ZeroTrace AirLeak
Tracker Detection
Finding AirTags, Tile, SmartTag, and other unwanted trackers near you
One of AirLeak's most useful jobs: surfacing the small Bluetooth trackers around you. These devices broadcast continuously when separated from their owner, which is exactly what makes them findable — and exactly what makes them potentially abusable when used to follow someone.
What AirLeak can detect
| Tracker | How AirLeak sees it |
|---|---|
| Apple AirTag | Find My advertisements (separated state, public-key prefix) |
| Apple Find My-network accessory | Same protocol as AirTag, different vendor (Eve, Belkin, etc.) |
| Tile (Mate / Pro / Slim / Sticker) | Tile-specific Service UUID |
| Samsung SmartTag / SmartTag+ / SmartTag 2 | Samsung BLE advertisement with state byte |
| Google Find My Network accessory | FMDN (Eddystone-style) advertisement |
| Pebblebee | Vendor-specific Service UUID |
| Chipolo | Vendor name patterns |
| Generic unknown trackers | Tracker-class fallback when shape matches |
Each tracker class gets its own icon and class label in the device list.
Doing a one-off tracker sweep
The fastest privacy check. Takes about 2 minutes.
- Connect the AirLeak and switch to Monitor.
- Wait 60 seconds for the radios to populate the device list.
- Open Devices → BLE devices.
- Click the filter dropdown → Trackers.
You now have a clean list of every tracker in range. Some will be yours (the AirTag on your keys). Some may be strangers' — left in a public place, in a car park, in a hotel. Most are harmless.
What to look at for each:
- Name — sometimes a friendly name reveals a lot
- Class — AirTag vs Tile vs SmartTag tells you the ecosystem
- Signal — strong signal = close to you, weak = far
- First seen — recent first-seen + persistent observation = it's been near you a while
Click any row to open its detail page for the full picture.
Catching a tracker that's following you
This is the scenario AirLeak was specifically built for. The multi_hour_follower alert fires when a tracker has been near you for more than 3 hours.
The workflow:
-
Run AirLeak in Monitor mode while you go about your day. Take it on errands, commutes, meetings.
-
Check Alerts periodically. A
multi_hour_followeralert means a tracker has been with you for a long time. Look at the alert's device — is it familiar? -
If unfamiliar, investigate further. Click the tracker, open its detail page. The Linked MACs section will show every MAC observed (trackers rotate their MAC); the first-seen timestamp tells you how long.
-
Locate the device physically. Modern AirTags can be made to play a sound via the iOS / Android Find My app, even by non-owners. Use that to find it.
-
Document the encounter. The session export contains everything you need for a report (timestamps, MACs, fingerprint, observation count).
-
If serious, contact authorities. Local police can subpoena Apple / Tile / Samsung for the tracker owner's identity.
Distinguishing yours from theirs
The most common false alarm is your own AirTag. To suppress it:
- Open the tracker's detail page.
- Click Mark as own in the header.
The desktop now flags this device as yours and excludes it from multi_hour_follower scoring. The next time you carry your own AirTag with you all day, the alert won't fire.
You can also add a note like "AirTag on keys" so future sessions remember.
What separated mode tells you
A tracker in "separated from owner" mode is broadcasting more aggressively than a tracker that's near its owner — typically every 2 seconds vs every 30+ seconds.
In the device detail you'll see:
findmy_separatedalert fired- Adv interval ~2000 ms (not the longer idle interval)
- The Find My state byte indicating separated mode
Persistent separated mode for many hours means the tracker has been away from its owner for that whole time. That's the situation that triggers multi_hour_follower.
A tracker fluctuating between separated and near-owner suggests its owner is moving in and out of range — they're nearby but maybe in a different room.
Common false positives
| Scenario | What you see | Why it's not a stalker |
|---|---|---|
| AirTag forgotten in a public place | Persistent separated mode | The owner lost it, not you. Walk away — the alert won't follow. |
| Neighbor's AirTag through the wall | Steady RSSI, doesn't move with you | It's static; you're moving past it. |
| AirTag in your car when you're not driving | Mostly separated | It's tagged to your vehicle; mark as own. |
| Conference / co-working space trackers | Multiple trackers, all separated | High-density public spaces have lots of forgotten trackers. |
The diagnostic question: does the tracker move with you? Capture in two locations and check if the same fingerprint appears in both. If yes, it's following. If only one, it's stationary.
What about Apple's built-in detection?
Modern iPhones detect AirTags following you through iOS's "Items Found Moving With You" feature. AirLeak's detection is complementary, not replacement:
| AirLeak | iOS built-in |
|---|---|
| Detects AirTag, Tile, SmartTag, FMDN | AirTag and Find My accessories only |
| Detects within 3 hours | Detects within ~8 hours |
| Logs forensic detail (MACs, RSSIs, timestamps) | Just an alert |
| Works without an Apple ID | Requires iPhone, Apple ID |
| Catches trackers that haven't broken into separated mode yet | Only after they hit separated state |
For Tile and SmartTag, AirLeak is one of the only tools available to consumers.
Reading the tracker's broadcast in detail
Open a tracker's device detail page. The Identifiers section shows the tracker's:
- Fingerprint (stable across MAC rotation)
- Public-key prefix (for AirTags / Find My accessories)
- Vendor / Service UUID
Combined with the Linked MACs history, this gives you proof: same tracker, multiple MACs, observed across multiple time windows.
A single multi_hour_follower alert is rarely a stalker. Forgotten trackers in public places are common. If the alert fires, walk to a different location and come back. If the same tracker reappears wherever you go, that's when to act.