Researchers Find Security Flaws in Tile Bluetooth Trackers

A research team from the Georgia Institute of Technology has discovered several security vulnerabilities in Tile, the Bluetooth tracking device used to locate lost personal items, as recently highlighted in a Malwarebytes security blog post.

Tile is one of the most widely used Bluetooth tracking devices on the market, designed to help users locate misplaced belongings like wallets, keys, or bags. Similar to Apple’s trackable AirTag which operates through Apple’s vast Find My network, Tile works by sending out Bluetooth signals that nearby devices can detect and relay to the user through the app.

The research team published findings this week highlighting several weaknesses in how Tile trackers communicate and store data. The most critical issue lies in the trackers’ broadcast of static, unencrypted MAC addresses and weakly rotating unique IDs, which together make it possible to track a Tile device—and its owner—over extended periods.

The report explains that while rotating IDs are intended to enhance privacy, Tile’s implementation is ineffective because the underlying MAC address remains constant. This allows any nearby Bluetooth device or specialized antenna to monitor the location and movement of a tracker across time. They noted how an attacker only needs to record one message from the device to fingerprint it for the rest of its lifetime.
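The following simulation, added here as an illustration and not taken from the research report or from Tile's own protocol, shows why a rotating payload identifier gives no privacy when the advertising address underneath it never changes. One constructed tracker emits one frame per rotation period; a passive listener groups frames by the only field it can see in every frame. With a static MAC, a single recorded frame links every later frame to the same device, which is the "one message is enough" fingerprint the researchers describe. With the address randomised in lockstep with the identifier (the mitigation), no field is stable and the frames cannot be tied together. All frame fields and values are constructed for the example.

```python
"""Constructed simulation of tracker advertisements (not real Tile frames)."""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    """One captured advertisement frame as a nearby listener would see it."""
    t: int        # capture time, counted in identifier-rotation periods
    mac: str      # advertising address visible to every nearby receiver
    ident: str    # rotating identifier carried in the payload


def rand_mac(rng):
    """Random 48-bit address, formatted like a BLE advertising address."""
    return ":".join(f"{rng.getrandbits(8):02x}" for _ in range(6))


def simulate(periods, rotate_mac, seed=0):
    """Emit one frame per period from a single constructed tracker.

    rotate_mac=False models the weakness described in the article: the
    payload identifier rotates each period but the MAC address never changes.
    rotate_mac=True models the mitigation: a fresh random address is chosen
    whenever the identifier rotates, so nothing is stable across periods.
    """
    rng = random.Random(seed)
    mac = rand_mac(rng)
    frames = []
    for t in range(periods):
        if rotate_mac:
            mac = rand_mac(rng)
        ident = rng.getrandbits(32).to_bytes(4, "big").hex()
        frames.append(Advertisement(t, mac, ident))
    return frames


def link_by_mac(frames):
    """Group frames by MAC address, which is all a passive listener needs."""
    groups = defaultdict(list)
    for f in frames:
        groups[f.mac].append(f)
    return dict(groups)


def frames_linked_to_first(frames):
    """Count later frames that can be tied to the tracker after recording
    only its first frame (the single-message fingerprint)."""
    first = frames[0]
    return sum(1 for f in frames[1:] if f.mac == first.mac)


if __name__ == "__main__":
    for rotate in (False, True):
        frames = simulate(24, rotate_mac=rotate)
        print(f"rotate_mac={rotate}: "
              f"{len(link_by_mac(frames))} distinct address(es), "
              f"{frames_linked_to_first(frames)} of {len(frames) - 1} later "
              f"frames linked to the first one")
```

The point the simulation makes is that privacy depends on the weakest stable field, not on the strongest rotating one. Bluetooth LE already defines randomised (resolvable private) advertising addresses for exactly this reason; rotating the address together with the identifier, as in the `rotate_mac=True` branch, is the design the article's recommended "stronger ID obfuscation" implies.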

Researchers also found weaknesses in data transmission: location data, device identifiers and MAC addresses are sent to Tile’s servers without encryption and are potentially stored in plaintext, where the unencrypted data could be exposed in the event of a breach.

Unlike other tracker manufacturers that use automatic background scanning to alert users of unknown trackers nearby, Tile’s Scan and Secure feature requires manual activation. Users must open the Tile app and walk around for at least 10 minutes for the scan to function properly. While this may be useful for hiding valuables, researchers warn that it could be misused by individuals seeking to track someone without their knowledge. Enabling this mode requires identification, a live photo, and agreement to a $1 million fine if found guilty of stalking.

The findings add to privacy and surveillance concerns about Bluetooth tracking devices, following the nRootTag vulnerability in Apple’s “Find My” network that researchers disclosed earlier this year, demonstrating that even companies with more robust protections are not immune to flaws.

The researchers suggest that many of the issues could be addressed through end-to-end encryption and stronger ID obfuscation, but implementing such changes may require significant architectural redesign.

For further details and full coverage of the research findings, see the original report on Malwarebytes’ official blog here.

