Researchers have discovered major Tile security flaws that could let both the company itself and a tech-savvy stalker track your location. These arise from two crucial differences between the security used for AirTags and Tile tags.

The flaw could even be exploited to allow a malicious actor to falsely frame a Tile owner for stalking, by making it appear as if one of your Tile tags is constantly in the vicinity of somebody else’s tag …

Both AirTags and Tile tags work in essentially the same way, using Bluetooth to broadcast their identity to nearby smartphones. Both also rotate the ID code used every 15 minutes so that it cannot be permanently tied to a specific tag.

In the case of AirTags, only the rotating ID code is ever broadcast by the tag, and all transmissions are encrypted. However, security researchers found that Tile tags transmit not only the rotating ID but also their static MAC address – and that neither is encrypted. This represents a huge security vulnerability.

The Tile security flaws

Wired reports that Akshaya Kumar, Anna Raymaker, and Michael Specter of Georgia Institute of Technology found that the MAC address was broadcast alongside the ID. Unlike the ID, Tile MAC addresses never change.

The location of a tag, its MAC address, and unique ID also get sent unencrypted to Tile’s servers, where the researchers believe this information is stored in cleartext, giving Tile the ability to track the location of tags and their owners, even though the company claims it does not have this capability.

Additionally, anyone with a radio frequency scanner can intercept all of this information as it is transmitted.

Worse, the problem would not be solved if Tile stopped transmitting the MAC address. That’s because the way the company generates the rotating ID is not secure and future codes can be reliably predicted from past ones – even from a single ID.
“An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime,” says Kumar, who says this creates a risk of systemic surveillance for anyone whose tag is caught up in a scan.

Tile has similar protection to AirTags in terms of allowing you to see whether you are being stalked by someone else’s tag hidden in your possessions or in your vehicle. However, there is a major vulnerability in Tile’s implementation.

When a tag owner enables anti-theft to make their tag invisible to would-be thieves, those tags also won’t be visible to someone running a scan to determine if they are being stalked with a rogue tag. This means a stalker could hide their stalking tag by putting it in anti-theft mode.

Finally, a bad actor could even frame you as a stalker.

Using a radio-frequency antenna to collect the unencrypted broadcasts from another user’s tag, an attacker can extract the MAC address and unique ID from these broadcasts, and transmit that in another location. If a user conducts an anti-stalking scan in that location, they would see this MAC address and unique ID in the scan, and this information and the location of where it was scanned would be sent to Tile’s server, making it appear as if that tag was near the person who did the scan.

There is no way to determine, the researchers say, if a MAC address and unique ID was emitted by a legitimate Tile device or someone maliciously replaying that information.

The security researchers followed best practice by reporting their findings to Tile parent company Life360 back in November of last year. However, the company ceased communications in February this year. The company told Wired that it had made a number of improvements to its security but did not specify whether these addressed the problems identified.
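To make the static-address problem described above concrete, here is an added example (not code from the researchers, Wired or Tile) of a check a privacy assessor could run over a capture log: it reports any advertised address that stays constant while the rotating ID changes or beyond one 15-minute rotation. The sightings, the record layout and the name `audit_linkability` are assumptions constructed for illustration.

```python
from collections import defaultdict

ROTATION_SECONDS = 15 * 60  # rotation interval stated in the article

# Constructed sample sightings: (unix_time, advertised_address, rotating_id).
# All values are made up for illustration; no real device data.
SIGHTINGS = [
    (0,    "AA:AA:AA:00:00:01", "id-a1"),  # static address, ID rotates
    (900,  "AA:AA:AA:00:00:01", "id-a2"),
    (1800, "AA:AA:AA:00:00:01", "id-a3"),
    (0,    "BB:BB:BB:00:00:10", "id-b1"),  # address rotates with the ID
    (900,  "BB:BB:BB:00:00:11", "id-b2"),
    (1800, "BB:BB:BB:00:00:12", "id-b3"),
    (100,  "CC:CC:CC:00:00:20", "id-c1"),  # repeat inside one interval
    (400,  "CC:CC:CC:00:00:20", "id-c1"),
]

def audit_linkability(sightings, rotation_seconds=ROTATION_SECONDS):
    """Return {address: finding} for addresses that defeat ID rotation.

    An address is reported when it was seen with more than one rotating ID,
    or when it stayed the same for longer than one rotation interval. Either
    means an observer can link sightings that rotation was meant to separate.
    """
    by_addr = defaultdict(list)
    for ts, addr, rid in sightings:
        by_addr[addr].append((ts, rid))
    findings = {}
    for addr, seen in by_addr.items():
        times = [ts for ts, _ in seen]
        ids = {rid for _, rid in seen}
        span = max(times) - min(times)
        if len(ids) > 1 or span > rotation_seconds:
            findings[addr] = {
                "distinct_ids": len(ids),
                "linked_seconds": span,
                "rotations_bridged": span // rotation_seconds,
            }
    return findings

if __name__ == "__main__":
    for addr, finding in sorted(audit_linkability(SIGHTINGS).items()):
        print(addr, finding)
```

Only the first device is reported: its three different IDs are tied together by one unchanging address, which is the behaviour the researchers describe for Tile tags.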