Particle.news

Researchers Say Tile Trackers’ Unencrypted Signals Enable Stalking and Replay Attacks

Life360 says it has made improvements without detailing specific fixes.

Overview

  • Georgia Tech researchers report that Tile tags broadcast a static MAC address alongside a rotating ID in plaintext, and that the ID-generation method allows a device to be fingerprinted from a single captured message.
  • The researchers say anyone with basic radio equipment can intercept these broadcasts, and that location, MAC address, and unique ID are also sent unencrypted to Tile’s servers, where they believe the data is stored in cleartext.
  • Captured MAC/ID data can be replayed in a different place to create false evidence that a specific tag was near a victim, a framing risk the researchers describe.
  • Tile’s anti-theft mode makes trackers invisible to the Tile network and to its Scan and Secure checks, a design that privacy advocates warn can help stalkers evade detection.
  • The team disclosed the flaws to Life360 in November 2024 and says communications ceased in February; Life360 cites unspecified security improvements, HackerOne participation, and a ban on surreptitious tracking, while experts urge encryption and frequent MAC rotation.