Tile Trackers Transmit Data in Plain Text, Researchers Warn

Researchers at the Georgia Institute of Technology have discovered that Tile Bluetooth trackers transmit identification data in plain text—making it possible to identify and track their owners.

According to the team, multiple weaknesses in Tile devices contradict the security and privacy assurances offered by manufacturer Life360. Most notably, Tile servers continuously collect tracker location data, MAC addresses, and unique IDs without using end-to-end encryption.

Static Identifiers and Broadcast Risks

The devices themselves broadcast unencrypted Bluetooth signals that can be intercepted. Tile trackers use static MAC addresses, and their unique identifiers are only partially randomized, meaning they repeat over time. This allows attackers to profile and track a person’s movements without their knowledge.

In 2023, several stalking victims sued Life360, claiming that the company’s partnership with Amazon—which integrated Tile into the Sidewalk network—exacerbated risks for victims of surveillance. Since then, Android and Apple have rolled out anti-stalking features, but researchers say Tile trackers remain vulnerable.

A decompilation of the Tile Android app, combined with traffic analysis between a Tile Mate and a Google Pixel 3XL, showed that the tracker constantly broadcasts its static MAC address in plain text, making its anti-stalking measures largely ineffective.

Flawed Safety Features

Tile’s “Scan and Secure” mode, marketed as a safety feature, exposes tags to anyone who scans for them. Meanwhile, its anti-theft feature—intended for hiding devices on valuables—overrides this protection by making trackers invisible to Scan and Secure.

The researchers noted that while Tile servers conceal results for protected devices, a modified application can reveal all private IDs collected during scans.

“All major manufacturers except Tile have already implemented operating system–level anti-stalking measures that run in the background and alert users automatically,” the researchers explained. “By relying solely on manual, user-initiated scans, Tile leaves critical gaps in detection.”

Because Tile operates as a third-party application without OS-level access, it cannot perform background scans unless it adopts Apple or Google protocols.

Company Response

The study focused on the Tile Mate, but researchers believe other Life360 products using the same protocols are likely just as insecure.

“In the version of the protocol we analyzed, Tile constantly collects user location data and can share it with law enforcement or other parties,” the report states. “Users who value privacy should stop using these devices altogether.”

The team first reported the vulnerabilities to Life360 in November 2024, contacting the company’s CEO and customer support because there was no official disclosure channel. While Life360 initially acknowledged the findings, the researchers said communication eventually ceased.

They recommended technical fixes including:

  • Randomizing MAC addresses
  • Encrypting all transmitted data end-to-end
  • Randomizing device identifiers
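
To make the identifier recommendation concrete, the following added example (not code from Tile, Life360 or the researchers) contrasts a static identifier with one derived per time window from a per-device secret. The HMAC construction, the 15-minute period, the key and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

ROTATION_SECONDS = 15 * 60  # assumed rotation period, not a value from the report


def rotating_id(device_key: bytes, unix_time: int, period: int = ROTATION_SECONDS) -> bytes:
    """Identifier broadcast during the time window containing unix_time."""
    window = struct.pack(">Q", unix_time // period)
    return hmac.new(device_key, window, hashlib.sha256).digest()[:8]


def resolve(observed: bytes, owner_keys: dict, unix_time: int,
            period: int = ROTATION_SECONDS, skew_windows: int = 1):
    """Owner side: map an observed identifier back to a device name, or None.

    Neighbouring windows are checked so small clock drift does not break lookup.
    """
    for name, key in owner_keys.items():
        for offset in range(-skew_windows, skew_windows + 1):
            candidate = rotating_id(key, unix_time + offset * period, period)
            if hmac.compare_digest(candidate, observed):
                return name
    return None


def linked_sightings(sightings):
    """Passive observer's view: group sighting times by the identifier seen."""
    groups = {}
    for when, ident in sightings:
        groups.setdefault(ident, []).append(when)
    return groups


# Constructed sample data: one tag observed once an hour for six hours.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
TIMES = [1_700_000_000 + h * 3600 for h in range(6)]
STATIC = [(t, b"\x01\x02\x03\x04\x05\x06\x07\x08") for t in TIMES]
ROTATING = [(t, rotating_id(KEY, t)) for t in TIMES]

if __name__ == "__main__":
    print("static ids   ->", len(linked_sightings(STATIC)), "group(s)")
    print("rotating ids ->", len(linked_sightings(ROTATING)), "group(s)")
    print("owner resolves last sighting ->",
          resolve(ROTATING[-1][1], {"keys-tag": KEY}, TIMES[-1]))
```

With the static identifier every sighting falls into one group, which is what makes long-term profiling possible; with rotation each sighting looks unrelated to anyone who does not hold the device key. The same derivation would have to cover the broadcast MAC address as well, since a static address links the sightings regardless of the payload.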

Life360 later told The Register that it had received the warnings and implemented improvements but offered little detail. The company stated that data in transit to its servers is encrypted and that it is in the process of adopting rotating MAC addresses.