Chipolo ONE
Wearables Trackers

Chipolo ONE

Chipolo
Bluetooth

Review date: Nov. 8, 2021

|
Mozilla researched 6 hours
|

Mozilla says

|
People voted: Very creepy

If you're forgetful, spacy, or just anxious you're going to lose your wallet, trackers are great. Plop one of these little, colorful trackers in your bag, wallet, car, or favorite hoodie and keep track of it through the Bluetooth on your phone and the Chipolo app up to 60 meters around you. Get the Chipolo ONE Spot and get all the same benefits plus track all your belongings in the world through Apple's Find My network of millions of devices. Yay for never (well, probably not never) losing anything ever again.

What could happen if something goes wrong?

Chipolo’s little Bluetooth trackers -- the ONE and the ONE Spot help users track lost stuff. The ONE Spot works on Apple’s huge Find My network, which is great if you’ve lost something out of Bluetooth range. The biggest concern with the Apple ‘s own Airtag trackers that work on their Find My network when they came out earlier in 2021 was whether they could be abused for stalking. Apple took steps to mitigate these concerns, by shortening the time an Airtag will sound an alert when separated from its owner from 3 days down to 8-24 hours. They also promised an Android app to allow Android phones to received alerts too. These are all good, if imperfect, steps forward. And while Chipolo does say they have unwanted tracking protection, unfortunately it looks like Chipolo hasn’t made the same updates to their ONE Spot trackers Apple made to their Airtags to strengthen these protections. In part because it would require a firmware update to the tracking device and Chipolo told us their latest trackers do not have a firmware update mechanism. This is a big concern for a device that could track users just about anywhere in the world on Apple’s Find My network of millions of phones and iPads.

When it comes to privacy, Chipolo says they may share some of your personal information, including name and device IDs with third parties like Google and Facebook for advertising purposes. They also say they may use your location information to provide you with personalized offers with your explicit consent. All in all, Chipolo’s privacy practices aren’t terrible, they also aren’t as strong as the privacy practices Apple uses for their Airtag trackers. Apple also uses stronger encryption to protect your location data.

What’s the worst that could go wrong with Chipolo’s trackers? Well, because we can’t confirm they have implemented the same stronger anti-stalking measures that Apple Airtags have to help protect users from unwanted tracking on Apple’s huge Find My network, we’re concerned the Chipolo ONE Spot tracker could be used to stalk an unsuspecting person, putting them in danger. This is the scary reality of our world with small, cheap tracking devices tied into a network of millions of connected devices. We hope Chipolo figures out how to better protect their user’s from stalking soon.

Tips to protect yourself

Check the tips on how to know if someone is tracking you without your consent.

  • mobile

Can it snoop on me? information

Camera

Device: No

App: No

Microphone

Device: No

App: No

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

Chipolo may share your data (including Personal Information) with their affiliates or Data Processing Partners. These include, for example, Amazon, Google Analytics, Facebook. Chipolo may share information that can be used to personally identify your device (e.g. persistent identifiers such as IDFA, IDFV, advertising ID and IP address) for the purposes of displaying advertisements.

How can you control your data?

You can request deletion or correction of your information. Chipolo promises they will store your information for no longer than necessary.

What is the company’s known track record of protecting users’ data?

Average

No known incidents in the last 3 years.

Can this product be used offline?

Yes

Bluetooth connection is still required to use the device.

User-friendly privacy information?

Yes

Links to privacy information

Does this product meet our Minimum Security Standards? information

Yes

Encryption

Yes

A security researcher says that Chipolo app is using static keys, which is weak. (https://blog.d204n6.com/2020/08/ios-chipolo-app-research-and-encrypted.html) According to the company, the physical devices (Chipolos) communicate with the owner's phone via a Bluetooth Low Energy connection and they don't use any extra encryption except what is already provided by the Bluetooth Low Energy's transport layer. There are, however, no personal information included in this communication - it is basically just a mechanism for the app to detect if a specific Chipolo is nearby and to make it ring on demand. Their apps use TLS for encrypting data in transit to the servers"

Strong password

Yes

Only mobile apps require users to login. Chipolo do basic checks for password strength when people decide to use a login with a password.

Security updates

No

The latest Chipolo devices does not have a firmware update mechanism. The Chipolo app has regular updates.

Manages vulnerabilities

Yes

Manage security vulnerabilities. Bug bounty is in the process of creation.

Privacy policy

Yes

Does the product use AI? information

No

*privacy not included

Dive Deeper

  • I found my stolen Honda Civic using a Bluetooth tracker. It’s the latest controversial weapon against theft.
    The Washington Post
  • 5 Best AirTag Alter­na­tives for Android Users
    Guiding Tech
  • AirTag vs. Tile Mate vs. Chipolo ONE Spot: Which should you buy?
    iGeeksBlog
  • iOS - Chipolo App Research and Encrypted Realm Databases
    D20 Forensics
  • Can Stalkers Track You Using Apple AirTags?
    Kinza Yasar

Comments

Got a comment? Let us hear it.