Tile trackers are a stalker’s dream, say Georgia Tech researchers

Tile Bluetooth trackers leak identifying data in plain text, giving stalkers an easy way to track victims despite Life360's security promises, a group of Georgia Tech researchers warns.

A trio of researchers led by assistant professor Michael Specter found [PDF] a number of flaws in Tile trackers, which they say disprove many of Tile maker Life360's security and privacy guarantees. Most shocking, say the researchers, is the fact that Tile servers continually collect tag locations, MAC addresses, and unique ID codes without end-to-end encryption, while the tags themselves broadcast unencrypted Bluetooth signals that can be sniffed to track someone else's device.

What's worse, the MAC address of Tile trackers is static - and the periodically-cycled unique IDs are only semi-randomized and are reused over time. "This reuse pattern … allows an adversary to link private IDs over time and track the device," the researchers explained. 

The discovery by Specter and PhD students Akshaya Kumar and Anna Raymaker raises the specter of Bluetooth tag stalking, a known problem that has plagued companies like Life360 for years. The Tile maker was sued in 2023 by a pair of stalking victims who argued the company's partnership with Amazon, which opened Tile's tech up to the company's Sidewalk network, magnified the danger posed to stalking victims. Both Android and Apple devices have since had anti-stalking technology added to their more modern OS versions, but Tile trackers appear to still have significant problems, per the Georgia Tech team. 

According to their research, conducted by decompiling the Tile app on Android, studying its code and analyzing the Bluetooth and network traffic between a Tile Mate device manufactured in 2022 and a rooted Google Pixel 3XL smartphone, Tile's anti-stalking features are just as useless as relying on a tracker that constantly broadcasts a fixed MAC address in plain text over Bluetooth.

Because Tile tags are broadcasting unencrypted data, an attack could target device Bluetooth advertisements to identify specific tags and "construct detailed movement profiles of individuals without their knowledge or consent." 

One specific anti-stalking feature, Scan and Secure mode, makes Tile trackers visible to anyone who scans for them, a feature designed to detect rogue tags being used to stalk someone. But an anti-theft feature that the company advertises for putting hidden trackers on one's own devices can simply be enabled to hide the trackers from Scan and Secure. 

Tile's anti-theft feature can be subverted, however, since using anti-theft mode simply tells Tile's servers not to display results from those specific trackers, but "a user with a modified app can … [display] all privateIDs recorded" during a Scan and Secure search. Good news for a tech-savvy person worried about being stalked, but there's still a problem here, the researchers pointed out: Tile requires someone to actively scan for malicious trackers and doesn't passively keep a lookout for malicious, hidden trackers.

"All service providers except Tile have implemented anti-stalking algorithms that guarantee tag detectability at the operating system level, ensuring that these scans always run in the background and alert the user automatically," the researchers said. "Tile's reliance on manual, user-initiated scans creates dangerous detection gaps."

The researchers pointed out that this shortcoming stems from the fact that Tile is a third-party product: it doesn't have OS-level access to the devices it's installed on, just app-level access, meaning it can't perform background scans unless it were to use Google's or Apple's own protocols.
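A simplified sketch of the kind of passive, always-on check described above, flagging an unknown tag that keeps turning up as the phone moves. This is an added example, not code from the researchers' paper, Tile, or any OS vendor; the thresholds, the sighting format and the sample scan log are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for this sketch, not values from any vendor's detector.
MIN_SPAN = timedelta(minutes=30)   # tag must stay nearby at least this long
MIN_PLACES = 3                     # ...across at least this many distinct places


def find_following_tags(sightings, own_tags=frozenset()):
    """Return tags that appear to travel with the scanning phone.

    sightings: iterable of (iso_timestamp, advertiser_address, place_id);
    place_id is a coarse location cell of the phone at scan time.
    """
    seen = defaultdict(list)
    for ts, addr, place in sightings:
        addr = addr.lower()
        if addr in own_tags:           # ignore tags the user has registered
            continue
        seen[addr].append((datetime.fromisoformat(ts), place))

    flagged = {}
    for addr, obs in seen.items():
        obs.sort()
        span = obs[-1][0] - obs[0][0]
        places = {p for _, p in obs}
        # A stationary neighbour's device has a long span but one place;
        # a passer-by has a short span. Only a co-travelling tag has both.
        if span >= MIN_SPAN and len(places) >= MIN_PLACES:
            flagged[addr] = {"span_minutes": int(span.total_seconds() // 60),
                             "places": sorted(places)}
    return flagged


# Constructed scan log: tag :01 follows the phone, :02 is a neighbour's
# device seen only at home, :03 is the user's own tag.
SAMPLE = [
    ("2025-01-10T08:00:00", "AA:BB:CC:00:00:01", "home"),
    ("2025-01-10T08:00:00", "AA:BB:CC:00:00:02", "home"),
    ("2025-01-10T08:00:00", "AA:BB:CC:00:00:03", "home"),
    ("2025-01-10T08:25:00", "AA:BB:CC:00:00:01", "train"),
    ("2025-01-10T08:25:00", "AA:BB:CC:00:00:03", "train"),
    ("2025-01-10T09:05:00", "AA:BB:CC:00:00:01", "office"),
    ("2025-01-10T09:05:00", "AA:BB:CC:00:00:03", "office"),
    ("2025-01-10T20:00:00", "AA:BB:CC:00:00:02", "home"),
]

if __name__ == "__main__":
    print(find_following_tags(SAMPLE, own_tags={"aa:bb:cc:00:00:03"}))
```

Grouping sightings by advertiser address only works here because the address never changes, the same property the researchers flag as a tracking risk; the value of such a check comes from running continuously in the background rather than waiting for a user-initiated scan.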

The team told us that, while it only examined the Tile Mate tracker, they have no reason to assume the rest of the company's products - or the third-party devices that implement its protocols - are any safer than the one they tested.

"It’d be surprising if [other Tile devices] worked differently," Specter told The Register in an email. "We found no evidence in the app to indicate that they were different."

Life360 … finds a way to avoid dealing with the problem

The Georgia Tech research team first reported their findings to Life360 in November of last year by reaching out to the company's CEO, Chris Hulls, and its support team because there was no official vulnerability disclosure channel available. Life360 did respond to the team, but communications apparently ceased after a time. 

"Tile acknowledged the vulnerabilities and engaged in dialogue until February 4, 2025, after which communications ceased," the research team wrote. The company was given an opportunity to reopen channels, the team said, but it doesn't appear to have ever done so. 

The researchers said they also offered to provide mitigations for the vulnerabilities they identified - like randomizing MAC addresses, end-to-end encrypting data, and finding a way to actually randomize unique device IDs - but it's not clear whether that information was shared with Life360 before communication dried up. 

According to a Life360 spokesperson, the company has made improvements since hearing from the researchers, but despite requests for specifics, it didn't provide any.

"Since receiving the submission, we have made a number of improvements," Life360 told The Register. It also disputed some of the team's claims, telling us that it does encrypt data in transit, and on its servers at rest. The company said it's also in the process of transitioning to rotating MAC addresses.

While the research team didn't answer questions about the status of its communication with Life360 or whether the company may have implemented any of its suggested changes, its findings suggest Life360's security promises may not be entirely accurate.

"We go to great lengths to ensure that your data is secure and that any information transmitted across our network is anonymous," Life360 says on its privacy policy page. "You are the only one with the ability to see your Tile location and your device location."

The Georgia Tech team's findings, if correct, suggest those assurances don't hold up in practice.

"Our work demonstrates that many of Tile's security claims were incorrect, insinuated but substantively wrong, [or] correct, but vulnerable to an active attacker," the team wrote. Without a clear response from Life360, it might be best to opt for a different brand of Bluetooth tracker if you're worried about privacy.

"In the version of the protocol we examined, Tile gets a user’s location at all times, and share this with law enforcement or others," Specter told us. "Users that are sensitive to this kind of privacy issue should consider not using the system." ®

https://go.theregister.com/feed/www.theregister.com/2025/09/30/tile_trackers_unencrypted_info/