News

IT NEWS

Tile trackers plagued by weak security, researchers warn

Researchers at the Georgia Institute of Technology scrutinized the security of the popular Tile tracker and came out disappointed.

Bluetooth trackers are a steadily growing market, and Life360 is one of the major players. In 2021, Amazon expanded its Sidewalk network to include Tile. That means Ring cameras and Echo devices can act as relays, picking up the location of Tile trackers and phones running the Tile app.

Reportedly, some 88 million Tile trackers are in use worldwide, but researchers reported that Tile trackers were not as safe as they hoped. The major problem the researchers found is that the trackers broadcast an unencrypted, static MAC address and unique ID. To allow users to find their wallet or lost items, other Bluetooth devices or radio-frequency antennas in a tracker’s vicinity can pick up these signals to follow the movements of the tracker.

That’s the whole point, you’d think. But let me clarify what’s wrong with this method.

Other trackers don’t broadcast their actual MAC address. Instead, they send out a temporary ID based on it, which makes long-term tracking harder. Tile does things differently: while it rotates the unique ID, it still transmits the same MAC address. Researchers also found the rotating ID generation was weak and could allow continuous tracking.

The receiver then sends the tracker’s location, MAC address, and unique ID to a server without encryption. The researchers believed the server stored this information in cleartext, which would mean Life360 could continuously monitor the location of trackers and their owners who have the app installed.

As one of the researchers put it while warning about the dangers:

“An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime.”

This could pose a major problem in case of a breach or if your tracker was caught in a mass scan. In other tracker systems, the information about the location of a tag is decrypted by using a key only available on the user’s phone, so only the owner can see this information.

Another issue is Tile’s anti-stalking feature. After concerns were raised about the ability to stalk persons with these trackers, most manufacturers added automatic alerts that warn the user if a tracker that is not theirs is following them around.

With Tile, the app doesn’t scan in the background—the user has to start the scan manually. Even then, it only works if the user keeps moving around for 10 minutes.

This behavior could be due to a feature that Tile offers and others don’t: anti-theft mode. Tile users have the ability to make their trackers invisible to others, so would-be thieves can’t scan an area to see if there are any items with a Tile in the vicinity.

But stalkers could abuse the same feature. They would still see the tag’s location, while the victim’s scan would not detect it, leaving them unaware of a rogue device.

To enable Anti-Theft Mode, Tile requires a government-issued ID, a live photo of the user, and agreement to a $1 million fine if convicted of stalking. While this could deter some abusers, researchers note it isn’t clear whether the penalty is enforceable.

The researchers concluded that many of the problems they found with Tile trackers could be solved by encrypting the signals it broadcasts, and they didn’t understand why the company apparently hadn’t followed the example of its competitors.

That sounds easier than it might be though. In February 2025, researchers found a way to track any Bluetooth device using nRootTag vulnerability in the “Find My” network. Apple has a partial fix out, but full protection may take years. This shows that a redesign from (almost) scratch could be a lengthy and costly process.

In a statement to The Verge, a spokesperson for Life360 said the company had “made a number of improvements” since researchers reported the issue last November, although didn’t provide any details about the fixes. From the statement:

Using a Tile to track someone’s location without their knowledge is never okay and is against our terms of service.

To help you find the main differences between Tile and other trackers, we constructed this overview.

Features Tile Others
Static MAC address Uses static MAC addresses, enabling persistent tracking by anyone nearby. Uses rotating MAC addresses that change frequently to prevent tracking.
Data transmission Broadcasts unique IDs and device data unencrypted via Bluetooth, which is easily intercepted. Uses encrypted communication with nearby devices, protecting data in transit.
Data storage Stores location and device data unencrypted on own servers, making it vulnerable to breaches. Stores encrypted data on servers, reducing risk from breaches.
Detection of unwanted trackers Requires users to manually scan with Tile app’s Scan and Secure feature, which is less intuitive. Automatically alerts users of unknown trackers traveling with them and provides disabling them.
Anti-theft feature Offers “anti-theft mode,” which hides trackers from detection scans, but which makes automatic stalking alerts ineffective. No equivalent feature.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.