A newly published study warns that popular Bluetooth trackers made by Tile may be vulnerable to misuse because they broadcast identifying data—like MAC addresses and unique IDs—in unencrypted form, allowing nearby devices or antennas to intercept them and track movements over time. Unlike competitors such as Apple and Samsung that rotate IDs and encrypt signals, Tile’s design reportedly leaves static identifiers exposed, enabling “fingerprinting” of a tracker. The team of researchers at Georgia Tech also found that Tile’s so-called anti-theft or anti-stalking protections can be disabled or bypassed—one mode makes the tracker invisible even to users scanning for unwanted tags. Worse, the system may be exploited to frame innocent users via “replay attacks” that mimic someone else’s tag in a different location. Tile’s parent company, Life360, claimed to have made “improvements” since being alerted, but has not detailed whether or how the core vulnerabilities are fixed.
Key Takeaways
– Because Tile tags broadcast both a stable MAC address and an evolving identifier without encryption, attackers can link those signals over time and track a device persistently.
– Tile’s “anti-theft mode” may actually hinder detection of malicious tags by disabling Scan & Secure, and the system is vulnerable to replay attacks that could falsely implicate innocent owners.
– Even though Tile claims to have made improvements after being notified, the company has not clearly confirmed whether the structural security issues have been addressed.
In-Depth
Bluetooth trackers like Tile are meant to help you keep tabs on everyday items—keys, wallets, luggage—by piggybacking on a network of nearby phones that relay signal data back to a central server. In theory, this kind of “crowdsourced” Bluetooth location network is quite clever and useful. But the recent findings from Georgia Tech show that Tile’s particular implementation has alarming privacy gaps that could turn your own tracker into a tracking tool against you.
The core issue lies in what the tag broadcasts and how. Tile tags emit two identifiers over Bluetooth: a unique ID that is supposed to rotate periodically, and a device’s MAC address—which does not rotate and stays constant. Neither of those are encrypted in transit. That means anyone with even modest technical tools—a Bluetooth‐capable device or a simple radio receiver—could pick up those broadcasts and tie them to a specific tracker. Because the MAC address never changes, an attacker only needs to capture one broadcast to consistently identify the same tag later, regardless of how often the rotating ID changes. Over time, that yields a way to map out where the tracker—and potentially its owner—goes.
Worse still, once that data is picked up by other devices (phones participating in the Tile network, for example), it’s transmitted to Tile’s servers supposedly in the “clear”—that is, not encrypted en route. The researchers suggest that means Tile itself could, in principle, track its users’ devices—despite the company’s claims to the contrary.
The team also drilled into Tile’s anti-stalking protections. Tile offers a “Scan & Secure” feature that’s meant to let users scan for unwanted tags traveling with them; if it spots a tracker, it should warn you. But the catch is that one of Tile’s modes—Anti-Theft Mode—makes tags invisible to that scan. In effect, an attacker could enable Anti-Theft mode on a malicious tag to avoid detection. As one researcher put it, “the stalker has to be caught—and [Tile] have just provided the technology to make sure that wouldn’t happen.”
An even more chilling possibility: replay attacks. Because Tile lacks cryptographic safeguards to distinguish original vs. replayed signals, a malicious actor could record a person’s tile broadcasts and then replay them near a different person, making it appear as though the first person’s tag is present. That could lead to wrongful accusations of stalking or harassment, and there’s no reliable way in the system currently to tell the difference between a genuine broadcast and a replayed one.
Tile’s parent, Life360, says it has made “a number of improvements” since researchers disclosed the flaws last November—but so far, the company hasn’t clarified whether it has eliminated the root vulnerabilities. That ambiguity is disquieting given the severity of the risks: exposure of movement patterns, potential framing of innocent users, and the possibility of internal access by the platform owner.
For users of Tile—and of Bluetooth trackers in general—this serves as a reminder that design trade-offs in IoT devices carry real risks. Signal encryption, frequent identifier rotation, anomaly detection, and anti-replay safeguards are not optional extras in privacy-sensitive contexts—they’re essential. Until Tile can credibly demonstrate structural fixes, anyone using its tags must weigh whether the utility of tracking beloved items outweighs the latent threat of being tracked themselves.