’s oversight of location information.
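To see the difference between a static and a rotating address from the defender's side, the following added example (not from the researchers or from Tile) checks a Bluetooth scan log for an unknown advertiser address that stays unchanged while it travels with the user. The log entries, addresses, thresholds and the function name are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed scan log (not real captures): (ISO timestamp, place label, advertiser address).
SCAN_LOG = [
    ("2024-05-01T08:00", "home",   "C4:00:00:00:00:01"),  # static address, travels with the user
    ("2024-05-01T08:00", "home",   "7A:10:00:00:00:0A"),  # rotating device, address 1
    ("2024-05-01T08:00", "home",   "D0:00:00:00:00:77"),  # neighbour's speaker, never moves
    ("2024-05-01T08:00", "home",   "E8:00:00:00:00:42"),  # user's own headphones
    ("2024-05-01T09:30", "cafe",   "C4:00:00:00:00:01"),
    ("2024-05-01T09:30", "cafe",   "5B:22:00:00:00:0B"),  # rotating device, address 2
    ("2024-05-01T09:30", "cafe",   "E8:00:00:00:00:42"),
    ("2024-05-01T11:15", "office", "C4:00:00:00:00:01"),
    ("2024-05-01T11:15", "office", "63:9F:00:00:00:0C"),  # rotating device, address 3
    ("2024-05-01T11:15", "office", "E8:00:00:00:00:42"),
    ("2024-05-01T20:00", "home",   "D0:00:00:00:00:77"),
]
OWN_DEVICES = {"E8:00:00:00:00:42"}  # assumption: addresses the user recognises as theirs


def persistent_addresses(log, own=frozenset(), min_span=timedelta(hours=1), min_places=2):
    """Return {address: (span, places)} for unknown addresses that stay unchanged
    for at least min_span and show up in at least min_places distinct places."""
    seen = defaultdict(lambda: {"times": [], "places": set()})
    for ts, place, addr in log:
        rec = seen[addr.upper()]
        rec["times"].append(datetime.fromisoformat(ts))
        rec["places"].add(place)
    flagged = {}
    for addr, rec in seen.items():
        if addr in own:
            continue  # the user's own devices legitimately follow them around
        span = max(rec["times"]) - min(rec["times"])
        if span >= min_span and len(rec["places"]) >= min_places:
            flagged[addr] = (span, sorted(rec["places"]))
    return flagged


if __name__ == "__main__":
    for addr, (span, places) in persistent_addresses(SCAN_LOG, OWN_DEVICES).items():
        print(f"{addr} unchanged for {span} across {', '.join(places)}")
```

The device that changes its address between sightings never accumulates a history under one address, which is the privacy property a static MAC address gives up.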

Tile’s Anti-Theft Mode further complicates the situation. It requires users to submit government ID and selfies, and to agree to a clause permitting Tile to disclose information to law enforcement without a subpoena if misuse is suspected. Although the company has linked a $1 million penalty to confirmed instances of abuse, critics claim that the feature undermines essential protections. When Anti-Theft Mode is activated, Tile tags become invisible in the Scan & Secure feature, making it easier for malicious actors to plant trackers undetected. Researchers have shown that attackers could capture a Tile signal and replay it elsewhere, potentially implicating individuals by faking their location.

Tile asserts that it prioritizes security, citing ongoing bug bounty programs and partnerships with ethical hackers. However, until substantial improvements are made, the onus is on users. Experts advise keeping firmware and app versions updated, avoiding Anti-Theft Mode unless absolutely necessary, and exploring alternatives like Apple’s or Google’s trackers, which provide superior privacy safeguards.