ZeroTrace AirLeak
# Alerts in Practice
Using the alert engine to find what matters
The alert engine turns "AirLeak captures everything" into "AirLeak flags what matters." Each observation runs through the rule set, and matches surface as the device's severity (a color bar in the list) and drive the on-device threat-indicator LED.
This tutorial covers how to read alerts effectively. For the precise trigger of each rule, see the Alert Rules reference.
The firmware fires alerts locally (they fill the on-device alert ring and drive the threat-indicator LED), but it no longer pushes a per-alert event to the app: the app has no alerts-feed consumer yet, and pushing them wasted BLE bandwidth. In the app you currently see their effect as the per-device severity (the red row highlight / Severe filter) rather than as a dedicated alert log. A wired-up alerts feed is a future addition.
## Severity levels
The firmware uses a compact 0–2 band, distinct from a device's 0–100 leakage score:
| Level | Meaning |
|---|---|
| 0, Info | Informational; not necessarily a problem |
| 1, Low | Minor or expected behaviour worth noting |
| 2, High | Real exposure or a strong tracking signal |

## The rules that fire
The BLE-only firmware evaluates these rules:
| Rule | Severity | In one line |
|---|---|---|
| airdrop_discoverable | 2 | A nearby device has AirDrop on "Everyone" |
| high_leakage_score | 2 | A device's combined leakage score hit 60+/100 |
| multi_hour_follower | 2 | A non-random MAC seen across 3+ hour windows |
| smarttag_separated | 2 | A Samsung SmartTag broadcasting away-from-owner |
| findmy_separated | 1 | A Find My / AirTag accessory separated from its owner |
| unknown_tracker_near | 1 | A separated tracker beacon seen persistently, or one signalling UTP |
| nearby_phone_unlocked | 0 | A nearby Apple device unlocked during active audio/call |

Each is rate-limited per device (30 s default; some tracker rules use 5–10 minute windows) so a persistent condition doesn't flood the ring.
## Reading common patterns
### Multi-hour follower (severity 2)
The one to take seriously. A device has been near you across several hours. If you don't recognize it, see Tracker Detection and use Hunt to confirm whether it actually moves with you.
### Find My separated (severity 1)
A Find My device (AirTag or accessory) is broadcasting in separated-from-owner mode. Most are forgotten or lost trackers in public spaces, so on its own this is informational. If one stays with you, it escalates toward multi_hour_follower.
### Unknown tracker near (severity 1)
A separated tracker beacon (Tile / Find My / FMDN) observed repeatedly, or a tracker actively broadcasting an unwanted-tracking-protection signal. Worth a look in a space where you didn't expect a tracker.
### AirDrop discoverable (severity 2)
A nearby iPhone has AirDrop on "Everyone", broadcasting Apple ID / phone-number hash prefixes. Mostly informational; if it's your device, set AirDrop to Contacts-only.
### High leakage score (severity 2)
A device is exposing enough across multiple BLE signals to score 60+/100. Open its detail page to see which signals are driving the score.
## Retired WiFi alerts
Earlier builds of AirLeak fired WiFi-based alerts: corporate / PII / airport / hotel / café SSID-in-probe, open / WEP / WPA-personal networks, WPS, MFP, and deauth bursts. Those were removed along with the WiFi capture path; the BLE-only firmware can't see WiFi, so it can't evaluate them. If you remember those alerts from an older build, that's why they're gone.
## The alert ring
The firmware keeps the most recent 128 alerts in an in-RAM ring (oldest evicted when full). It's operational state, cleared on reboot. For a durable record, the on-flash diagnostic log (diag.read) keeps timestamped heap / safe-mode / boot events.
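To make the two mechanics on this page concrete, the per-device rate limit (30 s default) and the 128-entry in-RAM ring that evicts its oldest entry, here is an added C model that is not AirLeak's firmware code. It implements one rule, multi_hour_follower (a non-random MAC seen across 3+ hour windows, severity 2). Assumptions not on the page: a single rate-limit timestamp per device shared by all rules, a 32-entry device table, and hour windows tracked as a bit mask that wraps after 32 hours.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RING_SIZE 128        /* page: most recent 128 alerts kept in RAM */
#define RATE_LIMIT_S 30      /* page: 30 s default per-device rate limit */
#define FOLLOWER_WINDOWS 3   /* page: non-random MAC seen across 3+ hour windows */
#define MAX_DEVS 32          /* assumption: size of the per-device state table */

typedef struct { uint32_t ts; uint8_t mac[6]; const char *rule; uint8_t severity; } alert_t;
typedef struct { uint8_t mac[6]; uint32_t hour_mask; uint32_t last_alert_ts; bool used; } dev_t;

static alert_t ring[RING_SIZE];
static unsigned ring_head, ring_count;   /* head = next slot to write */
static dev_t devs[MAX_DEVS];

/* Find or allocate per-device state; NULL when the table is full. */
static dev_t *dev_lookup(const uint8_t mac[6]) {
    for (int i = 0; i < MAX_DEVS; i++)
        if (devs[i].used && memcmp(devs[i].mac, mac, 6) == 0) return &devs[i];
    for (int i = 0; i < MAX_DEVS; i++)
        if (!devs[i].used) { devs[i].used = true; memcpy(devs[i].mac, mac, 6); return &devs[i]; }
    return NULL;
}

/* Append an alert, evicting the oldest entry when the ring is full.
 * Returns false when the device is still inside its rate-limit window. */
static bool alert_push(dev_t *d, uint32_t ts, const char *rule, uint8_t sev) {
    if (d->last_alert_ts != 0 && ts - d->last_alert_ts < RATE_LIMIT_S) return false;
    alert_t *a = &ring[ring_head];
    a->ts = ts; memcpy(a->mac, d->mac, 6); a->rule = rule; a->severity = sev;
    ring_head = (ring_head + 1) % RING_SIZE;
    if (ring_count < RING_SIZE) ring_count++;
    d->last_alert_ts = ts;
    return true;
}

/* One BLE observation: MAC, whether the address is a random (rotating) one,
 * and the time in seconds. Returns the severity raised, 0 if nothing fired. */
int observe(const uint8_t mac[6], bool is_random_addr, uint32_t ts) {
    dev_t *d = dev_lookup(mac);
    if (!d || is_random_addr) return 0;          /* rule only counts non-random MACs */
    d->hour_mask |= 1u << ((ts / 3600) % 32);    /* one bit per hour window (assumption) */
    if (__builtin_popcount(d->hour_mask) >= FOLLOWER_WINDOWS &&
        alert_push(d, ts, "multi_hour_follower", 2))
        return 2;
    return 0;
}

unsigned alert_count(void) { return ring_count; }
/* i-th oldest alert still in the ring (0 = oldest). */
const alert_t *alert_at(unsigned i) {
    return &ring[(ring_head + RING_SIZE - ring_count + i) % RING_SIZE];
}
```

Feeding the same non-random MAC at three different hours raises severity 2 once, a second observation 10 s later is swallowed by the rate limit, and after more than 128 alerts only the newest 128 remain.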
## What alerts are NOT
Alerts are heuristics based on observed signals. They are not definitive proof of an attack, not real-time tracking confirmation, and not forensic-grade evidence on their own. Use them as starting points for investigation.
If you enable the threat-indicator LED (led_threat_indicate), fired alerts drive the unit's LED as a hands-off "something nearby is worth a look" cue. Its thresholds are tuned via the threat_* settings; see Settings.