AirCatch: Effectively tracing advanced tag-based trackers
Tag-based tracking ecosystems help users locate lost items, but can be leveraged for unwanted tracking and stalking. Existing protocol-driven defenses and prior academic solutions largely assume stable identifiers or predictable beaconing. However, identifier-based defenses fundamentally break down against advanced rogue trackers that aggressively rotate identifiers. We present AirCatch, a passive detection system that exploits a physical-layer constraint: while logical identifiers can change arbitrarily fast, the transmitter’s analog imprint remains stable and reappears as a compact and persistently occupied region in Carrier Frequency Offset (CFO) feature space. AirCatch advances the state of the art along three axes: (i) a novel, modulation-aware CFO fingerprint that augments packet-level CFO with content-independent CFO components that amplify device distinctiveness; (ii) a new tracking detection algorithm based on high core density and persistence that is robust to contamination and evasion through per-identifier segmentation; and (iii) an ultra-low-cost receiver, an approximately 10 dollar BLE SDR named BlePhasyr, built from commodity components, that makes RF fingerprinting based detection practical in resource-constrained deployments. We evaluate AirCatch across Apple, Google, Tile, and Samsung tag families in multi-hour captures, systematically stress-test evasion using a scenario generator over a grid of transmission and rotation periods, and validate in diverse real-world mobility traces including home and office commutes, public transport, car travel, and airport journeys while sweeping background tag density. Across these stress tests, AirCatch achieves no false positives and early detection over a wide range of adversarial configurations and environments, degrading gracefully only in extreme low-rate regimes that also reduce attacker utility.
💡 Research Summary
AirCatch addresses a critical gap in the security of BLE‑based item‑tracker ecosystems such as Apple AirTag, Google Find My, Tile, and Samsung SmartTag. While these systems provide valuable “lost‑mode” location services, they can be repurposed for covert stalking. Existing defenses rely on protocol‑level continuity—stable MAC addresses, predictable advertising intervals, or cryptographic payloads—and therefore break down when an adversary gains firmware control and rotates identifiers rapidly, duty‑cycles transmissions, or mimics benign traffic. AirCatch proposes a fundamentally different detection paradigm that does not depend on any identifier at all.
The key observation is that the analog imprint of a transmitter—principally the Carrier Frequency Offset (CFO) caused by oscillator and synthesizer imperfections—remains stable across arbitrary identifier changes. AirCatch extracts a modulation‑aware CFO fingerprint: besides the classic packet‑level CFO estimate (computed by averaging the phase of successive sample products), it decomposes the packet into symbol‑transition types (e.g., 0→1, 1→0) and computes a CFO value for each transition. This richer feature set captures subtle hardware‑specific quirks (phase‑noise patterns, IQ imbalance, non‑linearities) that are difficult to emulate without redesigning the radio hardware.
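A sketch of the two estimators described above, added here as an illustration; it is not the AirCatch or BlePhasyr code. The sample rate, the crude FSK signal model, the assumption that bits are known from demodulation, and the choice to summarise transitions as midpoints of mirrored pairs are all assumptions made for this example.

```python
import cmath, math
from collections import defaultdict

# Assumed capture parameters: 4 Msps, 4 samples per 1 Mbit/s symbol, 250 kHz deviation.
FS, SPS, DEV = 4_000_000, 4, 250_000

def synth_packet(bits, cfo_hz):
    """Constructed signal: FSK with crude inter-symbol smoothing, shifted by cfo_hz."""
    phase, iq, prev = 0.0, [], bits[0]
    for b in bits:
        shape = 0.8 * (1 if b else -1) + 0.2 * (1 if prev else -1)
        for _ in range(SPS):
            iq.append(cmath.exp(1j * phase))
            phase += 2 * math.pi * (cfo_hz + DEV * shape) / FS
        prev = b
    return iq

def phase_steps(iq):
    """Phase of successive sample products x[n+1] * conj(x[n]), in radians per sample."""
    return [cmath.phase(iq[n + 1] * iq[n].conjugate()) for n in range(len(iq) - 1)]

def to_hz(steps):
    return sum(steps) / len(steps) * FS / (2 * math.pi)

def packet_cfo(iq):
    """Packet-level estimate: average every phase step in the packet."""
    return to_hz(phase_steps(iq))

def transition_cfo(iq, bits):
    """Mean offset per (previous bit, current bit) type; bits come from demodulation."""
    steps, groups = phase_steps(iq), defaultdict(list)
    for k in range(1, len(bits)):
        groups[(bits[k - 1], bits[k])] += steps[k * SPS:(k + 1) * SPS]
    return {kind: to_hz(vals) for kind, vals in groups.items()}

def fingerprint(iq, bits):
    """Packet CFO plus the midpoint of each mirrored transition pair (assumed features)."""
    t = transition_cfo(iq, bits)
    return (packet_cfo(iq), (t[0, 1] + t[1, 0]) / 2, (t[0, 0] + t[1, 1]) / 2)

# Constructed payloads: A has balanced bits, B is three-quarters ones; same 30 kHz offset.
BITS_A, BITS_B = [0, 0, 1, 1] * 8, [1, 1, 1, 0, 0, 1, 1, 1] * 4
FP_A = fingerprint(synth_packet(BITS_A, 30_000), BITS_A)
FP_B = fingerprint(synth_packet(BITS_B, 30_000), BITS_B)
```

In this model the first component of `FP_A` and `FP_B` differs by more than 100 kHz because the payload bit balance leaks into the packet-wide average, while the two transition-conditioned components both recover the 30 kHz offset regardless of payload.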
With these fingerprints, AirCatch implements a high‑core‑density and persistence detection algorithm. Packets are first segmented per identifier to avoid cross‑device contamination. Within each ecosystem (Apple, Google, Tile, Samsung) the CFO vectors are normalized and clustered. A cluster is flagged as a potential tracker when (i) its core region in CFO space is unusually compact (measured by median absolute deviation and inter‑quartile range) and (ii) it persists across multiple time windows, accumulating evidence from many short‑lived identifiers. Because each rotation contributes additional segments from the same physical emitter, the persistence signal actually strengthens under aggressive identifier churn.
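The density-and-persistence idea above, reduced to a single ecosystem and a one-dimensional CFO feature, as an added example that is not the authors' algorithm. The gap-based clustering, the window length, and every threshold are assumptions chosen for the constructed capture embedded in the block.

```python
from collections import defaultdict
from statistics import median, quantiles

# All thresholds are illustrative assumptions, not values from the paper.
WINDOW_S, EPS_HZ = 60, 600
MIN_SEGMENTS, MIN_WINDOWS, MAX_MAD_HZ, MAX_IQR_HZ = 5, 5, 150, 300

def segments(packets):
    """Per-identifier segmentation: one (first window, median CFO) pair per identifier."""
    by_id = defaultdict(list)
    for t, ident, cfo in packets:
        by_id[ident].append((t, cfo))
    return sorted(((min(t for t, _ in p) // WINDOW_S, median(c for _, c in p))
                   for p in by_id.values()), key=lambda s: s[1])

def clusters(segs):
    """Split CFO-sorted segments wherever neighbours are more than EPS_HZ apart."""
    out = []
    for seg in segs:
        if out and seg[1] - out[-1][-1][1] <= EPS_HZ:
            out[-1].append(seg)
        else:
            out.append([seg])
    return out

def detect(packets):
    """Flag clusters that are both compact (MAD, IQR) and persistent across windows."""
    flagged = []
    for c in clusters(segments(packets)):
        if len(c) < MIN_SEGMENTS:
            continue
        cfos, windows = [s[1] for s in c], {s[0] for s in c}
        centre = median(cfos)
        mad = median(abs(x - centre) for x in cfos)
        q1, _, q3 = quantiles(cfos, n=4)
        if mad <= MAX_MAD_HZ and q3 - q1 <= MAX_IQR_HZ and len(windows) >= MIN_WINDOWS:
            flagged.append({"centre_hz": centre, "mad_hz": mad, "iqr_hz": q3 - q1,
                            "segments": len(c), "windows": len(windows)})
    return flagged

def constructed_capture():
    """Constructed data: one tag rotating identifiers each minute, eight passers-by."""
    rogue = [(w * 60 + i * 10, f"rot-{w}", 12_300 + ((w * 5 + i) * 37 % 11 - 5) * 40)
             for w in range(10) for i in range(5)]
    others = [(d * 70 + i * 2, f"bg-{d}", -40_000 + d * 9_000 + (i - 2) * 40)
              for d in range(8) for i in range(5)]
    return rogue + others
```

Each rotated identifier adds one more segment to the same compact CFO region, so the rotating tag is the only cluster that clears both the compactness and the persistence tests; cutting the capture to its first three minutes leaves too few segments to flag anything.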
To make the approach practical, the authors design BlePhasyr, an ultra‑low‑cost (~$10) BLE software‑defined radio built from commodity components (a cheap RF front‑end, a modest ADC, and a microcontroller). BlePhasyr captures raw IQ samples, performs on‑device CFO extraction, and streams the feature vectors to a companion Android app that presents user‑friendly alerts and optional technical diagnostics. The hardware requires only modest processing power and can be deployed in everyday environments (homes, offices, public transport) without specialized calibration.
The evaluation is extensive. Multi‑hour captures of the four major tag families are collected under controlled lab conditions and in the wild (home‑office commutes, buses, cars, and an airport scenario). A scenario generator systematically varies transmission intervals (from 1 s to several minutes) and identifier‑rotation periods, creating a grid of adversarial configurations. Across this grid, AirCatch achieves zero false positives and detects trackers early in the majority of cases. Detection remains robust when transmission intervals are as low as 30 seconds; only in extreme low‑rate regimes (≤ 1 packet per minute) does performance degrade, but such regimes also render the tracker ineffective for real‑time stalking. The system also tolerates dense background traffic, including “AirPods‑like” devices that emit frequently, thanks to the contamination‑resistant segmentation and robust statistical thresholds.
Limitations are acknowledged. An adversary equipped with hardware that deliberately randomizes or compensates CFO could defeat the fingerprint, though this requires substantial modifications to the transmitter’s RF front‑end. Complete silence (no transmissions) also defeats any passive detector, but this eliminates the tracker’s utility. Receiver jamming and physical compromise are out of scope.
In summary, AirCatch contributes:
- A modulation‑aware CFO fingerprint that amplifies device distinctiveness beyond a single scalar offset.
- A passive detection framework that remains effective under per‑packet identifier rotation and duty‑cycling, using core density and persistence metrics.
- An affordable SDR platform (BlePhasyr) that brings RF‑fingerprinting to resource‑constrained deployments.
- A comprehensive end‑to‑end validation across multiple ecosystems, adversarial configurations, and real‑world mobility traces.
The work demonstrates that physical‑layer invariants can provide reliable anti‑stalking guarantees where protocol‑level defenses fail, and it opens avenues for broader adoption of low‑cost RF‑based privacy tools.