Tile’s Privacy Failures Leave Trackers Wide Open to Stalking

Security researchers have uncovered critical vulnerabilities in Tile’s location trackers that could allow stalkers to covertly monitor users by exploiting the devices’ lack of encryption. 

The flaws highlight longstanding privacy concerns surrounding Bluetooth-enabled trackers, which are marketed as tools to help people locate lost items but can be exploited for invasive surveillance.

“Tile has, historically, been a bad actor in this space in the sense that they have known about all of these problems with their design choices,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.

Privacy at risk

Tile trackers, manufactured by Life360, are widely used to track personal items such as keys, wallets, or bags. 

However, according to researchers from the Georgia Institute of Technology, the way Tile devices communicate leaves owners exposed to stalking. Unlike Apple AirTags and Samsung SmartTags, which rotate both unique identifiers and MAC addresses, Tile only rotates the unique identifier, allowing adversaries to fingerprint and track a tag indefinitely.

This vulnerability matters because it extends beyond hypothetical misuse. 

Location trackers are already under scrutiny due to high-profile stalking cases involving AirTags, prompting Apple and Google to adopt industry standards for detecting unwanted location trackers.

The tag issue underscores the importance of evaluating third-party devices that may intersect with employee privacy and corporate risk. It also highlights the broader challenge of striking a balance between consumer convenience and robust data protection.

Why tile fails against stalking

At the core of the issue is Tile’s failure to encrypt data broadcast by its trackers.

Each device transmits its MAC address and unique ID in plaintext over Bluetooth. Researchers found that this makes it trivial for attackers to intercept broadcasts using common Bluetooth sniffers or antennas. Once an attacker links a tag’s MAC address to its ID, they can monitor its movements for the device’s lifetime.

But when users enable “anti-theft mode,” which requires uploading a photo ID and agreeing to penalties for misuse, the tracker becomes invisible on Tile’s network. While intended to prevent theft, researchers argue that this feature also prevents victims from discovering they are being tracked.

Compounding the problem, it is reported that data sent to Tile’s servers, including MAC addresses and IDs, is also stored unencrypted. This means not only are users exposed to malicious actors, but the company itself may retain more information than it acknowledges.

Hardening against Bluetooth abuse

To reduce the risks posed by insecure Bluetooth tracking devices, security teams should implement the following safeguards:

• Conduct regular device audits to identify Bluetooth trackers or similar devices present in corporate environments.
• Educate employees on the privacy and security risks of Bluetooth-enabled trackers, including how unencrypted broadcasts can be intercepted.
• Restrict or prohibit the use of personal Bluetooth tracking devices in sensitive or high-security areas, such as data centers or executive offices.
• Recommend or provide alternatives that use stronger privacy protections, such as encrypted transmissions and rotating MAC addresses.
• Monitor for anomalous Bluetooth activity by scanning for unexpected broadcasts or unauthorized devices in office environments.
• Incorporate Bluetooth tracker risks into broader security policies, vendor assessments, and incident response planning exercises.

The fallout: lawsuits and scrutiny

The Tile vulnerability is part of a larger conversation about the unintended consequences of consumer technology. Location trackers are marketed as convenience tools, but their misuse exposes individuals — and by extension, workplaces — to surveillance and safety risks.

The ongoing lawsuits against Tile, Life360, and Amazon over alleged misuse of tracking devices illustrate that regulators and courts are beginning to grapple with the societal impacts of these technologies. 

At the same time, industry standards like the Detecting Unwanted Location Trackers protocol demonstrate that technical safeguards are both possible and necessary.

The lesson is clear: consumer technologies cannot be viewed in isolation. The overlap between personal devices and professional environments means that even products designed for household use can create enterprise-wide risks if their security posture is weak.

Tile’s failure to encrypt communications and adequately rotate device identifiers leaves its trackers vulnerable to abuse by stalkers and other malicious actors. Although Tile claims improvements, research suggests stronger safeguards are still needed.

As consumer devices increasingly double as workplace tools, organizations must consider privacy and security holistically. Even minor design oversights — such as broadcasting an unencrypted MAC address — can have significant real-world consequences if not addressed promptly.

These risks highlight why organizations must move beyond basic defenses and embrace Zero-Trust principles to protect data and users