Tile Tracking Tags Can Be Exploited by Tech-Savvy Stalkers, Researchers Say

A team of researchers found that, by not encrypting the data broadcast by Tile tags, users could be vulnerable to having their location information exposed to malicious actors.Courtesy of Life360Tile trackers, used to locate everything from lost keys to stolen pets, are used by more than 88 million people worldwide, according to Tile’s parent company, Life360. But researchers who examined the tracking technology have found design flaws that would let stalkers—or potentially the manufacturer itself—track the location of Tile users and their devices, contrary to claims the company has made about the security and privacy of its devices.The researchers—Akshaya Kumar, Anna Raymaker, and Michael Specter of Georgia Institute of Technology—found that each tag broadcasts an unencrypted MAC address and unique ID that can be picked up by other Bluetooth devices or radio-frequency antennas in a tag’s vicinity to track the movements of the tag and its owner. The location of a tag, its MAC address, and unique ID also get sent unencrypted to Tile’s servers, where the researchers believe this information is stored in cleartext, giving Tile the ability to track the location of tags and their owners, even though the company claims it does not have this capability.The researchers say this would give Tile the ability to conduct “mass surveillance” on its users and potentially provide that information to law enforcement and others.The researchers also found that Tile’s anti-stalking protection can be easily undermined if a stalker enables an anti-theft feature that Tile offers with its tags. Additionally, someone could falsely frame a Tile owner for stalking by recording the unencrypted broadcasts their Tile device makes and replaying these broadcasts in the vicinity of another Tile user, making it seem like the former is stalking the latter.The researchers reported their findings to Tile’s parent company, Life360, last November, but they say the company stopped communicating with them in February. WIRED sent Life360 an email asking for a response to the issues raised by the researchers, but a spokesperson sent a reply that did not explicitly address the problems. The email said only that the company had “made a number of improvements” since receiving the researchers’ report, without specifying what those were.Tile sells stand-alone tags, but its tracking technology is also embedded in laptops, headphones, smartwatches, and other products made by companies like Dell, Bose, and Fitbit. The researchers reverse engineered Tile’s protocol and Android mobile app used with the Tile Mate, the company’s most popular tracker tag. They say their findings may not apply to other models of Tile tags or the Tile technology used in products made by third parties.How Tile Tags WorkTile trackers operate similarly to tracking tags made by Apple, Google, and Samsung. But Tile’s system differs in important ways. Like the others, Tile tags are battery-powered and use Bluetooth to broadcast their location to a user’s phone. Users can slip a tag into a briefcase, luggage, or vehicle, or attach it to keys, a phone, laptop, or even a pet collar to track the location of these items.Each Tile tag broadcasts the tag’s MAC address and a unique ID, which changes periodically. If an item paired with the tag goes missing the owner, using their Tile app, can instruct the tag to emit a sound to locate it. For items farther away, the system relies on the network of phones belonging to other Tile users. These also pick up the broadcast of any Tile device near them. And since 2021, Ring cameras, Echo devices, and Tile tags have been integrated into Amazon’s Sidewalk network, meaning Ring and Echo devices can pick up the location of Tile tags as well.Each time these devices pick up the broadcast from a Tile tag, the location, MAC address, and unique ID of that tag get sent to a Tile server where it’s stored in a database, the researchers found. The owner of a lost tag and item can then use their Tile app to query the database for their latest location. The problem, according to the researchers, lies in how Tile has implemented this system.Tile claims that user information transmitted across its network can’t be seen by anyone. “You are the only one with the ability to see your Tile location and your device location,” the company states in its privacy policy. But the researchers found that the MAC address and unique ID that a Tile tag broadcasts is not encrypted, allowing someone in the vicinity of a tag with a Tile app on their phone or a radio frequency antenna to intercept this information as its transmitted and track the location of the tag and associated item or its owner.Other tag makers replace the MAC address with a rotating unique ID and only transmit the ID. By changing the ID periodically, someone recording broadcasts from a tag cannot easily link multiple broadcasts to the same tag to track the movement of that tag and associated item or owner.But because Tile’s system transmits both the MAC address and the unique ID, and does not encrypt this transmission, someone can intercept this information. Tile’s unique ID also rotates—it changes every 15 minutes if the tag is near the owner’s phone or once in 24 hours if not—but because the MAC address is static and does not change, it can be used to track a tag regardless of the changing ID. Even if Tile chose to not transmit the MAC address, the researchers say, the way Tile generates the changing ID is not secure and can still be used to track a tag.“An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime,” says Kumar, who says this creates a risk of systemic surveillance for anyone whose tag is caught up in a scan.Law enforcement could potentially use this to identify anyone in an area that has a Tile tag or Tile-enabled device. And because this location information seems likely to be stored unencrypted on Tile’s server, researchers say, Tile could also track the location of tags or share this information with any third party.“These issues transform Tile’s infrastructure into a global tracking network,” the researchers claim in a paper they wrote about their findings.When an Apple, Google, or Samsung tag gets detected in a scan, the report that gets sent to the company servers containing the tag’s ID and location information is end-to-end encrypted so that no one can intercept the broadcasts as they’re transmitted, and the companies themselves cannot see the location information to track the movement of the tags. Only a tag owner can see this information because a key on their phone decrypts the location data on the company’s server that is associated with their tag ID.“They have designed their system intentionally such that they aren’t able to recover your location or the location of where your items are,” says Specter. “Because they don’t want to be in the business of knowing where all people are at all times.”Talking Anti-StalkingIn a study published last year, researchers measuring the misuse of Bluetooth location trackers—including devices from Apple, Tile, Samsung, and Chipolo—found that more than 40 percent of stalking victims had been tracked with Bluetooth tags hidden in their cars, purses, or backpacks.To address this, makers of location-tracking technology have implemented solutions to alert users when a tracking device they don’t own appears to be moving with them. But the researchers say that Tile’s implementation is flawed in ways that both undermine its effectiveness and make it susceptible to being used to track the movement of other users.Unlike other trackers—which conduct a continuous scan for trackers in a user’s vicinity that they don’t own and automatically alert the user to the presence of these trackers—Tile’s so-called Scan and Secure system has to be manually initiated by a user through the Tile app. The scan lasts only 10 minutes, and the user has to be moving around an area while the scan is in progress to detect tags that are moving with them. Users have to also remember to re-initiate scans periodically to detect any rogue devices that might be traveling with them since their last scan.Tile’s app performs six Bluetooth scans during the 10 minutes and extracts the MAC address and unique ID from each broadcast it detects. The app then checks these addresses against a database to determine if they are paired with the phone of the person doing the scan. Any address or ID that is not paired with their phone is designated “unknown.” The app produces a report of these tags for the person to view. It also sends a message to the Tile server with all the MAC addresses and unique IDs detected during the six scans, and the number of times they appeared.But the researchers found that the Scan and Secure feature is undermined by another feature Tile offers for preventing theft. The researchers say this anti-theft mode is unique to Tile, and the problems it presents for Tile users may be the reason.The aim of anti-theft is to prevent would-be thieves from running a scan using a Tile mobile application to see if there is a Tile tag paired with an item they plan to steal. But when a tag owner enables anti-theft to make their tag invisible to would-be thieves, those tags also won’t be visible to someone running a scan to determine if they are being stalked with a rogue tag. This means a stalker could hide their stalking tag by putting it in anti-theft mode. A scan will still detect the tag and send its MAC address, unique ID, and location to Tile’s servers, but the tag won’t be included in the scan results that are displayed to the user who initiated the scan, effectively making potential stalking victims blind to rogue devices that may be following them.Kumar says other makers of location trackers avoid this by not even offering anti-theft mode for their products.“They never say, ‘Here’s a tag that can prevent your devices from being stolen.’ They say it helps recover lost devices. Anti-theft is just not a feature,” she says. “That’s a compromise that these companies are willing to make in order to have stronger anti-stalking properties.”The researchers also say that the anti-theft mode isn’t foolproof because a user with a modified Tile app can easily circumvent it to collect and display all MAC addresses and unique IDs recorded during a scan, regardless of whether any of those tags are using anti-theft mode.Tile believes it solves the anti-theft abuse problem by requiring that anyone who enables anti-theft mode for their tag provide a government-issued ID and live photo of their face to Tile before anti-theft mode will be enabled. Users of this mode also have to consent to a $1 million fine if they are convicted of using Tile for stalking—though the researchers point out that it’s unclear if this is enforceable.Tile states in its terms that the identity information users provide will be shared with law enforcement if Tile believes someone has abused the feature for stalking. But the company is inconsistent about whether law enforcement needs a warrant to get this information. In a FAQ the company says it will “work with law enforcement through a properly issued court order to identify the owner of a suspicious Tile.” But in the terms for its anti-theft mode, users agree that their “personal information can and will be shared with law enforcement at our discretion, even without a subpoena” to aid investigations of suspected stalkers.Lastly, the researchers say someone can abuse the Scan and Secure feature to frame someone else for stalking by executing a replay attack to impersonate their Tile tag. Using a radio-frequency antenna to collect the unencrypted broadcasts from another user’s tag, an attacker can extract the MAC address and unique ID from these broadcasts, and transmit that in another location. If a user conducts an anti-stalking scan in that location, they would see this MAC address and unique ID in the scan, and this information and the location of where it was scanned would be sent to Tile’s server, making it appear as if that tag was near the person who did the scan. There is no way to determine, the researchers say, if a MAC address and unique ID was emitted by a legitimate Tile device or someone maliciously replaying that information.The researchers say many of the problems they found could be addressed simply by Tile encrypting the broadcasts from its tags, and they don’t understand why the company apparently hasn’t followed the example of its competitors.
Source: wired.com