Cybersecurity researchers find vulnerabilities in popular tracking device

A popular device used to track personal belongings and ostensibly protect consumers from theft could expose significant security flaws elsewhere. According to a team of researchers at the Georgia Institute of Technology, Tile tracking tags could be exploited not only by the company and law enforcement but also by stalkers.
No encryption and static MAC addresses
Tile is one of several tracking devices that have grown in popularity over the past few years. According to the company, more than 88 million people across the globe use Tile and its Life360 app to keep tabs on everything from their keys and laptops to backpacks and pets. However, those 88 million people could be exposing themselves to nefarious actors.
Basically, tracking devices such as Tile operate on a Bluetooth network that spans the Life360 app on other phones. Each tag is equipped with what’s called a rotating ID and a MAC address. As its name suggests, the rotating ID rotates, making it difficult to pin down the unique marker.
On the other hand, and unlike most other tracking devices from companies such as Apple, Samsung and Google, the MAC address in a Tile is unchanging. Likewise, its communications with the necessary Bluetooth network and other Life360-enabled devices are unencrypted, meaning all of that information is ripe for the picking.
“An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime,” said researcher Akshaya Kumar.
The inherent safety issues of tracking devices
The problems surrounding Bluetooth-enabled tracking devices are not new. Kumar and her colleagues, Anna Raymaker and Michael Specter, first alerted Life360 to the security flaws in November 2024. The researchers reportedly received an email back, saying that Life360 had made “improvements” to its system, without elaborating.
Nor is the Georgia Institute of Technology team the first to raise the alarm.
“We have been trying to put together a set of standards that every maker of Bluetooth-enabled trackers should implement, which includes a bunch of best practices,” Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation (EFF), told The Verge. “One of them is frequently rotating your goddamn MAC address and sending information encrypted, instead of in the clear.”
In a statement shared with The Verge, Life360 spokesperson Kristi Collura maintained that the company’s Tile technology is secure and that “Using a Tile to track someone’s location without their knowledge is never okay and is against our terms of service.”
Collura also reiterated that since receiving the Georgia Institute of Technology report, Tile and Life360 “have made a number of improvements and are continually prioritizing work that helps families feel safe and connected.” However, she didn’t provide details on what exactly those improvements entailed.
‘Safeguarding people, not just their keys’
According to EFF, which helped develop and refine the standards for Detecting Unwanted Location Trackers, other companies such as Apple, Google and Samsung have been more receptive to feedback. What’s more, those companies encrypt all of the communications that are shared and stored on their servers, meaning even the companies themselves can’t access the information.
“But Tile,” EFF’s Security and Privacy Activist Thorin Klosowski wrote in a web article on Friday, “has done little to mitigate the concerns we’ve raised around stalkers using their devices to track people.”
“Many of these issues would be mitigated by doing what their competition is already doing: encrypting the broadcasts from its Bluetooth trackers and randomizing MAC addresses,” Klosowski went on to write, adding, “Every company involved in the location tracker industry business has the responsibility to create a safeguard for people, not just for their lost keys.”
The post Cybersecurity researchers find vulnerabilities in popular tracking device appeared first on Straight Arrow News.