ZeroTrace AirLeak

Introduction

Passive RF leakage capture for the room around you

Welcome to ZeroTrace AirLeak

ZeroTrace AirLeak is a passive RF capture tool. It listens to every WiFi management frame and BLE advertisement in range and tells you what's broadcasting around you: names, models, vendors, OS versions, paired-device states, probed-network history, privacy-leakage signals, and more.

A small ESP32-S3-based capture unit handles the radio work. You connect it to a computer over USB-C, open the ZeroTrace Desktop App, and start capturing. The unit ships pre-configured and pre-flashed: plug it in, click Monitor, and see what's around you.


What it does in one paragraph

The unit sweeps every 2.4 GHz WiFi channel and runs a continuous BLE active scan. Each captured frame is decoded into a structured event: probe-requests, beacons, BLE advertisements, scan responses, association attempts, and deauthentications, with full RSN / AKM / MFP parsing for WiFi and full Apple Continuity / Find My / Tile / Eddystone / vendor-payload decoding for BLE. Every observation feeds a live device aggregator whose multi-signal classifier boils all of that down to what the device actually is: iPhone, AirPods Pro 2, Galaxy Watch 5, Samsung TV, AirTag, Tile, smart-home sensor, etc. The desktop app receives the live stream, persists every observation, runs privacy alerts, and presents it all in a fast, filterable UI with per-device detail.


Core capabilities

  • Dual-radio passive capture: WiFi 2.4 GHz channel hopping + BLE 5.0 scan, simultaneously
  • Active BLE scan with friendly-name capture: captures device names that passive-only tools miss
  • 150+ recognized device classes: Apple ecosystem fully decoded, plus Android phones, smart TVs, headphones, fitness trackers, item finders, IoT sensors, vehicles, smart locks, robot vacuums, drones, e-bikes, retail beacons
  • Privacy-leak detection: AirDrop discoverable, Find My separated, corporate / PII SSID in probe-requests, multi-hour MAC followers, separated SmartTags
  • WiFi crypto inspection: full RSN parse with cipher, AKM, MFP, country, BSS load, 802.11r / 802.11k support flags
  • Live event stream: per-event delivery to the desktop with sub-second latency
  • Session recording: every capture auto-saved, replayable, exportable
  • Cross-session library: devices remembered across reboots, fingerprint-keyed, MAC-rotation-tolerant
  • Heartbeat diagnostics: heap, uptime, scan state, drop rate, throttle stats
  • Persistent settings: active scan, scan timing, capture mode all survive reboot
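The WiFi crypto inspection item above comes down to parsing the RSN element (ID 48) that access points broadcast in beacons and probe responses. The following is an added example, not ZeroTrace code: the function names and the two sample elements are constructed for illustration, and it covers only the version, cipher, AKM, and MFP fields.

```python
import struct

# Suite selector types under the IEEE 802.11 OUI 00-0F-AC.
OUI = bytes.fromhex("000fac")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}
LEGACY = {"WEP-40", "WEP-104", "TKIP"}

def _suite(sel, table):
    if sel[:3] != OUI:
        return "vendor:" + sel.hex()
    return table.get(sel[3], f"unknown:{sel[3]}")

def _suite_list(body, off, table):
    """Read a little-endian u16 count, then that many 4-byte selectors."""
    if off + 2 > len(body):          # trailing fields may be omitted
        return [], off
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past end of element")
    return [_suite(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(ie: bytes) -> dict:
    """Parse one RSN element (ID 48) as carried in a beacon or probe response."""
    if len(ie) < 4 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, off = ie[2:], 2
    out = {"version": struct.unpack_from("<H", body)[0], "group": None, "mfp": "none"}
    if off + 4 <= len(body):
        out["group"] = _suite(body[off:off + 4], CIPHERS)
        off += 4
    out["pairwise"], off = _suite_list(body, off, CIPHERS)
    out["akm"], off = _suite_list(body, off, AKMS)
    if off + 2 <= len(body):
        (caps,) = struct.unpack_from("<H", body, off)
        # RSN capabilities: bit 6 = MFP required, bit 7 = MFP capable.
        out["mfp"] = "required" if caps & 0x40 else "capable" if caps & 0x80 else "none"
    out["legacy"] = sorted(LEGACY & ({out["group"]} | set(out["pairwise"])))
    return out

# Constructed sample elements (not captured traffic).
WPA3_SAE = bytes.fromhex("30140100000fac040100000fac040100000fac08c000")
WPA2_MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")

if __name__ == "__main__":
    for name, ie in (("WPA3_SAE", WPA3_SAE), ("WPA2_MIXED", WPA2_MIXED)):
        print(name, parse_rsn(ie))
```

A network whose `legacy` list is non-empty or whose `mfp` is `none` still accepts TKIP/WEP or unprotected management frames, which is the kind of finding a crypto-inspection view would surface.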

What you get out of the box

Each unit ships:

  • Hand-assembled and tested
  • Pre-flashed with the latest firmware
  • Default capture settings tuned for typical environments
  • External-antenna ready (WROOM-1U variant), with a 3 dBi dipole bundled in the box

Use cases

  • Personal threat-surface audit: what does your phone broadcast about you? Your laptop? Your headphones?
  • Room sweep: what trackers, watches, or unknown devices are in this space?
  • Travel privacy: airport / hotel WiFi survey, AirTag-following detection
  • Conference room sanity check: open networks, devices broadcasting hostnames, BLE peripherals advertising
  • Security research: passive RF leakage characterization of consumer devices
  • Vendor engineering: verify a product isn't leaking PII in its BLE advertisements

Authorized use only

ZeroTrace AirLeak captures publicly broadcast RF only: no decryption, no probing of authenticated services. Even so, legal frameworks for passive RF capture vary by jurisdiction. Operate in environments you own or have explicit permission to monitor. See Privacy & Legal for the full picture.