A new security finding warns that popular Bluetooth tags, long considered a safe way to locate lost items, could just as easily be turned into creepy eavesdropping devices, exposing legions of people to litigation and tracking without their knowledge.
Independent researchers claim the core design of Tile trackers makes them far too easy to follow, posing urgent questions about how location gadgets weigh convenience and safety.
- Researchers found unencrypted, predictable Tile identifiers
- Why This Lets You Track Users Persistently
- Server-side risks and data stewardship concerns
- Impact on anti-stalking protections and alerts
- How the company has responded to the findings
- Why the stakes are high for Bluetooth tracking safety
- What users can do now to reduce tracking risks

Researchers found unencrypted, predictable Tile identifiers
Tile tags send out two identifiers over Bluetooth that are unencrypted: a MAC address, which is unique to the connected device; and a UUID, or unique tag ID.
A team at the Georgia Institute of Technology found that both of these identifiers are broadcast in the clear and can enable someone to track the location and movement pattern of any particular Tile user. That radio transmission can be read in real time by a nearby device or using low-cost radio receivers. That alone is an issue, but the group also discovered that the rotating identifier is predictable, meaning someone who captures a single transmission can predict future transmissions.
In plainer terms, if a bad guy records one short radio “hello” from a Tile tucked inside a bag or a car, he can continue to reidentify that same tag in the future even as it attempts to rotate its identifiers. In other words, researchers showed that signal patterns are unique enough to accurately fingerprint a device for the long term.
Why This Lets You Track Users Persistently
Contemporary trackers seek to elude surveillance by rotating their identifiers and encrypting communications. Where those protections are weak, however, passive observers can link sightings across time and places. With predictable IDs, a stalker could construct a map of movement by setting up cheap Bluetooth scanners—say, single-board computers with off-the-shelf antennas—in the vicinity of home, work, or along a commute.
Unlike active tracking done by GPS or cell signals, this technique doesn’t leave much of a trail. The victim’s phone doesn’t have to make a noise, and no accounts need to be compromised. It’s the radio equivalent of watching a license plate that keeps changing, but in a pattern you already know or will soon be able to read.
Server-side risks and data stewardship concerns
The team at Georgia Tech adds that unencrypted identifiers are sent back to company servers.
If true, that architecture would give the service operator the ability to correlate tag sightings at scale. While the company says it does not keep tabs on its customers’ individual locations, logging plaintext identifiers would theoretically allow such connections to be made easily; this raises the stakes of any data breach or misuse.
Security standards from bodies such as NIST suggest minimizing the gathering of unique identifiers, encrypting telemetry over the wire and at rest, and rotating IDs with cryptographically strong techniques. When consumer devices diverge from those practices, they can inadvertently produce data sets that are appealing to attackers and liable to subpoenas or abuse by insiders.

Impact on anti-stalking protections and alerts
Industrywide alerts are supposed to let you know when an unknown tracker is traveling with you. Apple and Google created cross-platform notifications which recognize unknown Bluetooth beacons and activate alerts on iOS and Android. But if an adversary watches from afar, passively receiving rather than pairing with a tag, those phone-based defenses might never sound.
Advocacy groups including the Electronic Frontier Foundation have long warned that anti-stalking tools must take into account a resourceful adversary. Predictable identifiers and cleartext telemetry lower the bar even more, making hobbyist-grade tracking a project you can tackle with a budget that’s less than the unit cost of buying a tracker.
How the company has responded to the findings
The researchers say they alerted the manufacturer’s parent company and shared technical details. Initial talks, they say, were followed by silence after promises that things were about to get better. The company, for its part, has said it has made changes and continues to invest in safety.
Independent verification will matter. A more comprehensive remedy would involve encrypting broadcast identifiers, transitioning to non-predictable rotating IDs, strengthening server-side telemetry processing, and releasing a public security white paper for scrutiny. External audits—so prevalent in payments and health care, but which PhotoDNA has never had—could restore confidence for something that travels with people every day.
Why the stakes are high for Bluetooth tracking safety
Tile and the like are everywhere because they solve a genuine problem: misplaced keys, bags, bikes.
Their superpower is the network effect—more devices, in more hands, mean more opportunities to locate a lost thing. But the same density of listeners magnifies risk when identifiers are traceable. Even a small fraction of misuse can be dangerous on a population level.
Police records and survivors’ accounts in the past few years emphasize that location trackers have been used in cases of domestic abuse and stalking. The lesson from past AirTag controversies is obvious: Safety needs to be a first-order design requirement, not something we figure out how to add if there are headlines after the fact.
What users can do now to reduce tracking risks
Owners should sign up for timely updates through the Tile app and ensure they have all previous software patches, review sharing settings, and consider temporarily disabling tags that are attached to particularly sensitive items. If you suspect that someone might be tracking your location without your permission, both iOS and Android need little more than a request from you to find out whether such an app has been installed; dedicated scanning tools (available for each platform) or relatively inexpensive Bluetooth analyzers can provide a useful second opinion. Domestic violence hotlines and digital security clinics might offer more targeted advice to those at high risk.
A credible path for the company includes cryptographic rotation with unpredictable beacons, strict telemetry minimization, and a public bug bounty to incentivize disclosure. The technology could be both secure and useful if it treated privacy as an essential feature rather than a future add-on.
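
What "non-predictable rotating IDs" and "cryptographic rotation" mean in practice, as an added sketch that is not Tile's code or the researchers' and does not reproduce Tile's actual scheme: a constructed counter-style rotation is compared with IDs derived from a per-tag secret using HMAC-SHA256, plus the owner-side lookup that still resolves a sighting. The rotation period, ID length, key values and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

ROTATION_SECONDS = 900  # assumed rotation period (15 minutes)
ID_BYTES = 8            # assumed length of the broadcast identifier

def epoch_of(ts: int) -> int:
    """Map a Unix timestamp to its rotation epoch."""
    return ts // ROTATION_SECONDS

def weak_id(seed: int, epoch: int) -> bytes:
    # Constructed weak scheme: each new ID is the previous one plus one.
    # No secret is involved, so one capture reveals every later ID.
    return ((seed + epoch) % 2**64).to_bytes(ID_BYTES, "big")

def strong_id(key: bytes, epoch: int) -> bytes:
    # Keyed PRF over the epoch counter: without `key`, IDs from
    # different epochs cannot be tied to one another.
    msg = b"beacon-id-v1" + epoch.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:ID_BYTES]

def follows_public_pattern(ids: List[bytes]) -> bool:
    # Audit check that needs no secret: does each ID equal its
    # predecessor plus one? True means the rotation is linkable.
    vals = [int.from_bytes(i, "big") for i in ids]
    return all(b - a == 1 for a, b in zip(vals, vals[1:]))

def resolve(observed: bytes, ts: int, keys: Dict[str, bytes],
            skew: int = 1) -> Optional[str]:
    # Owner-side lookup: recompute candidate IDs for each registered
    # tag across a small clock-skew window and compare in constant time.
    now = epoch_of(ts)
    for name, key in keys.items():
        for e in range(max(0, now - skew), now + skew + 1):
            if hmac.compare_digest(strong_id(key, e), observed):
                return name
    return None

# Constructed sample data; real per-tag keys would be 32 random bytes
# (e.g. secrets.token_bytes(32)) provisioned when the tag is paired.
SAMPLE_KEYS = {"keys": bytes(range(32)), "bag": bytes(range(32, 64))}
T0 = 1_700_000_000

if __name__ == "__main__":
    e0 = epoch_of(T0)
    print(follows_public_pattern([weak_id(12345, e0 + i) for i in range(5)]))
    print(follows_public_pattern([strong_id(SAMPLE_KEYS["bag"], e0 + i) for i in range(5)]))
    print(resolve(strong_id(SAMPLE_KEYS["bag"], e0), T0 + ROTATION_SECONDS, SAMPLE_KEYS))
```

The same property is what keeps server logs from becoming a tracking data set: a stored `strong_id` value is only linkable by a party holding the tag's key.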
