Tile Trackers Have a Horrible Security Flaw


Summary
- Tile tags broadcast an unencrypted static MAC and static IDs, allowing anyone with RF gear to follow you.
- The Tile network sends the tag's location, MAC and ID unencrypted to servers, allowing mass monitoring.
- Tile's anti-stalking protection is weak: manual scans only, and the anti-theft mode can hide a tracker from detection.
The biggest problem with trackers is how easily stalkers can use them. So when stalkers can use your trackers, that is a problem. And that seems to be what is happening with Tile trackers at the moment. Yikes.
Tile trackers apparently have significant security and privacy flaws that could allow stalkers, and even the company itself, to track users' locations, according to a new report from Georgia Institute of Technology researchers. The findings contradict claims made by Tile's parent company, Life360, about the security of its network.
The research team, made up of Akshaya Kumar, Anna Raymaker and Michael Specter, said that each Tile tag broadcasts an unencrypted MAC address as well as a unique ID. This combination allows anyone with basic radio-frequency equipment to intercept the signal and follow the physical movement of the tag, and by extension its owner, over time. The unique ID rotates periodically, but because the MAC address remains constant, it serves as a permanent fingerprint for the device.
This vulnerability goes beyond simple local tracking. The researchers noted that when a Tile tag's location is picked up by the wider network of users' phones or Amazon Sidewalk devices, this data, including the location, the tag's MAC address and the unique ID, is sent unencrypted to Tile's servers. The paper says this information is probably stored in clear text, giving Tile the ability to conduct “mass monitoring” of its user base. We are not saying this is happening, we are simply saying there is a non-zero chance.
The report also details serious failures in Tile's anti-stalking features. Tile's “Scan and Secure” system, designed to detect unknown tags traveling with a user, is deeply flawed. Unlike Apple's or Samsung's systems, which run continuous, automatic background scans, Tile requires the user to manually start a 10-minute scan while on the move. This makes detection sporadic and dependent on the user's diligence.
Perhaps more alarming, this already weak protection can be disabled completely by a stalker using Tile's “anti-theft mode”. When a tag's owner enables this mode, the device becomes invisible to “Scan and Secure” searches. A stalker could simply enable this feature on a hidden tag, leaving the victim blind to the device following them. Although Tile requires users to submit a government-issued ID to enable the mode and to accept a potential $1 million fine if they are found guilty of stalking, the researchers note that the feature creates a dangerous loophole that other manufacturers have deliberately avoided.
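A continuous background check of the kind the article contrasts with Tile's manual scan could look like the following added example, which is not code from the researchers, Tile or any other vendor. It keys on the broadcast address, which the report says stays constant while the ID rotates; the sighting records, thresholds and function names are assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sightings logged by the user's own phone:
# (unix_time, address, rotating_id, place). All values are made up;
# "place" stands for a coarse location cell.
SIGHTINGS = [
    (0,    "AA:AA:AA:00:00:01", "id-1a", "home"),
    (600,  "BB:BB:BB:00:00:02", "id-9z", "home"),
    (1800, "AA:AA:AA:00:00:01", "id-1b", "train"),
    (1900, "CC:CC:CC:00:00:03", "id-5q", "train"),
    (4200, "AA:AA:AA:00:00:01", "id-1c", "office"),
    (4300, "DD:DD:DD:00:00:04", "id-7k", "office"),
    (4400, "DD:DD:DD:00:00:04", "id-7k", "office"),
]

MIN_PLACES = 3      # assumed threshold: distinct places a tag was seen in
MIN_SPAN_S = 3600   # assumed threshold: seconds between first and last sighting

def followers(sightings, key_index, own_devices=frozenset()):
    """Return keys seen in >= MIN_PLACES places over >= MIN_SPAN_S seconds."""
    seen = defaultdict(lambda: {"times": [], "places": set()})
    for rec in sightings:
        if rec[1] in own_devices:   # skip tags the user has registered as theirs
            continue
        entry = seen[rec[key_index]]
        entry["times"].append(rec[0])
        entry["places"].add(rec[3])
    flagged = []
    for key, entry in seen.items():
        span = max(entry["times"]) - min(entry["times"])
        if len(entry["places"]) >= MIN_PLACES and span >= MIN_SPAN_S:
            flagged.append(key)
    return sorted(flagged)

def by_address(sightings, own_devices=frozenset()):
    # Group on the broadcast address: stable across ID rotations.
    return followers(sightings, 1, own_devices)

def by_rotating_id(sightings):
    # Group on the rotating ID only: each value appears too briefly to correlate.
    return followers(sightings, 2)

if __name__ == "__main__":
    print("flagged by address:", by_address(SIGHTINGS))
    print("flagged by rotating ID:", by_rotating_id(SIGHTINGS))
```

Grouping on the address flags the one tag that travelled with the phone, while grouping on the rotating ID alone flags nothing.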
Georgia Tech's team disclosed its findings to Life360 in November of last year, but they report that the company stopped communicating in February. We do not know whether this will actually lead to changes, but in the meantime, you may want to avoid Tile trackers now that all of this is public information.
Source: Clated via Engadget



