Review date: Nov. 8, 2021
If you're forgetful, spacy, or just anxious you're going to lose your wallet, trackers are great. Plop one of these little, colorful trackers in your bag, wallet, car, or favorite hoodie and keep track of it through the Bluetooth on your phone and the Chipolo app up to 60 meters around you. Get the Chipolo ONE Spot and get all the same benefits plus track all your belongings in the world through Apple's Find My network of millions of devices. Yay for never (well, probably not never) losing anything ever again.
What could happen if something goes wrong?
Chipolo’s little Bluetooth trackers -- the ONE and the ONE Spot help users track lost stuff. The ONE Spot works on Apple’s huge Find My network, which is great if you’ve lost something out of Bluetooth range. The biggest concern with the Apple ‘s own Airtag trackers that work on their Find My network when they came out earlier in 2021 was whether they could be abused for stalking. Apple took steps to mitigate these concerns, by shortening the time an Airtag will sound an alert when separated from its owner from 3 days down to 8-24 hours. They also promised an Android app to allow Android phones to received alerts too. These are all good, if imperfect, steps forward. And while Chipolo does say they have unwanted tracking protection, unfortunately it looks like Chipolo hasn’t made the same updates to their ONE Spot trackers Apple made to their Airtags to strengthen these protections. In part because it would require a firmware update to the tracking device and Chipolo told us their latest trackers do not have a firmware update mechanism. This is a big concern for a device that could track users just about anywhere in the world on Apple’s Find My network of millions of phones and iPads.
When it comes to privacy, Chipolo says they may share some of your personal information, including name and device IDs with third parties like Google and Facebook for advertising purposes. They also say they may use your location information to provide you with personalized offers with your explicit consent. All in all, Chipolo’s privacy practices aren’t terrible, they also aren’t as strong as the privacy practices Apple uses for their Airtag trackers. Apple also uses stronger encryption to protect your location data.
What’s the worst that could go wrong with Chipolo’s trackers? Well, because we can’t confirm they have implemented the same stronger anti-stalking measures that Apple Airtags have to help protect users from unwanted tracking on Apple’s huge Find My network, we’re concerned the Chipolo ONE Spot tracker could be used to stalk an unsuspecting person, putting them in danger. This is the scary reality of our world with small, cheap tracking devices tied into a network of millions of connected devices. We hope Chipolo figures out how to better protect their user’s from stalking soon.
Tips to protect yourself
Check the tips on how to know if someone is tracking you without your consent.
What can be used to sign up?
What data does the company collect?
Contact information, location
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
No known incidents in the last 3 years.
Can this product be used offline?
Bluetooth connection is still required to use the device.
User-friendly privacy information?
Links to privacy information
Does this product meet our Minimum Security Standards?
A security researcher says that Chipolo app is using static keys, which is weak. (https://blog.d204n6.com/2020/08/ios-chipolo-app-research-and-encrypted.html) According to the company, the physical devices (Chipolos) communicate with the owner's phone via a Bluetooth Low Energy connection and they don't use any extra encryption except what is already provided by the Bluetooth Low Energy's transport layer. There are, however, no personal information included in this communication - it is basically just a mechanism for the app to detect if a specific Chipolo is nearby and to make it ring on demand. Their apps use TLS for encrypting data in transit to the servers"
Only mobile apps require users to login. Chipolo do basic checks for password strength when people decide to use a login with a password.
The latest Chipolo devices does not have a firmware update mechanism. The Chipolo app has regular updates.
Manage security vulnerabilities. Bug bounty is in the process of creation.
Got a comment? Let us hear it.