Overview

• A Georgia Tech team reports that Tile tags broadcast a static MAC address alongside a rotating ID, and neither transmission is encrypted.
• The rotating-ID scheme is predictable, allowing an attacker to infer future identifiers and track a device after capturing a single broadcast.
• Researchers say location data, MAC addresses, and unique IDs are sent to Tile’s servers in cleartext, raising concerns about owner tracking that the company disputes.
• Attackers can intercept broadcasts and replay them elsewhere to fabricate proximity, creating a risk of falsely attributing a user’s presence.
• Enabling anti-theft mode hides a tag from anti-stalking scans, potentially helping stalkers evade detection; the findings were disclosed to Life360 in November, and researchers say communications ended in February.