SoatDev IT Consulting
  • September 29, 2025
  • Rss Fetcher

Security researchers have drawn attention to a serious vulnerability that could enable stalkers to track victims using the victims’ own Tile tags, along with other security and privacy violations. Research outlined by Wired shows that Tile’s anti-theft mode, which makes its trackers “invisible” on the Tile network, undermines measures meant to prevent stalking. Bad actors could also potentially intercept unencrypted information sent from the tags, like their unique IDs and MAC addresses, and track their movements using other Bluetooth devices or an antenna.

This isn’t news to Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, who has raised concerns about the risks associated with Bluetooth-enabled trackers for years. “Tile has, historically, been a bad actor in this space in the sense that they have known about all of these problems with their design choices,” Galperin says. A statement from Tile noted “improvements” made since the problems were reported, but didn’t go into detail or address questions about encryption.

Item tracking tags attached to a keyring, wallet, or purse will transmit their information to a network of nearby phones, which send a tracker’s location, MAC address, and unique ID to Tile’s database and make it easy to find lost items. Apple’s AirTags and Samsung’s SmartTags operate using a similar system that pings off other devices to narrow down a tag’s location, while Google’s Find My Device network powers third-party trackers made by brands like Chipolo, Pebblebee, and Motorola.

Researchers Akshaya Kumar, Anna Raymaker, and Michael Specter of the Georgia Institute of Technology reverse-engineered the Tile app and say that while other companies rotate their tags’ unique IDs and MAC addresses in an attempt to make them harder for bad actors to track, Tile only switches up a device’s unique ID, allowing someone to link a MAC address to a specific tag. “An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime,” Kumar tells Wired.

Galperin says that this is the kind of vulnerability that the EFF aims to prevent with its work on the Detecting Unwanted Location Trackers standard adopted by Google and Apple. “We have been trying to put together a set of standards that every maker of Bluetooth-enabled trackers should implement, which includes a bunch of best practices,” Galperin says. “One of them is frequently rotating your goddamn MAC address and sending information encrypted, instead of in the clear.”
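The rotation gap described above can be checked in a capture from a device under test. The following is an added example, not code from the researchers or from Tile: the capture records, the identifier strings, and the 1200-second address-age threshold are all constructed assumptions, not values from the page or from any standard.

```python
from collections import defaultdict

# Constructed capture from two test devices:
# (seconds since start, advertiser MAC, advertised ID).
# All values are made up for illustration; none are real Tile identifiers.
CAPTURE = [
    (0,    "AA:BB:CC:00:00:01", "id-a1"),
    (900,  "AA:BB:CC:00:00:01", "id-a2"),   # ID rotated, MAC did not
    (1800, "AA:BB:CC:00:00:01", "id-a3"),
    (0,    "5E:10:00:00:00:11", "id-b1"),
    (900,  "6F:20:00:00:00:22", "id-b2"),   # ID and MAC rotated together
    (1800, "7A:30:00:00:00:33", "id-b3"),
]

def audit_rotation(capture, max_address_age=1200):
    """Return {mac: [reasons]} for addresses that defeat ID rotation.

    An address is flagged when it stays in use longer than max_address_age
    seconds (assumed policy value) or when more than one advertised ID is
    seen behind it, since the static address then links the rotated IDs.
    """
    seen = defaultdict(lambda: {"first": None, "last": None, "ids": set()})
    for ts, mac, adv_id in capture:
        entry = seen[mac]
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["ids"].add(adv_id)

    findings = {}
    for mac, entry in seen.items():
        reasons = []
        age = entry["last"] - entry["first"]
        if age > max_address_age:
            reasons.append(f"address unchanged for {age}s")
        if len(entry["ids"]) > 1:
            reasons.append(f"{len(entry['ids'])} rotated IDs linkable via one address")
        if reasons:
            findings[mac] = reasons
    return findings

if __name__ == "__main__":
    for mac, reasons in audit_rotation(CAPTURE).items():
        print(mac, "->", "; ".join(reasons))
```
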

Additionally, Wired reports that stalkers can easily thwart Tile’s “Scan and Secure” feature, which people can use to detect unwanted Tile trackers in their vicinity, by turning on an “anti-theft” mode. The anti-theft setting hides a tracker from the Tile network to prevent someone from tracking and stealing the item it’s attached to. Tile only lets people use the feature if they provide a photo ID and agree to pay a $1 million fine if they’re convicted of misusing the feature. But, as pointed out by Galperin, “the stalker has to be caught, and they [Tile] have just provided the technology to make sure that wouldn’t happen.”

In a statement to The Verge, Kristi Collura, a spokesperson for Tile’s parent company, Life360, says it has “made a number of improvements” since the researchers alerted the company to the issue in November. “Using a Tile to track someone’s location without their knowledge is never okay and is against our terms of service,” Collura says. Here’s Life360’s full statement:

Life360 takes the privacy and safety of our members and products very seriously. It’s why we participate in the HackerOne program (alongside thousands of tech companies), which allows ethical hackers and security researchers to responsibly disclose potential issues so we can review, address, and, where appropriate, implement changes. Since receiving the submission, we have made a number of improvements and are continually prioritizing work that helps families feel safe and connected, focusing on the areas that make the most impact for our members as we transition Tile to Life360’s broader platform. Using a Tile to track someone’s location without their knowledge is never okay and is against our terms of service. In the rare cases of alleged misuse, we prioritize collaboration with law enforcement and abide by Life360’s Law Enforcement Guidelines.

© Copyright 2023. All Rights Reserved by Soatdev IT Consulting Inc.