Tag-based tracking ecosystems help users locate lost items, but can be leveraged for unwanted tracking and stalking. Existing protocol-driven defenses and prior academic solutions largely assume stable identifiers or predictable beaconing. However, identifier-based defenses fundamentally break down against advanced rogue trackers that aggressively rotate identifiers. We present AirCatch, a passive detection system that exploits a physical-layer constraint: while logical identifiers can change arbitrarily fast, the transmitter's analog imprint remains stable and reappears as a compact and persistently occupied region in Carrier Frequency Offset (CFO) feature space. AirCatch advances the state of the art along three axes: (i) a novel, modulation-aware CFO fingerprint that augments packet-level CFO with content-independent CFO components that amplify device distinctiveness; (ii) a new tracking detection algorithm based on high core density and persistence that is robust to contamination and evasion through per-identifier segmentation; and (iii) an ultra-low-cost receiver, an approximately 10 dollar BLE SDR named BlePhasyr, built from commodity components, that makes RF fingerprinting based detection practical in resource-constrained deployments. We evaluate AirCatch across Apple, Google, Tile, and Samsung tag families in multi-hour captures, systematically stress-test evasion using a scenario generator over a grid of transmission and rotation periods, and validate in diverse real-world mobility traces including home and office commutes, public transport, car travel, and airport journeys while sweeping background tag density. Across these stress tests, AirCatch achieves no false positives and early detection over a wide range of adversarial configurations and environments, degrading gracefully only in extreme low-rate regimes that also reduce attacker utility.

翻译：基于标签的跟踪生态系统可帮助用户定位遗失物品，但也可被滥用于非自愿跟踪与尾随。现有的协议驱动防御方案及先前的学术研究大多假设标识符稳定或信标模式可预测。然而，针对频繁轮换标识符的高级恶意跟踪器，基于标识符的防御机制从根本上失效。本文提出AirCatch——一种被动检测系统，其利用物理层约束：虽然逻辑标识符可任意快速变更，但发射器的模拟特征保持稳定，并在载波频率偏移（CFO）特征空间中呈现为紧凑且持续占据的区域。AirCatch在三个维度推进了现有技术：（i）一种新颖的、调制感知的CFO指纹，通过增强与内容无关的CFO分量来强化设备区分度，从而扩展了数据包级CFO特征；（ii）基于高核心密度与持久性的新型跟踪检测算法，通过按标识符分段处理，对污染与规避行为具有鲁棒性；（iii）一种超低成本接收器（名为BlePhasyr，约10美元的BLE软件定义无线电），由商用组件构建，使得基于射频指纹识别的检测在资源受限场景中具备实用性。我们在多小时采集数据中对Apple、Google、Tile及三星标签系列进行评估，通过场景生成器在传输与轮换周期网格上系统化压力测试规避策略，并在涵盖家庭与办公室通勤、公共交通、汽车出行及机场行程的多样化真实移动轨迹中验证系统性能，同时扫描背景标签密度。在所有压力测试中，AirCatch在广泛的对抗配置与环境条件下实现了零误报与早期检测，仅在极端低速率场景（此类场景亦会降低攻击者效用）中性能逐步下降。