Skip to content

ZeroTrace AirLeak

Privacy Audit

Auditing what your own devices broadcast

Most people don't realize how much their devices say to the room. Their phone broadcasts the network names of every WiFi they've ever joined. Their AirPods reveal battery levels and case state to any nearby device. Their laptop announces its hostname. Their watch broadcasts a unique identifier persistently.

This tutorial walks through using AirLeak to audit your own devices and tighten what they leak.

The setup

You'll do this best in a quiet space — your home, an empty office room. Fewer ambient devices means easier focus on yours.

  1. Connect AirLeak and switch to Monitor.
  2. Open the Devices page.
  3. Bring out the devices you want to audit: phone, laptop, AirPods, watch, etc.
  4. Wait about 60 seconds for them to populate the list.

You should now see your devices in the BLE table. Use Search to find them by name (e.g. type your iPhone's name, or AirPods).

Auditing your iPhone

Click your iPhone in the device list to open its detail page.

What to look at

Header card:

  • Name — does it contain personal info? Sarah's iPhone is identifying. Consider renaming via Settings → General → About → Name to something less personal.
  • Class confidence — should be high (≥80) for a properly-broadcasting iPhone.

Apple state section:

  • Last action — shows when the screen was last on/off, when you were last in a call.
  • OS major version — confirms the iOS version your phone broadcasts. Anyone in BLE range knows this.

Probed SSIDs:

  • Open the collapsible. This is the big one.
  • If you see your home WiFi name (Home_5G, MyFamily-WiFi), your phone is probing for it actively.
  • If you see hotel SSIDs (Hilton_HONORS, Marriott_GUEST), your phone reveals where you've stayed.
  • If you see corporate SSIDs (Acme-Corp-WiFi), your phone reveals your employer.

To reduce probe-leak: forget WiFi networks you no longer need. Settings → WiFi → Edit → tap the i next to each network → "Forget this network."

For corporate WiFi, consider not auto-joining — keep it as a manual-connect-only network.

Auditing your AirPods

Find your AirPods in the BLE table — search for "AirPods" or your case's name.

What to look at

  • Battery section — AirPods broadcast L/R/case battery percentages openly. Anyone nearby with a tool like AirLeak can see your AirPods are at 30 % left, 28 % right.
  • Lid state — opening the case is observable. So is "in your ear vs in the case."
  • Adv interval — pairing mode (lid open) advertises every ~30 ms; idle mode every ~1280 ms. If you see fast advertising frequently, the lid is opening more than you think.

There's not much to fix here — AirPods are designed to broadcast their pair-state widely, that's how they pair instantly with your devices. But it's worth knowing the privacy cost.

Auditing your laptop

Search for your laptop. Windows machines typically show as DESKTOP-XXXXX; Macs show MacBook plus the user-customized name.

What to look at

  • Name — Windows machines default to DESKTOP-<random> which is fine. Macs default to <UserFirstName>'s MacBook which is identifying. Consider renaming.
  • MAC — laptops often have stable BLE MACs. Compare across multiple sessions: if the same MAC keeps appearing, your laptop's BLE address is permanent.
  • Service UUIDs — desktops/laptops typically expose Device Information (0x180A), Battery (0x180F), and HID (0x1812).

To reduce identifiability:

  • Rename the device to something generic
  • Disable Bluetooth when you don't need it (at conferences, in public spaces)

Auditing your watch

Apple Watches and Galaxy Watches both broadcast persistently.

What to look at

  • Name — Apple Watches inherit name from your iPhone (Sarah's Apple Watch). Galaxy Watches default to Galaxy WatchN (XXXX) with a 4-character suffix.
  • Action chip — Apple Watches surface action codes for unlocked / on-wrist / locked state.
  • Linked MACs — watches rotate MACs frequently. Linked-MAC count tells you how many rotations you've observed.

Watches can't really be "fixed" privacy-wise — they're designed for constant connectivity to the paired phone, which requires constant advertising.

Auditing your smart-home devices

Search for [TV], Echo, Nest, LIFX, Hue, etc. Or use the filter chip "Smart Home."

What to look at

  • Friendly name — many smart devices include their model in the name ([TV] Samsung 5 Series (49)). Pre-pairing devices may broadcast the original SKU.
  • Service UUIDs — reveals capability (lights, locks, sensors).
  • Vendor IEs in beacons (for AP-class devices like Nest Hub) — exposes brand even if name is generic.

Smart-home devices are usually designed to be discoverable for setup, so leakage is a feature not a bug. The audit value is knowing what's on the air so you understand your environment.

Auditing your home WiFi router

Switch to the WiFi networks tab. Find your home network.

What to look at

  • Encryption — should be WPA2-Personal at minimum, ideally WPA3-Personal or mixed.
  • MFP — Management-Frame-Protection: WPA3 mandates it. WPA2 networks should at least be MFP-capable. WPA2-Personal with MFP off is an alert.
  • WPS — WPS-PIN is brute-forceable in hours. Disable WPS entirely on your router.
  • BSS Load — number of associated stations. If higher than you expected, someone's using your network.
  • Hidden — hiding the SSID provides no real security (the network leaks itself constantly via management frames). It just makes it slightly more annoying to connect.
  • Country IE — should match your actual country. A misconfigured router with the wrong country may use the wrong channels and power.

To fix issues:

  • WPS-enabled → router admin → disable WPS
  • WEP → router is years out of date; replace it
  • WPA2 only without MFP → upgrade router firmware or replace with WPA3-capable hardware
  • WPA-Personal → check router admin, switch to WPA2-Personal at minimum

Auditing what you broadcast in public

Take the AirLeak with you to a coffee shop, airport, or co-working space. Pause the table on the desktop. Then walk through the space with your devices and watch them appear in the live view.

The exercise is sobering — you can see exactly what radio traces you leave wherever you go. It's a strong motivator to:

  • Rename devices to be less personal
  • Forget unused WiFi networks
  • Turn Bluetooth off when not actively using it
  • Set AirDrop to Contacts-only

A simple privacy checklist

Run AirLeak. For each of your devices, check:

  • Friendly name doesn't reveal your real first name
  • No corporate SSID in probed networks
  • No hotel / airport SSIDs you don't want exposed
  • No "personal" SSID names (Sarah's Hotspot)
  • AirDrop set to Contacts-only (not Everyone)
  • iOS / OS version is current (patch leaks)
  • Home network is at least WPA2-Personal with MFP capable
  • WPS disabled on your router
  • Bluetooth turned off on devices that don't need it on
Most leaks are easily fixed

90 % of personal-privacy leaks are fixed by two settings: renaming devices to non-personal names and forgetting old WiFi networks. Spend 10 minutes on those two and your radio footprint shrinks dramatically.

Command Palette

Search for a command to run...