
AirCatch: Effectively tracing advanced tag-based trackers

Abhishek Kumar Mishra, Swadeep, Guevara Noubir, Mathieu Cunche

TL;DR

AirCatch tackles the rising threat of advanced BLE trackers that rotate identifiers to evade traditional, protocol-based defenses. It introduces a modulation-aware CFO fingerprint that combines packet-level CFO with transition CFOs, forming a compact 5-dimensional signature that remains stable under per-transmission rotation. Through a segmentation- and core-density–driven detection pipeline, AirCatch detects persistent, densely occupied CFO regions associated with co-located trackers, achieving zero false positives in diverse mobility scenarios. The system is implemented as BlePhasyr, a low-cost BLE SDR, and validated across multiple ecosystems, demonstrating practical viability for real-world anti-tracking deployments.

Abstract

Tag-based tracking ecosystems help users locate lost items, but can be leveraged for unwanted tracking and stalking. Existing protocol-driven defenses and prior academic solutions largely assume stable identifiers or predictable beaconing. However, identifier-based defenses fundamentally break down against advanced rogue trackers that aggressively rotate identifiers. We present AirCatch, a passive detection system that exploits a physical-layer constraint: while logical identifiers can change arbitrarily fast, the transmitter's analog imprint remains stable and reappears as a compact and persistently occupied region in Carrier Frequency Offset (CFO) feature space. AirCatch advances the state of the art along three axes: (i) a novel, modulation-aware CFO fingerprint that augments packet-level CFO with content-independent CFO components that amplify device distinctiveness; (ii) a new tracking detection algorithm based on high core density and persistence that is robust to contamination and evasion through per-identifier segmentation; and (iii) an ultra-low-cost receiver, an approximately 10 dollar BLE SDR named BlePhasyr, built from commodity components, that makes RF fingerprinting based detection practical in resource-constrained deployments. We evaluate AirCatch across Apple, Google, Tile, and Samsung tag families in multi-hour captures, systematically stress-test evasion using a scenario generator over a grid of transmission and rotation periods, and validate in diverse real-world mobility traces including home and office commutes, public transport, car travel, and airport journeys while sweeping background tag density. Across these stress tests, AirCatch achieves no false positives and early detection over a wide range of adversarial configurations and environments, degrading gracefully only in extreme low-rate regimes that also reduce attacker utility.
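To make the detection idea concrete, the following added sketch (not the paper's algorithm or code) segments packets by identifier, reduces each segment to a median 5-dimensional CFO vector (packet-level CFO plus four transition CFOs), and flags regions of CFO space occupied by many identifiers across many time windows. The distance metric, all thresholds, and the sample capture are assumptions constructed for illustration.

```python
import random
from collections import defaultdict
from statistics import median

def segment_centroids(packets):
    """Per-identifier segmentation: one (first_seen, id, median 5-D CFO) per identifier."""
    by_id = defaultdict(list)
    for t, ident, cfo in packets:
        by_id[ident].append((t, cfo))
    return [(min(t for t, _ in rows), ident,
             tuple(median(c[i] for _, c in rows) for i in range(5)))
            for ident, rows in by_id.items()]

def persistent_regions(packets, eps_khz=1.0, min_ids=8, window_s=300, min_windows=4):
    """Flag CFO regions occupied by many identifiers across many time windows.
    All thresholds are assumed values for this sketch, not the paper's."""
    segs, claimed, regions = segment_centroids(packets), set(), []
    for _, ident, core in segs:
        if ident in claimed:
            continue
        # Neighbours of this candidate core within eps (Chebyshev distance, kHz).
        near = [(t, i) for t, i, c in segs
                if max(abs(a - b) for a, b in zip(core, c)) <= eps_khz]
        windows = {int(t // window_s) for t, _ in near}
        if len(near) >= min_ids and len(windows) >= min_windows:
            ids = {i for _, i in near}
            claimed |= ids
            regions.append({"core_khz": core, "ids": ids, "windows": len(windows)})
    return regions

def constructed_capture(with_tracker=True, seed=7):
    """Constructed data: 40 passing tags with stable identifiers, plus an optional
    co-located tracker that uses a fresh identifier for every transmission."""
    rng = random.Random(seed)
    noisy = lambda v: tuple(x + rng.uniform(-0.2, 0.2) for x in v)
    packets = []
    for n in range(40):
        true_cfo = tuple(rng.uniform(-50, 20) for _ in range(5))
        start = rng.uniform(0, 3500)
        packets += [(start + 10 * k, f"bg-{n}", noisy(true_cfo)) for k in range(5)]
    if with_tracker:
        tracker_cfo = (32.0, 30.5, 33.1, 31.2, 34.0)  # made-up values, kHz
        packets += [(30 * k, f"rot-{k}", noisy(tracker_cfo)) for k in range(120)]
    return packets

if __name__ == "__main__":
    for r in persistent_regions(constructed_capture()):
        print(len(r["ids"]), "identifiers,", r["windows"], "windows near", r["core_khz"])
```

An identifier-based detector sees 120 unrelated devices in this capture, each observed once; grouping by CFO region collapses them into a single persistent transmitter.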

Paper Structure (74 sections, 24 equations, 10 figures, 3 tables, 1 algorithm)

Figures (10)

  • Figure 1: BlePhasyr. The BLE micro-SDR receives IQ data and sends triggered IQ bursts to a host for BLE decoding and CFO estimation. The Android app presents an end-user alert and optional technical views of nearby tag activity.
  • Figure 2: Stability of CFO-based fingerprints under SDR capture.
  • Figure 3: BlePhasyr validation: CFO stability/separation on commodity tags, and separability of advanced adversary devices.
  • Figure 4: CFO estimates from prior CFO-based fingerprinting [cfo_ucsd]. Outputs show high variance, contrasting with the stable tens-of-kHz regime of our CFO/transition-CFO pipeline.
  • Figure 5: Transition-CFO fingerprints ($\Delta f_{00}$, $\Delta f_{01}$, $\Delta f_{10}$, $\Delta f_{11}$) in kHz for commodity tags. Transition-conditioned CFO features remain stable per device and provide additional separation beyond a single CFO offset.
  • ...and 5 more figures