This work addresses the challenge of illicit tracking via sophisticated tag trackers that evade detection by frequently rotating logical identifiers. To counter this, the authors propose AirCatch, a passive detection system leveraging physical-layer radio-frequency fingerprints. AirCatch exploits the stable carrier frequency offset (CFO) signatures inherent to transmitters and enhances device discriminability through modulation-aware CFO fingerprinting. It further introduces a contamination-resilient clustering algorithm based on high core density and persistence. Complementing the system, the authors develop BlePhasyr, an ultra-low-cost BLE software-defined radio receiver built from commodity hardware. Experimental results demonstrate that AirCatch achieves zero false positives and enables early detection across diverse device brands, realistic mobility scenarios, and high-intensity adversarial tests, with only marginal performance degradation under extreme conditions such as very low transmission rates that inherently diminish attack effectiveness.

Tag-based tracking ecosystems help users locate lost items, but can be leveraged for unwanted tracking and stalking. Existing protocol-driven defenses and prior academic solutions largely assume stable identifiers or predictable beaconing. However, identifier-based defenses fundamentally break down against advanced rogue trackers that aggressively rotate identifiers. We present AirCatch, a passive detection system that exploits a physical-layer constraint: while logical identifiers can change arbitrarily fast, the transmitter's analog imprint remains stable and reappears as a compact and persistently occupied region in Carrier Frequency Offset (CFO) feature space. AirCatch advances the state of the art along three axes: (i) a novel, modulation-aware CFO fingerprint that augments packet-level CFO with content-independent CFO components that amplify device distinctiveness; (ii) a new tracking detection algorithm based on high core density and persistence that is robust to contamination and evasion through per-identifier segmentation; and (iii) an ultra-low-cost receiver, an approximately 10 dollar BLE SDR named BlePhasyr, built from commodity components, that makes RF fingerprinting based detection practical in resource-constrained deployments. We evaluate AirCatch across Apple, Google, Tile, and Samsung tag families in multi-hour captures, systematically stress-test evasion using a scenario generator over a grid of transmission and rotation periods, and validate in diverse real-world mobility traces including home and office commutes, public transport, car travel, and airport journeys while sweeping background tag density. Across these stress tests, AirCatch achieves no false positives and early detection over a wide range of adversarial configurations and environments, degrading gracefully only in extreme low-rate regimes that also reduce attacker utility.