🤖 AI Summary
This paper presents the first comprehensive security analysis of Tile, the second most popular crowd-sourced location-tracking service after Apple's AirTags. It reports three findings that contradict Tile's claimed security and privacy guarantees: Tile's servers can persistently learn the location of every user and tag; unprivileged adversaries can track users through the Bluetooth advertisements Tile devices emit; and Tile's anti-theft mode, which deliberately weakens its anti-stalking protections, is easily subverted. Tile publishes no formal protocol description or threat model and instead relies on a novel "accountability" mechanism intended to punish users who abuse the system to stalk victims. The authors show that this mechanism can itself be subverted and introduces new exploitable vulnerabilities, and they conclude that accountability in crowd-sourced location tracking needs new, formal definitions.
📝 Abstract
We conduct the first comprehensive security analysis of Tile, the second most popular crowd-sourced location-tracking service behind Apple's AirTags. We identify several exploitable vulnerabilities and design flaws, disproving many of the platform's claimed security and privacy guarantees: Tile's servers can persistently learn the location of all users and tags, unprivileged adversaries can track users through Bluetooth advertisements emitted by Tile's devices, and Tile's anti-theft mode is easily subverted.
Despite its wide deployment -- millions of users, devices, and purpose-built hardware tags -- Tile provides no formal description of its protocol or threat model. Worse, Tile intentionally weakens its anti-stalking features to support an anti-theft use case and relies on a novel "accountability" mechanism to punish those who abuse the system to stalk victims.
We examine Tile's accountability mechanism, a unique feature of independent interest; no other provider attempts to guarantee accountability. While an ideal accountability mechanism may disincentivize abuse in crowd-sourced location tracking protocols, we show that Tile's implementation is subvertible and introduces new exploitable vulnerabilities. We conclude with a discussion on the need for new, formal definitions of accountability in this setting.
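The abstract's second finding (an unprivileged adversary can track a user through the Bluetooth advertisements a tag emits) rests on a general property: a passive sniffer can follow a device only if some field of its advertisements stays stable, or rotates so slowly that consecutive values can be chained. The following is an added example, not code from the paper or from Tile, that makes that check concrete. It runs a linkability analysis over a constructed advertisement log: observations are joined whenever they share an advertising address or an identical payload, and each resulting chain is reported with its time span and the set of addresses it covers. The log format, addresses, payload bytes and the 15-minute rotation window are all hypothetical and are not Tile's real advertisement format.

```python
"""Passive BLE advertisement linkability check (added example, not from the paper).

A device is trackable by a passive observer when its advertisements can be chained
across address rotations. Here two constructed devices are logged: device A rotates
its address every 15 minutes but keeps a constant payload, so the payload links the
addresses together; device B rotates address and payload together, so each chain
ends at the rotation boundary. Log format and values are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass

ROTATION_WINDOW = 15 * 60  # hypothetical address-rotation period, in seconds


@dataclass(frozen=True)
class Adv:
    t: int          # seconds since the start of the capture
    mac: str        # advertising address as seen on air
    payload: bytes  # raw advertisement payload


# Constructed capture: "<t> <mac> <hex payload>" per line. Not a real Tile trace.
LOG = """\
0    aa:bb:cc:00:00:01 1eff0101a0
300  aa:bb:cc:00:00:01 1eff0101a0
900  aa:bb:cc:00:00:02 1eff0101a0
1500 aa:bb:cc:00:00:02 1eff0101a0
1800 aa:bb:cc:00:00:03 1eff0101a0
2700 aa:bb:cc:00:00:03 1eff0101a0
0    dd:ee:ff:00:00:01 1eff0202b1
600  dd:ee:ff:00:00:01 1eff0202b1
900  dd:ee:ff:00:00:02 1eff0202c2
1500 dd:ee:ff:00:00:02 1eff0202c2
1800 dd:ee:ff:00:00:03 1eff0202d3
2700 dd:ee:ff:00:00:03 1eff0202d3
"""


def parse_log(text):
    """Parse the constructed log into Adv records, skipping blank lines."""
    advs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, mac, payload = line.split()
        advs.append(Adv(int(t), mac.lower(), bytes.fromhex(payload)))
    return advs


def link_observations(advs, keys=(lambda a: ("mac", a.mac),
                                  lambda a: ("payload", a.payload))):
    """Union-find over observations: two advertisements are linked if any key
    function yields the same value for both. Returns a list of chains."""
    parent = list(range(len(advs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    first_seen = {}  # key value -> index of the first observation carrying it
    for i, adv in enumerate(advs):
        for key in keys:
            k = key(adv)
            if k in first_seen:
                union(i, first_seen[k])
            else:
                first_seen[k] = i

    chains = defaultdict(list)
    for i, adv in enumerate(advs):
        chains[find(i)].append(adv)
    return list(chains.values())


def tracking_report(advs, window=ROTATION_WINDOW):
    """For each chain, report its time span, the addresses it covers, and whether
    it outlives the rotation window (i.e. enables tracking across rotations)."""
    report = []
    for chain in link_observations(advs):
        times = [a.t for a in chain]
        span = max(times) - min(times)
        report.append({
            "span": span,
            "macs": sorted({a.mac for a in chain}),
            "trackable": span > window,
        })
    return sorted(report, key=lambda r: -r["span"])


if __name__ == "__main__":
    for entry in tracking_report(parse_log(LOG)):
        print(entry)
```

The analysis uses only what is visible on air; the adversary needs no account, app, or privileged position, which is what makes the tracking "unprivileged". Linking on the whole payload is the conservative choice; an observer who suspects that only part of a payload is stable (a static manufacturer ID or a slowly changing counter, for example) would add a key function over that sub-field and re-run the same report.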