**Tile Security Vulnerabilities: An In-Depth Review of Weaknesses**
Recent research has revealed major security weaknesses in Tile tracking devices that could allow both the company and malicious third parties to track users' locations. The weaknesses stem from fundamental differences between Tile's security protocols and those of Apple's AirTags.
**How the Tracking Devices Work**
Both Tile and AirTags use Bluetooth to broadcast their identity to nearby smartphones, rotating their ID codes every 15 minutes so that a tag cannot be permanently linked to a single identifier. However, the security protocols differ significantly between the two.
AirTags broadcast only an encrypted rotating ID, so nearby devices see nothing but the changing identifier. Tile tags, by contrast, transmit both the rotating ID and their static MAC address, which is not encrypted. The unencrypted, unchanging MAC address is a considerable security risk, because it links every rotating ID back to the same tag.
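As an added illustration (not code from the researchers, Wired, or Tile), the following privacy audit check takes advertisement records captured from a tracker under test and flags any broadcast address that persists while the ID rotates. The record layout `(time, address, rotating_id)` and all sample values are constructed assumptions; only the 15-minute rotation interval comes from the article.

```python
from collections import defaultdict

ROTATION_SECONDS = 15 * 60  # ID rotation interval stated in the article

# Constructed sample records: (unix_seconds, advertiser_address, rotating_id).
# The record layout, addresses and IDs are made up for illustration.
SAMPLE = [
    (0,    "AA:AA:AA:00:00:01", "id-a1"),   # device A: address never changes
    (900,  "AA:AA:AA:00:00:01", "id-a2"),
    (1800, "AA:AA:AA:00:00:01", "id-a3"),
    (0,    "4C:10:00:00:00:10", "id-b1"),   # device B: address rotates with the ID
    (900,  "5D:22:00:00:00:11", "id-b2"),
    (1800, "6E:37:00:00:00:12", "id-b3"),
]


def linkability_report(observations, rotation_seconds=ROTATION_SECONDS):
    """Per address: how many rotating IDs it carried and for how long it was seen."""
    by_addr = defaultdict(list)
    for ts, addr, rotating_id in observations:
        by_addr[addr].append((ts, rotating_id))

    report = {}
    for addr, seen in by_addr.items():
        times = [ts for ts, _ in seen]
        ids = {rid for _, rid in seen}
        span = max(times) - min(times)
        report[addr] = {
            "distinct_ids": len(ids),
            "span_seconds": span,
            # An address that outlives a rotation, or carries several IDs,
            # ties those IDs together and cancels the benefit of rotating them.
            "linkable": len(ids) > 1 or span >= rotation_seconds,
        }
    return report


def linkable_addresses(observations, rotation_seconds=ROTATION_SECONDS):
    """Addresses that fail the audit, sorted for stable output."""
    report = linkability_report(observations, rotation_seconds)
    return sorted(addr for addr, r in report.items() if r["linkable"])


if __name__ == "__main__":
    for addr, result in sorted(linkability_report(SAMPLE).items()):
        print(addr, result)
```

In the constructed sample, device A fails the check because one address spans three rotating IDs, while device B passes because its address changes with each rotation.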
**The Tile Security Vulnerabilities**
As highlighted in a report by Wired, researchers from the Georgia Institute of Technology (Akshaya Kumar, Anna Raymaker, and Michael Specter) found that Tile tags send their MAC addresses along with their IDs. Unlike the ID, which changes, the MAC address is fixed. This means that the location data, MAC address, and unique ID are transmitted unencrypted to Tile's servers, where they are probably stored in cleartext. As a result, Tile can monitor the locations of tags and their owners, despite the company's assertions to the contrary.
Furthermore, anyone with a radio frequency scanner can capture this unencrypted data during transmission. Even if Tile were to stop broadcasting the MAC address, the technique employed to create the rotating ID is insecure, making it easy to predict future IDs based on earlier ones. This weakness allows an attacker to fingerprint a Tile device from just one captured message, leading to a risk of persistent surveillance for anyone whose tag is scanned.
**Anti-Stalking Features and Their Shortcomings**
Tile provides features similar to those of AirTags that let users check whether they are being tracked by an unauthorized tag. However, Tile's approach has a crucial flaw. When a tag owner activates anti-theft mode to make the tag invisible to potential thieves, that mode also hides the tag from users running anti-stalking scans. This means that a stalker could hide a tracking device by putting it in anti-theft mode, effectively circumventing the safety measures.
**The Risk of Framing**
The weaknesses extend beyond simple tracking; they could also be used to frame innocent users as stalkers. An attacker could gather unencrypted broadcasts from another user's Tile tag and replay the MAC address and unique ID in a different location. If an unaware user runs an anti-stalking scan in that location, the maliciously replayed data would seem to come from the legitimate Tile device, wrongfully implicating its owner in stalking.
**Feedback from Tile’s Parent Company**
The researchers responsibly disclosed their findings to Tile's parent company, Life360, in November of last year. However, communication stopped in February, and while Life360 acknowledged making security improvements, it did not specify whether these improvements addressed the identified weaknesses.
**Conclusion**
The security vulnerabilities in Tile tracking devices underscore significant weaknesses that could be exploited for nefarious purposes, including unauthorized tracking and the potential framing of innocent users. As technology advances, it is crucial for companies to focus on strong security measures to safeguard users from such threats.