Skip to content

ZeroTrace AirLeak

What AirLeak Sees

The full taxonomy of devices and events AirLeak can identify

A reference for what AirLeak captures and classifies. Every device class below is recognized by the firmware and rendered with its own icon and metadata in the desktop app.

Device classes

The classifier emits one of these labels per observed device, with a confidence score (0–100).

Apple ecosystem

ClassWhat it identifies
iphoneiPhone, idle or active
ipadiPad
macbookMac laptop
imacMac desktop
apple_watchApple Watch (any series)
apple_tvApple TV box
homepodHomePod / HomePod mini
apple_vision_proVision Pro
airpodsAirPods (1st / 2nd / 3rd gen)
airpods_pro / airpods_pro_2AirPods Pro
airpods_maxAirPods Max
Beats familyBeatsX, Solo3, Solo Pro, Solo 4, Studio3, Studio Pro, Studio Pro 2, Powerbeats3, Powerbeats Pro, Beats Flex, Beats Pill
airtagAirTag
findmy_accessoryNon-AirTag Find My-network accessory
apple_deviceApple device, form factor not yet pinned

Apple accessories (HID / pencils / cases)

Apple Pencil family, Magic Mouse / Magic Mouse 2 / Magic Mouse USB-C / Magic Mouse 2025, Magic Keyboard variants, Magic Trackpad family, Apple TV Remote, Vision Pro Battery, iPad Smart Folio, Apple Pencil Pro Charger.

Phones

ClassWhat it identifies
samsung_phoneSamsung Galaxy phones (Galaxy S, Note, Z, A series)
pixel_phoneGoogle Pixel / Nexus
android_phoneGeneric Android phones — Xiaomi / Redmi / POCO, OnePlus, OPPO, Realme, vivo, Huawei, Honor, Asus ROG, Nothing Phone, Sony Xperia, Motorola, Tecno, Infinix

PCs

ClassWhat it identifies
windows_pcWindows desktop / laptop (Microsoft Continuity, Swift Pair, Find My Device)
surfaceMicrosoft Surface device
xboxXbox console
linux_pcLinux laptop with BlueZ-style advertisement

Wearables

apple_watch, galaxy_watch, pixel_watch, Garmin watch family, Fitbit family, Polar, Suunto, Coros, Amazfit, Mi Band / Mi Watch, WHOOP, Oura ring, Withings, Eight Sleep, generic smart_watch.

Trackers / item finders

ClassWhat it identifies
airtagApple AirTag
tileTile (Mate, Pro, Slim, Sticker)
samsung_smarttagSamsung SmartTag / SmartTag+ / SmartTag 2 (with separated / moving / owner-nearby state)
google_trackerGoogle Find My Network accessory
chipoloChipolo
pebblebeePebblebee tracker

Audio

ClassWhat it identifies
airpods family(above)
headphonesBose QC / QC Ultra / QC45, JBL, Sennheiser, Jabra Elite / Talk / Evolve, Sony WH / WF (incl. XM5 / XM6), Sony LinkBuds / ULT / Float, Galaxy Buds 3 / Live / FE, Pixel Buds Pro 2, Anker Soundcore, Marshall Major / Minor / Motif, Bowers & Wilkins, Master & Dynamic, AKG, Shure, Nothing Ear / CMF, OPPO Enco, Huawei FreeBuds, OnePlus / Realme / Xiaomi / Redmi Buds, Plantronics / Poly, Audio-Technica, Beats Pill / Solo 4 / Studio Pro 2
bluetooth_speakerBose, Sonos Roam / Move / Era, Beats Pill, Marshall Stockwell / Kilburn / Acton / Stanmore / Woburn, Echo Dot / Show / Studio / Pop / Hub, Nest Audio / Mini / Hub, Google Home

Smart home / IoT

ClassWhat it identifies
iot_sensorGeneric IoT sensors (Tuya, Mijia, SwitchBot, Govee, Sonos, Amazon Sidewalk, …) — chip vendor and product brand recognized for hundreds of OEMs
homekit_lightHomeKit-style smart bulbs: Yeelight, WyzeBulb, Sengled, GE Cync, TP-Link Tapo / Kasa, LIFX, Nanoleaf, Govee, Mi LED, Ledvance
homekit_lockSmart locks: Schlage, Yale, Kwikset, August, Level Lock, Aqara, Eve Lock
homekit_otherOther HomeKit-class accessories
matter_deviceMatter-protocol devices

Other

ClassWhat it identifies
printerBluetooth printers and label printers (HP, Canon, Brother, Epson, Lexmark, Xerox, Ricoh, Kyocera, OKI, Brother HL, Pantum, Star, Bixolon, Citizen, Polaroid, instax, Canon SELPHY, HP Sprocket)
vehicleConnected vehicles (Tesla, VW, BMW, MercedesMe, Honda, Toyota, GM OpenLink, FordPass, MyAudi, Volvo OnCall, Subaru, Hyundai Blue Link, Kia Connect, Lexus, JLR InControl, Polestar, Rivian, Lucid)
fitness_deviceCycling / running / strength sensors and equipment (Garmin Edge, Wahoo TICKR / ELEMNT / KICKR, TACX, Zwift Hub, Concept2, Peloton, Stages, PowerTap, Stryd, Saris, 4iiii, Quarq, Power2Max)
hid_deviceBluetooth keyboards / mice / gamepads (Logitech MX, Razer, Corsair, ROG, Glorious, Keychron, Cherry KW, RealForce)
flipper_zeroFlipper Zero
beaconiBeacon / Eddystone retail beacons with no other class match

Fallbacks

When no specific class can be determined, the classifier emits a less specific label:

  • apple_device — has Apple manufacturer ID but ambiguous subtype
  • microsoft_device — has Microsoft manufacturer ID, ambiguous CDP type
  • wifi_ap_consumer / wifi_ap_enterprise / wifi_ap_isp_router / wifi_ap_mobile_hotspot — for WiFi APs
  • unknown — no signals matched

What gets captured per device

For every device, AirLeak surfaces the following fields whenever they're broadcast:

FieldDescription
Friendly nameThe device's BLE local name or WiFi SSID
MAC / BSSIDCurrent address
VendorOUI lookup or BLE company ID lookup
Class + confidenceClassifier verdict
RSSICurrent and best-seen signal strength
TX powerDevice's transmit power (when broadcast)
Distance estimateComputed from RSSI + TX
Advertising intervalBLE advertising rate
OS major versioniOS major (when broadcast)
Apple action / lock stateLive state: screen on / off, in call, locked / unlocked
Battery levelsAirPods L / R / case, AirTag battery class, headphone battery
Find My stateOwner-nearby vs separated, unwanted-tracking-protection flag
Service UUID listEvery service the device advertises
Appearance codeGAP appearance (phone, watch, headset, etc.)
Probed SSIDsEvery SSID a probing client has asked for
Linked MACsWhen fingerprinting merges multiple MACs into one identity

WiFi network details

For every WiFi network observed, AirLeak captures:

FieldDescription
SSIDNetwork name (or hidden)
BSSIDAccess point MAC
Channel1–13 (2.4 GHz)
GenerationWiFi 4 / 5 / 6 / 7 (when advertised)
EncryptionOPEN / WEP / WPA-Personal / WPA2-Personal / WPA2/3-Mixed / WPA3-Personal / WPA2-Enterprise / WPA3-Enterprise-192 / OWE
AKM suitePSK / SAE / 802.1X / FT-PSK / FT-SAE / OWE / etc.
Group + pairwise ciphersTKIP / CCMP-128 / CCMP-256 / GCMP-128 / GCMP-256
MFPRequired / capable / off
CountryCountry code IE
BSS loadAssociated station count + channel utilization
802.11r / 802.11kFast-roaming / radio-measurement support flags
WPSWPS-PIN / WPS-PBC availability
Beacon intervalBeacon period in TU

Privacy-leak signals

These signals are tracked per-device and feed both the alert engine and the device's leakage assessment:

SignalWhat it indicates
AirDrop discoverableThe device's AirDrop is set to "Everyone" — phone-number / Apple ID hash is broadcast
Find My separatedFind My beacon's full-offline bit is set — accessory is away from owner
Corporate SSID in probeA probe-request for a corporate-naming-pattern SSID
PII SSID in probeA probe-request for a personally-named SSID (Sarah's iPhone, Mom's Hotspot)
Hotel / airport / coffee SSIDA probe-request for a known travel / cafe network
MAC randomizationLocally-administered or RPA address (privacy mode)
Unlocked during callDevice's screen unlocked while audio / call active
Multi-hour followerSame identity observed across ≥3 hour windows
Unwanted-tracking-protectFind My frame's UTP bit set
Open network nearbyUnencrypted WiFi network observed
Deauthentication burst5+ deauth frames in 10 s targeting one client

Event types

The desktop categorizes every captured event into one of these types:

  • WiFi probe-request
  • WiFi beacon
  • WiFi probe-response
  • WiFi association request
  • WiFi reassociation request
  • WiFi deauthentication
  • BLE device seen (generic advertisement)
  • BLE Apple Continuity (any subtype)
  • BLE Find My
  • BLE Tile
  • BLE Samsung SmartTag
  • BLE Google Find My Network (FMDN)
  • BLE Eddystone
  • BLE Microsoft Swift Pair
  • BLE Google Fast Pair

Each event flows live to the desktop with full payload — channel, RSSI, decoded fields, timestamps.

When a field is shown but its underlying capability is unavailable (e.g. "Vendor —" on a randomized MAC) the desktop renders an em-dash instead of guessing.

Command Palette

Search for a command to run...