AirCatch: Effectively tracing advanced tag-based trackers

Tag-based tracking ecosystems help users locate lost items, but can be leveraged for unwanted tracking and stalking. Existing protocol-driven defenses and prior academic solutions largely assume stable identifiers or predictable beaconing. However, identifier-based defenses fundamentally break down against advanced rogue trackers that aggressively rotate identifiers. We present AirCatch, a passive detection system that exploits a physical-layer constraint: while logical identifiers can change arbitrarily fast, the transmitter's analog imprint remains stable and reappears as a compact and persistently occupied region in Carrier Frequency Offset (CFO) feature space. AirCatch advances the state of the art along three axes: (i) a novel, modulation-aware CFO fingerprint that augments packet-level CFO with content-independent CFO components that amplify device distinctiveness; (ii) a new tracking detection algorithm based on high core density and persistence that is robust to contamination and evasion through per-identifier segmentation; and (iii) an ultra-low-cost receiver, an approximately 10 dollar BLE SDR named BlePhasyr, built from commodity components, that makes RF fingerprinting based detection practical in resource-constrained deployments. We evaluate AirCatch across Apple, Google, Tile, and Samsung tag families in multi-hour captures, systematically stress-test evasion using a scenario generator over a grid of transmission and rotation periods, and validate in diverse real-world mobility traces including home and office commutes, public transport, car travel, and airport journeys while sweeping background tag density. Across these stress tests, AirCatch achieves no false positives and early detection over a wide range of adversarial configurations and environments, degrading gracefully only in extreme low-rate regimes that also reduce attacker utility.