Every wireless device you own constantly emits radio signals. Not only when you call or browse the Internet \u2014 all the time<\/em>. These transmissions are not encrypted private communications between your device and a cell tower. They are public radio broadcasts, readable by anyone in range who has the right receiver.<\/p>\n\n\n\n And the receivers are cheap. A Nordic Semiconductor BLE sniffer. An RTL-SDR dongle. A Raspberry Pi with a consumer Wi-Fi adapter. All you need is to passively capture the invisible fingerprints your devices spew into the air every second of every day.<\/p>\n\n\n\n This is not theoretical. It is physics. Radio waves travel in all directions. Your phone does not whisper to a single access point \u2014 it calls into a room, a street, a building. And anyone listening can hear it.<\/p>\n\n\n\n When WLAN is enabled on your phone, it does not wait passively for networks to appear. It actively searches for them by sending Probe Requests<\/strong> \u2014 small radio frames that essentially ask: \u201cIs MyHomeNetwork<\/em> here? What about CorporateWiFi<\/em>? How about Hilton_Guest<\/em>?\u201d<\/p>\n\n\n\n Each Probe Request contains an SSID: the name of a network your device has connected to before. Your device runs through its list of preferred networks and sends each name in sequence. That means your phone constantly proclaims:<\/p>\n\n\n\n This is not a side channel or a clever attack. It is how WLAN is designed. The 802.11 specification defines Probe Requests as a standard discovery mechanism. Your phone sends them on multiple channels, unencrypted, for anyone to receive.<\/p>\n\n\n\n A passive receiver captures these probes and sees a device MAC address paired with every SSID it searches for. Over time, a travel diary emerges: This device was at the Marriott in Frankfurt, connected to \u201cGoogleGuest” and had a home network named \u201cMueller_Family_5G”. These are not metadata \u2014 this is a profile.<\/p>\n\n\n\n Bluetooth Low Energy is even more informative than WLAN. Where a WLAN Probe Request reveals a network name, a single BLE Advertisement can reveal a dozen identifying features at once.<\/p>\n\n\n\n Every BLE device sends Advertisements on three dedicated channels (37, 38, and 39) to announce its presence. These Advertisements carry structured data fields that together form a rich, layered fingerprint:<\/p>\n\n\n\n Appearance Values<\/strong> \u2014 A 16-bit code declaring what<\/em> the device is. A phone (Appearance Service UUIDs<\/strong> \u2014 Standardized identifiers that reveal exactly what a device can do. A heart rate monitor advertises UUID Manufacturer-specific data<\/strong> \u2014 A payload that begins with a company identifier assigned by Bluetooth SIG. Apple is Local device names<\/strong> \u2014 Many devices include a human-readable name in their Advertisements. \u201cAirPods Pro.” \u201c[TV] Samsung 65Q80.” \u201cFitbit Charge 5.” \u201cOsmoPocket3-A7F2.” These names appear as plain text in the radio signal.<\/p>\n\n\n\n Google Fast Pair Model IDs<\/strong> \u2014 Android devices using Google\u2019s Fast-Pair protocol broadcast a 3-byte model ID under Service-UUID TX Power Level<\/strong> \u2014 The transmit power reported in the Advertisement, intended for distance estimation. Combined with the received signal strength (RSSI), this not only reveals what<\/em> a device is, but roughly where<\/em> it is located.<\/p>\n\n\n\n Advertising intervals and channel patterns<\/strong> \u2014 The timing between advertisements and the channel sequence (37 \u2192 38 \u2192 39) create a behavioral fingerprint. Different chipsets have different timing precision. Different firmware versions have different interval configurations. Even if everything else is randomized, these physical characteristics remain.<\/p>\n\n\n\n All of this information is continuously broadcast to everyone, with no authentication or encryption. A passive receiver in range \u2014 typically 10 to 100 meters \u2014 captures every field.<\/p>\n\n\n\n Nearly every wireless device you interact with contributes to your radio fingerprint. Here is what different device categories reveal:<\/p>\n\n\n\n The biggest culprits. A typical smartphone simultaneously sends WLAN probe-requests (exposes your network history), BLE advertisements (exposes manufacturer, device type, and service capabilities), and often Google Fast Pair or Apple Handoff data. With WLAN and Bluetooth enabled, a smartphone creates a rich, cross-layer fingerprint that is trivially trackable across locations.<\/p>\n\n\n\n These devices advertise health-related service UUIDs such as heart rate ( Audio devices reveal their function through audio-sink and source service UUIDs. Many high-end earbuds from Sony, Bose, JBL, and Beyerdynamic share the same Airoha chipset, identifiable by a specific 128-bit service UUID ( These create WLAN hotspots for the companion app pairing and broadcast SSIDs like \u201cOsmoPocket3-A7F2″ or \u201cGoProHERO12-1234″. Some also send BLE pairing beacons. A device that should be inconspicuous on a dashboard proclaims its exact product model to anyone in radio range.<\/p>\n\n\n\n Environmental sensors from firms like Ruuvi, Minew, and Laird broadcast temperature, humidity, air pressure, and door\/window status in their BLE advertisement payloads. A passive receiver passing by a building can inventory the smart-home sensors inside \u2014 and read their measurements.<\/p>\n\n\n\n AirTag, Samsung SmartTag and Tile trackers each have distinct protocol signatures. Apple Find My devices use vendor data type All these hex codes and UUIDs may sound cryptic, but their interpretation requires no reverse engineering. The Bluetooth Special Interest Group (SIG) \u2014 the industry body that manages the Bluetooth standard \u2014 publishes comprehensive databases of all assigned numbers as open YAML files in a public repository. Anyone can download them.<\/p>\n\n\n\n Company Identifiers<\/strong> \u2014 The SIG maintains a register of nearly 4,000 company codes. Every manufacturer delivering a Bluetooth product registers a 16-bit identifier. Apple is Service UUIDs<\/strong> \u2014 The SIG defines over 200 standardized 16-bit Service UUIDs. Heart Rate is Appearance Values<\/strong> \u2014 The SIG publishes a structured taxonomy of device categories and subcategories. The top 10 bits of the Appearance value identify the category \u2014 Phone, Computer, Watch, Tag, Keyring, Heart Rate Sensor, Audio Sink, Hearing Aid, Glucose Meter, Domestic Appliance, etc. The lower 6 bits further refine: not just \u201cComputer\u201d, but \u201cLaptop\u201d or \u201cServer-class Computer\u201d. Not just \u201cWearable Audio Device\u201d, but \u201cEarbud\u201d or \u201cHeadset\u201d. A single 16-bit number reveals exactly what kind of device is sending.<\/p>\n\n\n\nWLAN Probe Requests: Your phone sends your network history<\/h2>\n\n\n\n
\n
BLE: A multifaceted fingerprint<\/h2>\n\n\n\n
0xC0<\/code>), a smartwatch (0x00C1<\/code>), a pair of headphones (0x0941<\/code>), a tracking tag. Bluetooth SIG assigns hundreds of these categories. Your device proclaims its type in every Advertisement.<\/p>\n\n\n\n0x180D<\/code>. an audio sink advertises 0x110B<\/code>. A blood pressure monitor advertises 0x1810<\/code>. These are not optional \u2014 devices send them so other Bluetooth devices can recognize their capabilities. But everyone else can see them too.<\/p>\n\n\n\n0x004C<\/code>. Samsung is 0x0078<\/code>. Google is 0x00E0<\/code>. After the company ID follow proprietary data that often encodes device model, firmware version, and status information. This data is sent in clear text.<\/p>\n\n\n\n0xFE2C<\/code>. This is not a category \u2014 it is a specific product identifier. Model ID 0xA1B2C3<\/code> points to exactly one product in Google\u2019s database. In discoverable mode, this ID is transmitted in clear text, so anyone nearby can identify the exact make and model of your headphones, earbuds, or watch.<\/p>\n\n\n\nThe devices that reveal everything<\/h2>\n\n\n\n
Smartphones<\/h3>\n\n\n\n
Smartwatches and Fitness Trackers<\/h3>\n\n\n\n
0x180D<\/code>), running speed (0x1814<\/code>) and environment sensing (0x181A<\/code>). Their Appearance Values identify them as wrist-worn devices. Some transmit sensor data directly in their advertisement payload \u2014 your current heart rate, step count, or activity status, in the clear, readable by anyone.<\/p>\n\n\n\nHeadphones and Earbuds<\/h3>\n\n\n\n
5052494D-2DAB-0341-6972-6F6861424C45<\/code>). This means a passive receiver can not only identify \u201cheadphones\u201d but also the exact chipset family, narrowing the product down to a handful of models.<\/p>\n\n\n\nDashcams and Action Cameras<\/h3>\n\n\n\n
Smart Home Devices<\/h3>\n\n\n\n
Tracking Tags<\/h3>\n\n\n\n
0x12<\/code> with a rotating 22-byte public key. Samsung SmartTags use vendor ID 0x0078<\/code> with a characteristic 0x20<\/code>-frame pattern. Tile uses its own service UUID. Each protocol is immediately recognizable to a passive observer.<\/p>\n\n\n\nThe Bluetooth SIG: A public decoding key<\/h2>\n\n\n\n
0x004C<\/code>. Samsung is 0x0078<\/code>. Airoha Technology is 0x00CC<\/code>. Ericsson is 0x0000<\/code>. When your device sends manufacturer-specific data, the first two bytes are a company code that directly points to a name in this public list. There is no ambiguity and no decryption needed \u2014 just a table lookup.<\/p>\n\n\n\n0x180D<\/code>. Blood Pressure is 0x1810<\/code>. Environmental Sensing is 0x181A<\/code>. Fitness Machine is 0x1826<\/code>. Insulin Delivery is 0x183A<\/code>. Each UUID has a defined meaning, a defined data format, and a published specification. When a device advertises a Service UUID, it declares its exact function in a standard industry vocabulary that anyone can read.<\/p>\n\n\n\n