Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Security and Privacy Analysis of Tile's Location Tracking Protocol

Akshaya Kumar, Anna Raymaker, Michael Specter

TL;DR

This paper addresses the privacy and security risks of crowd-sourced location tracking via Tile's Offline Finding protocol by reverse-engineering Tile's Android app to reconstruct the protocol and experimentally validate vulnerabilities. It finds that Tile's servers can learn location histories, that passive RF adversaries can correlate Bluetooth advertisements to track users, and that Anti-Theft and accountability features are weak and exploitable. The work benchmarks Tile against Apple and Samsung, highlighting weaker end-to-end privacy guarantees and proposing concrete mitigations such as end-to-end encryption, real-time privateId generation, and updated authKey handling during transfers. It argues for formal definitions of accountability in Offline Finding networks and calls for greater transparency to balance privacy with abuse deterrence in practical deployments.

Abstract

We conduct the first comprehensive security analysis of Tile, the second most popular crowd-sourced location-tracking service behind Apple's AirTags. We identify several exploitable vulnerabilities and design flaws, disproving many of the platform's claimed security and privacy guarantees: Tile's servers can persistently learn the location of all users and tags, unprivileged adversaries can track users through Bluetooth advertisements emitted by Tile's devices, and Tile's anti-theft mode is easily subverted. Despite its wide deployment -- millions of users, devices, and purpose-built hardware tags -- Tile provides no formal description of its protocol or threat model. Worse, Tile intentionally weakens its antistalking features to support an antitheft use-case and relies on a novel "accountability" mechanism to punish those abusing the system to stalk victims. We examine Tile's accountability mechanism, a unique feature of independent interest; no other provider attempts to guarantee accountability. While an ideal accountability mechanism may disincentivize abuse in crowd-sourced location tracking protocols, we show that Tile's implementation is subvertible and introduces new exploitable vulnerabilities. We conclude with a discussion on the need for new, formal definitions of accountability in this setting.

Security and Privacy Analysis of Tile's Location Tracking Protocol

TL;DR

This paper addresses the privacy and security risks of crowd-sourced location tracking via Tile's Offline Finding protocol by reverse-engineering Tile's Android app to reconstruct the protocol and experimentally validate vulnerabilities. It finds that Tile's servers can learn location histories, that passive RF adversaries can correlate Bluetooth advertisements to track users, and that Anti-Theft and accountability features are weak and exploitable. The work benchmarks Tile against Apple and Samsung, highlighting weaker end-to-end privacy guarantees and proposing concrete mitigations such as end-to-end encryption, real-time privateId generation, and updated authKey handling during transfers. It argues for formal definitions of accountability in Offline Finding networks and calls for greater transparency to balance privacy with abuse deterrence in practical deployments.

Abstract

We conduct the first comprehensive security analysis of Tile, the second most popular crowd-sourced location-tracking service behind Apple's AirTags. We identify several exploitable vulnerabilities and design flaws, disproving many of the platform's claimed security and privacy guarantees: Tile's servers can persistently learn the location of all users and tags, unprivileged adversaries can track users through Bluetooth advertisements emitted by Tile's devices, and Tile's anti-theft mode is easily subverted. Despite its wide deployment -- millions of users, devices, and purpose-built hardware tags -- Tile provides no formal description of its protocol or threat model. Worse, Tile intentionally weakens its antistalking features to support an antitheft use-case and relies on a novel "accountability" mechanism to punish those abusing the system to stalk victims. We examine Tile's accountability mechanism, a unique feature of independent interest; no other provider attempts to guarantee accountability. While an ideal accountability mechanism may disincentivize abuse in crowd-sourced location tracking protocols, we show that Tile's implementation is subvertible and introduces new exploitable vulnerabilities. We conclude with a discussion on the need for new, formal definitions of accountability in this setting.

Paper Structure

This paper contains 28 sections, 5 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Offline finding systems
  4. Security properties and threat models
  5. Tile's claims of security
  6. Related work
  7. Methodology
  8. Tile's offline finding protocol
  9. Owner/Finder registration
  10. Tag activation
  11. Tag-Owner interactions
  12. Tag-Finder-Server interactions
  13. Owner-Server interactions
  14. Scan and Secure
  15. Anti-Theft mode
  16. ...and 13 more sections

Figures (5)

  • Figure 1: The components involved in an OF protocol.
  • Figure 2: An overview of the various steps involved in Tile tracker activation.
  • Figure 3: The authentication protocol used by the Tile tracker to authenticate itself to the owner device.
  • Figure 4: Location reporting in the lost mode.
  • Figure 5: Tile's community information feature.