ZeroTrace AirLeak
What AirLeak Sees
The devices and BLE signals AirLeak can identify
A reference for what AirLeak captures and classifies. Every device class below is recognized by the firmware and rendered with its own icon and metadata in the mobile app.
AirLeak is a passive Bluetooth Low Energy listener. It does not capture WiFi. Everything on this page is derived from BLE advertisements and scan responses.
Device classes
The classifier emits one of these labels per observed device, with a confidence score (0–100). These are the labels the firmware's classifier actually produces (src/enrichment/device_class.h).
Apple ecosystem
| Class | What it identifies |
|---|---|
iphone | iPhone |
ipad | iPad |
macbook | Mac laptop |
apple_watch | Apple Watch (any series) |
apple_tv | Apple TV box |
homepod | HomePod / HomePod mini |
airpods | AirPods family (incl. Pro / Max and Beats variants, with battery + lid state when broadcast) |
airtag | Apple AirTag |
apple_device | Apple device, form factor not yet pinned |
Phones
| Class | What it identifies |
|---|---|
samsung_phone | Samsung Galaxy phones |
pixel_phone | Google Pixel |
android_phone | Generic / other Android phones |
PCs / TVs
| Class | What it identifies |
|---|---|
windows_pc | Windows desktop / laptop (Microsoft Continuity / Swift Pair) |
smart_tv | Smart TVs |
Wearables
apple_watch, plus a generic smart_watch class for non-Apple watches and bands.
Trackers / item finders
| Class | What it identifies |
|---|---|
airtag | Apple AirTag (Find My) |
tile | Tile |
samsung_smarttag | Samsung SmartTag (with separated / moving / owner-nearby state when broadcast) |
google_tracker | Google Find My Network (FMDN) accessory |
Audio
| Class | What it identifies |
|---|---|
airpods | (above) |
headphones | Bluetooth headphones / earbuds |
bluetooth_speaker | Bluetooth speakers and smart speakers |
Smart home / IoT
| Class | What it identifies |
|---|---|
iot_sensor | Generic IoT sensors |
homekit_light | HomeKit-style smart bulbs |
homekit_lock | Smart locks |
homekit_sensor | HomeKit-class sensors |
homekit_other | Other HomeKit-class accessories |
matter_device | Matter-protocol devices |
Other
| Class | What it identifies |
|---|---|
printer | Bluetooth printers |
vehicle | Connected vehicles |
fitness_device | Cycling / running / strength sensors and equipment |
hid_device | Bluetooth keyboards / mice / gamepads |
flipper_zero | Flipper Zero |
beacon | iBeacon / Eddystone beacons with no other class match |
Fallbacks
When no specific class can be determined, the classifier emits a less specific label:
apple_device, has an Apple manufacturer ID but ambiguous subtypegeneric_ble, a recognized BLE device with no class matchunknown, no signals matched
What gets captured per device
For every device, AirLeak surfaces the following fields whenever they're broadcast (see DeviceRecord in src/enrichment/device_aggregator.h):
| Field | Description |
|---|---|
| BLE name | The device's BLE local name (from advertisement or scan response) |
| MAC | Current address, with a random/locally-administered flag |
| Vendor | OUI / BLE company-ID lookup |
| Company ID | Bluetooth SIG company identifier |
| Class + confidence | Classifier verdict |
| RSSI | Last, best, min/max, and a smoothed EMA |
| TX power | Device's transmit power (when broadcast) |
| Distance estimate | Computed from RSSI + measured power |
| Advertising interval / rate | BLE advertising cadence |
| Apple model | Decoded Apple model string (when present) |
| Apple action / lock state | Last Continuity Nearby Info action; locked / unlocked |
| iOS major | iOS major version (when broadcast) |
| AirPods battery | L / R / case percentages + per-pod charging + lid state |
| Find My state | Separated-from-owner, unwanted-tracking-protection (UTP) flag, public-key prefix, battery level |
| AirDrop state | Discoverable ("Everyone"), with phone-number / Apple ID hash prefixes |
| Handoff sequence | Apple Continuity handoff sequence number |
| Service UUID list | Up to 8 advertised service UUIDs |
| Appearance code | GAP appearance (phone, watch, headset, etc.) |
| Fingerprint | Stable hash used to track a device across MAC rotation |
| Leakage score | 0–100 combined privacy-exposure score |
Event types
The firmware tags each decoded advertisement with one or more BLE event types (src/types/airleak_types.h):
- BLE device seen (generic advertisement)
- BLE Apple Continuity (any subtype)
- BLE Tile
- BLE Find My
- BLE Microsoft Swift Pair
- BLE Google Fast Pair
- BLE Eddystone
- BLE Samsung SmartTag
- BLE Google Find My Network (FMDN)
Each observation updates the device's aggregated record, which streams to the app as a coalesced delta.
When a field is shown but its underlying value hasn't been observed (e.g. no name on a randomized MAC), the app renders an em-dash instead of guessing.