Camera Detection · Volume 1
CameraDetection Volume 1 — Overview & the Hidden-Camera Landscape
Threat model · emission-class taxonomy · buy-vs-build decision tree · depth index into Vols 2–15
1.1 About this volume
This is the overview volume of a fifteen-volume engineer-grade deep dive on finding hidden surveillance cameras — the complete counter-surveillance reference and a build-ready DIY detector design.
The series has two arcs. The find-them arc (Vols 1–6, 9–12) covers detection physics, per-emission-class deep dives, commercial-detector and open-source surveys, and the room-sweep methodology. The build-the-finder arc (Vols 7–8) presents three build-ready DIY detector designs (from scratch, fork an existing project, Raspberry Pi sniffer) plus a decision guide. Posture and synthesis close the series (Vols 13–15).
Provenance note. This series is written from specifications and surveys of public material — vendor pages, ONVIF/RTSP standards, the IEEE OUI database, research papers, and open-source repositories. Real-world detection-range and timing claims (for commercial detectors and for the DIY device) are marked spec-sourced pending bench verification, which follows once the device is built and a commercial detector is in hand for comparison.
Posture: defensive counter-surveillance throughout. This topic is finding cameras hidden by someone else — Airbnb hosts, stalkers, voyeurs. The framing is squarely defensive. The few offensive-adjacent techniques documented here (deauth-confirm, demodulating a found analog stream to view its video) are gated to consenting-environment use and cross-referenced to _shared/legal_ethics.md wherever they appear.
Find-vs-make asymmetry. The AirTags deep dive covers both making custom Find My beacons and finding unwanted trackers — roughly a 50/50 split. This deep dive is overwhelmingly find-side: building the detector is the DIY arc (Vols 7–8), but even there, the device’s purpose is to locate cameras someone else installed. There is no “make a covert camera” arc; for the offensive side, see the Hacker Tradecraft deep dive.
Visual content note. Hardware photos are marked with FIGURE SLOT placeholders for a later Photo Helper pass. The ASCII diagrams, tables, and decision trees throughout carry the visual load in the interim.
[FIGURE SLOT — Vol 1, § 1] Hero shot: a covert camera concealed inside a common domestic object — a smoke detector, USB wall-charger, or alarm clock — showing how completely the device blends into its surroundings at conversational distance. Source: Photo Helper search “hidden spy camera smoke detector lens” — or vendor product page. Caption when filled: “Figure 1.1 — A covert camera concealed in a domestic smoke detector. The lens aperture (< 3 mm) is near-invisible at conversational distance. Photo: File:Name.jpg by …”
1.2 The threat model
1.2.1 Who hides cameras
Hidden cameras are placed by several distinct actor classes, each with a different risk profile, placement logic, and camera-class preference:
Table 1 — Threat actors who place hidden cameras
| Threat actor | Primary motive | Typical placement context | Preferred camera class | Risk frequency |
|---|---|---|---|---|
| Vacation-rental host | Voyeurism; sometimes claimed “security” | Airbnb, VRBO, holiday cottages — living rooms, bedrooms, bathrooms | Wi-Fi/IP (cloud-monitored; easy live view via phone app) | Low–medium; documented incidents every year^[Multiple FTC and state AG actions against hosts 2018–2024; Airbnb community reports aggregated by security researchers.] |
| Hotel / motel staff or maintenance | Voyeurism | Alarm clocks, TV sets, wall art, sprinkler heads | Wi-Fi/IP or analog wireless | Rare but documented; harder to place than rental scenario |
| Stalker / domestic abuser | Surveillance, control | Home of victim — changing areas, bedrooms | Wi-Fi/IP (home-network-connected) or cellular/4G (SIM-connected, no victim Wi-Fi needed) | Underreported; reported to law enforcement more often than Airbnb incidents |
| Employer (contested legality) | Productivity, theft-prevention | Office spaces, break rooms | Wired IP (on corporate NVR) | Legal if disclosed; covert placement is jurisdiction-dependent |
| Illicit recording for distribution | Financial (voyeur content) | Fitting rooms, restrooms, gym changing areas | Analog wireless (quick in/out with portable transmitter + receiver) or SD-only (no radio; battery + SD) | Very low absolute frequency; high harm when it occurs |
The most commonly reported scenario — and the most tractable to sweep — is the short-term vacation rental context: a host installs a Wi-Fi/IP camera, typically connected to the property’s own Wi-Fi, and monitors it via a phone app (TP-Link Tapo, Wyze, Blink, Eufy, Hikvision iVMS, etc.). These cameras are RF-emitting, network-joined, and fully visible to a thorough Wi-Fi scan. Vol 5 covers this case in detail.
The hardest cases are SD-only cameras (no radio; records to a local microSD card, retrieved physically) and cellular-connected cameras (SIM card, no dependency on the local Wi-Fi network). Both are invisible to any Wi-Fi or RF scan; see §7.1.
1.2.2 Attacker-defender asymmetry
The single most important structural fact about this problem:
The attacker chooses placement time and position at leisure; the defender sweeps a cold room under time pressure, often without prior knowledge of what was installed.
Breaking this down:
- Placement time: An Airbnb host has 24–72 hours between guest check-outs to place and test a device. A sweeper checking in has 10–30 minutes before the vacation starts.
- Placement position: The attacker can place the camera in the optimal position for the lens’s field of view, then verify coverage from the viewer app. The sweeper must cover every plausible surface in the room.
- Device knowledge: The attacker knows exactly what device was installed, where the lens is, and what angle it covers. The sweeper does not know the device class (Wi-Fi/analog/SD-only), mounting location, or even whether any device was placed.
- Counter-surveillance awareness: A careful attacker can choose non-emitting SD-only devices specifically to defeat RF-based sweepers. The defender must assume worst case and use non-RF methods too (optics, thermal, physical) to reach an honest answer.
┌──────────────────────────────────────────────────────────────────────┐
│                    ATTACKER / DEFENDER ASYMMETRY                     │
├──────────────────────────┬───────────────────────────────────────────┤
│ ATTACKER                 │ DEFENDER                                  │
├──────────────────────────┼───────────────────────────────────────────┤
│ Picks 1 hiding spot      │ Must cover ALL plausible spots            │
│ at leisure (24–72 h) →   │ under time pressure (10–30 min)           │
├──────────────────────────┼───────────────────────────────────────────┤
│ Picks 1 emission class   │ Must cover ALL modalities                 │
│ (Wi-Fi / SD-only / …) →  │ RF + optical + thermal + physical         │
├──────────────────────────┼───────────────────────────────────────────┤
│ Verifies coverage via    │ Doesn't know device class, mount point,   │
│ viewer app               │ or whether any camera is even present     │
├──────────────────────────┼───────────────────────────────────────────┤
│ Work: O(1)               │ Work: O(spots × modalities), time-limited │
└──────────────────────────┴───────────────────────────────────────────┘
    Attacker's winning move → choose SD-only (defeats every RF method)
This asymmetry is why “a Wi-Fi scan is enough” is a dangerous oversimplification. The attacker can trivially choose a device the Wi-Fi scan misses. A defensible sweep layers multiple modalities — see the room-sweep playbook in Vol 12.
1.2.3 Realistic threat calibration
Not every short-term rental has a covert camera. Not every hotel room has one. The base rate is low enough that paranoia without evidence is unhelpful — but the risk is real enough that a systematic sweep is warranted, especially in contexts where a victim would have no way of knowing without looking.
Calibration guidelines:
- High-warrant sweep: bedroom, bathroom, or changing area of any short-term rental; a hotel room where you have reason for elevated concern; a workplace where you suspect covert monitoring.
- Medium-warrant sweep: common areas of a rental property; offices; any space where you have a specific tip or suspicion.
- Low-warrant sweep (basic phone scan only): casual social visit, transit areas, restaurants.
The deep dive is calibrated to the high-warrant sweep scenario: a thorough, layered search of a private space. The field version in Vol 12 §4 covers the 10-minute quick pass for travelers.
1.3 Where cameras hide
Covert cameras must balance lens coverage against concealment. The concealments that have appeared in documented incidents and teardowns cluster around a predictable set of objects:
Table 2 — Common hiding spots, the camera class each favours, and the best detection modality
| Hiding spot | Why it works | Typical camera class | Best detection modality |
|---|---|---|---|
| Smoke detector (ceiling/wall) | Ubiquitous; ceiling position = wide-angle coverage; cavity accepts full camera module | Wi-Fi/IP or wired | OUI/ONVIF scan; optical lens glint from floor angle |
| USB wall charger / “AC adapter” | Always-on mains power; “forgettable” accessory in any room; cavity large enough for ESP32-class module | Wi-Fi/IP | OUI/ONVIF scan; lens glint; check for an unused USB port |
| Alarm clock / bedside clock | Power available; occupant unlikely to move or dismantle; pointed at bed | Wi-Fi/IP or analog | OUI/ONVIF scan; lens glint at eye level |
| Picture frame / wall art | Flat, wall-mounted; lens hides behind one-way mirror material or small pinhole | SD-only or analog | Optical lens glint (red/IR finder); physical inspection |
| Air purifier / fan | Large cavity; always-on power; placed in bedroom or living room for coverage | Wi-Fi/IP | OUI/ONVIF scan; lens glint |
| Screw or bolt (pinhole) | Near-zero visual signature; installed in wall or furniture | SD-only | Optical lens glint; physical inspection with light source |
| AC vent / wall vent | Good vantage point; seldom inspected; power from adjacent wiring possible | Analog or wired | Optical lens glint; RF sweep for analog carrier |
| Smoke alarm + CO detector combo | Dual-purpose legitimacy; large cavity; ceiling mount | Wi-Fi/IP | OUI/ONVIF scan; lens glint from ceiling mount |
| TV set-top box / streaming stick | Always powered; HDMI bus provides power; less obvious in TV-facing rooms | Wi-Fi/IP | OUI/ONVIF scan; check for unexpected network client |
| Plush toy / decorative object | Soft cavity accepts camera module; non-threatening appearance | Wi-Fi/IP | OUI/ONVIF scan; lens glint; weight/battery check |
| Door peephole (reversed) | Installed in door facing inward instead of outward | Wired or SD-only | Optical inspection; one-way glass tester |
| Motion sensor / PIR housing | Cover story is detection of other things; cavity purpose-built | Wi-Fi/IP or wired | OUI/ONVIF scan; IR-LED spotting (many use IR illumination) |
| Ventilation grille (bathroom) | Seldom inspected; direct line of sight to shower/changing area | SD-only, analog, or cellular | Optical lens glint; RF sweep; physical inspection |
| Electrical outlet (wall) fake | Flush with wall; always-on power; pinhole lens near-invisible | Wired or Wi-Fi | Lens glint; thermal (powered sensor runs warm); outlet inspection |
Physical inspection discipline: every object in a bedroom or bathroom that is not your own property and that has an unobstructed line of sight to a sensitive area deserves attention. The hiding-spot list above is not exhaustive — the creativity of placement only improves with device miniaturization. The lens-glint technique (§4.5 of the emission-class taxonomy; full coverage in Vol 4 §5) finds cameras in objects not on any list, because it exploits a physical property of every camera lens.
1.4 The emission-class taxonomy
The emission class of a camera is the most important variable in detection. It determines which instruments can detect it, which modalities are capable versus blind, and which volumes in this series apply. There are five classes.
┌────────────────────────────────────────────────────────────────────┐
│                           Hidden Camera                            │
│                        (the threat object)                         │
└───────────────────────────────┬────────────────────────────────────┘
                                │
              ┌─────────────────┴─────────────────┐
              │                                   │
   ┌──────────▼──────────┐            ┌───────────▼────────────┐
   │    RF-emitting      │            │     Non-emitting       │
   │  (radio-active;     │            │  (RF-silent — radio    │
   │  RF methods apply)  │            │  methods are BLIND)    │
   └──────────┬──────────┘            └───────────┬────────────┘
              │                                   │
   ┌──────────┼────────────┬──────┐      ┌────────┴────────────┐
   │          │            │      │      │                     │
┌──▼───┐  ┌───▼────┐  ┌────▼─┐ ┌──▼──┐ ┌─▼──────┐   ┌──────────▼────┐
│Wi-Fi │  │Analog  │  │Cell. │ │ BT  │ │SD-only │   │   Wired to    │
│ /IP  │  │wireless│  │ /4G  │ │/BLE │ │ "dumb" │   │   NVR/DVR     │
│      │  │1.2/2.4/│  │(LTE) │ │cam  │ │(local  │   │ (coax/Cat5/   │
│      │  │5.8 GHz │  │      │ │     │ │storage)│   │  PoE cable)   │
└──────┘  └────────┘  └──────┘ └─────┘ └────────┘   └───────────────┘
← Wi-Fi scan covers →                  ← optics / NLJD / thermal only →
← spectrum sweep covers (analog) →
← RSSI-walk / traffic-rate apply →     ← RF instruments are blind here →
The critical split is emitting vs non-emitting. Every RF-based detector — Wi-Fi scanner, broadband RF bug detector, spectrum analyzer, SDR — is completely blind to the non-emitting classes. Only optics, thermal, NLJD, X-ray, or physical search work there.
1.4.1 Wi-Fi and IP cameras
How it leaks: The camera joins a Wi-Fi network (either the host’s, its own AP, or a dedicated hidden-SSID network) and streams or stores video via a cloud relay. Leaks include:
- Beacon frames / probe responses visible in promiscuous mode — the MAC address is directly readable
- DHCP requests, mDNS/Bonjour announcements, SSDP/UPnP advertisements, ONVIF WS-Discovery Hello frames
- RTSP video stream (TCP/554 or a high port), accessible on the local network if no firewall
- Cloud relay heartbeat and uplink traffic — uplink bitrate tracks motion in front of the lens when the camera uses variable-bitrate (VBR) encoding (the most robust detection tell — see Vol 3 §5)
Primary detection methods: vendor-OUI fingerprinting of the MAC address; mDNS/ONVIF discovery scanning; RTSP port probe; traffic-rate/motion-correlation on observed uplink flows; RSSI-walk to physically locate the transmitter.
What defeats detection: MAC address randomization (though most cameras do not randomize, unlike modern smartphones); generic Wi-Fi module with no camera-vendor OUI (e.g., bare ESP32 module); camera on an isolated VLAN or its own AP with a hidden SSID (radio still visible in promiscuous scan even if SSID is hidden); no local network join at all (purely cellular cloud connection).
Vol 3 (Wi-Fi network analysis physics) and Vol 5 (Wi-Fi/IP camera deep dive) cover this class in full.
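As an added example, not code from this series or from any project it cites, the following Python parser handles the ONVIF WS-Discovery Hello and ProbeMatch messages listed above. It takes the XML payload of one UDP datagram, the kind a camera multicasts to 239.255.255.250:3702 when it joins a network, and extracts the fields that mark the sender as a camera: the `NetworkVideoTransmitter` device type and the `onvif://www.onvif.org/...` scopes (name, hardware, location). The embedded Hello message, its UUIDs, the 192.0.2.45 address and the EXAMPLE-* names are constructed sample data, and `summarize()` is this example's own helper.

```python
"""Parse ONVIF WS-Discovery Hello / ProbeMatch messages (UDP 3702 multicast)
and extract the fields that mark a sender as a network video transmitter.
Added example; the sample message below is constructed, not captured."""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import unquote

# Namespaces: SOAP 1.2, WS-Addressing 2004/08, WS-Discovery 2005/04 and the
# ONVIF device-type namespace (dn) that cameras use inside <d:Types>.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "d": "http://schemas.xmlsoap.org/ws/2005/04/discovery",
    "dn": "http://www.onvif.org/ver10/network/wsdl",
}
ONVIF_SCOPE_PREFIX = "onvif://www.onvif.org/"

# Constructed sample: what an ONVIF camera multicasts when it joins a network.
SAMPLE_HELLO = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}"
    xmlns:d="{NS['d']}" xmlns:dn="{NS['dn']}">
  <s:Header>
    <a:Action>{NS['d']}/Hello</a:Action>
    <a:MessageID>urn:uuid:00000000-0000-4000-8000-000000000001</a:MessageID>
    <a:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To>
  </s:Header>
  <s:Body>
    <d:Hello>
      <a:EndpointReference>
        <a:Address>urn:uuid:00000000-0000-4000-8000-0000000000ab</a:Address>
      </a:EndpointReference>
      <d:Types>dn:NetworkVideoTransmitter</d:Types>
      <d:Scopes>onvif://www.onvif.org/type/video_encoder
        onvif://www.onvif.org/name/EXAMPLE-IPC%20Cam
        onvif://www.onvif.org/hardware/EXAMPLE-HW1
        onvif://www.onvif.org/location/bedroom</d:Scopes>
      <d:XAddrs>http://192.0.2.45/onvif/device_service</d:XAddrs>
      <d:MetadataVersion>1</d:MetadataVersion>
    </d:Hello>
  </s:Body>
</s:Envelope>"""


def parse_ws_discovery(xml_text: str) -> Optional[dict]:
    """Return the camera-relevant fields of a Hello or ProbeMatch, else None."""
    root = ET.fromstring(xml_text)
    node, kind = root.find(".//d:Hello", NS), "Hello"
    if node is None:
        node, kind = root.find(".//d:ProbeMatch", NS), "ProbeMatch"
    if node is None:
        return None

    def text(path: str) -> str:
        el = node.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    # <d:Types> is a whitespace-separated list of QNames; the ONVIF type that
    # marks a camera is NetworkVideoTransmitter, whatever prefix the sender used.
    types = text("d:Types").split()
    is_nvt = any(t.rsplit(":", 1)[-1] == "NetworkVideoTransmitter" for t in types)

    # Scopes are URIs onvif://www.onvif.org/<category>/<value>; values are
    # percent-encoded and a category (e.g. type) may appear more than once.
    scopes: dict = {}
    for token in text("d:Scopes").split():
        if token.startswith(ONVIF_SCOPE_PREFIX):
            category, _, value = token[len(ONVIF_SCOPE_PREFIX):].partition("/")
            scopes.setdefault(category, []).append(unquote(value))

    return {
        "kind": kind,
        "endpoint": text("a:EndpointReference/a:Address"),
        "is_video_transmitter": is_nvt,
        "scopes": scopes,
        "xaddrs": text("d:XAddrs").split(),  # device-service URLs; these carry the IP
    }


def summarize(parsed: dict) -> str:
    """One sweep-log line per discovered device (example's own helper)."""
    name = ", ".join(parsed["scopes"].get("name", ["?"]))
    hw = ", ".join(parsed["scopes"].get("hardware", ["?"]))
    flag = "CAMERA (NetworkVideoTransmitter)" if parsed["is_video_transmitter"] else "other ONVIF device"
    return f"{parsed['kind']}: {flag} name={name!r} hw={hw!r} xaddrs={parsed['xaddrs']}"


if __name__ == "__main__":
    print(summarize(parse_ws_discovery(SAMPLE_HELLO)))
```

A camera configured with discovery disabled sends nothing for this parser to see, which is exactly the discovery-layer failure mode described later; the XAddrs URL is the natural input to the RTSP port probe and the endpoint UUID is what to record in the sweep log.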
1.4.2 Analog wireless cameras
How it leaks: Analog wireless cameras transmit a continuous FM-modulated composite video (NTSC or PAL baseband) on one of three license-exempt bands: 1.2 GHz (1,180–1,220 MHz, rare in consumer gear), 2.4 GHz (2,400–2,483.5 MHz), or 5.8 GHz (5,725–5,875 MHz). The signal is always-on when the camera is powered: a fixed carrier at a specific channel, unencrypted, continuously broadcasting the video signal.
Primary detection methods: spectrum sweep (an SDR such as the HackRF One or RTL-SDR) to find the carrier; demodulate the FM-video signal to see what the camera sees — the most unambiguous possible confirmation. A broadband RF bug detector (diode power-detector class) will also trigger on an analog camera’s carrier if within a few meters.
What defeats detection: cameras that power off between triggered recording sessions (rare but possible with PIR triggering); interference masking on the 2.4 GHz ISM band from Wi-Fi and Bluetooth (crowded spectrum makes low-power analog carriers harder to spot without a sweep).
Vol 2 (RF & spectrum physics) and Vol 6 (non-Wi-Fi deep dive) cover this class. The full demod-to-see-video technique is in Vol 6 §2.
1.4.3 Cellular and 4G cameras
How it leaks: A cellular camera embeds a SIM card (nano-SIM or embedded eSIM) and connects to the carrier’s LTE or 4G network for cloud streaming, bypassing any local Wi-Fi entirely. RF emissions are in licensed LTE bands (Band 2/4/12/17 in North America; country-specific elsewhere), typically in bursts during motion-triggered upload events rather than continuous transmission.
Primary detection methods: This is the genuinely hard case. Licensed-band LTE bursts are short, encrypted at the air interface, and indistinguishable from ordinary phone traffic without advanced equipment. Practical options:
- An LTE-capable spectrum analyzer can identify anomalous LTE uplink bursts at unusual power levels in an otherwise quiet room
- The Rayhunter project (EFF’s IMSI catcher detector, documented in the Rayhunter deep dive) takes a related but distinct approach — cellular protocol anomaly detection — but is aimed at detecting IMSI catchers, not hidden cameras
- Physical/optical methods are more practical for cellular cameras specifically
What defeats detection: Everything. Licensed-band operation + burst mode + end-to-end encryption means RF methods are near-useless here. Physical inspection and optical lens glint are the primary detection paths for cellular cameras.
Vol 6 §3 covers the cellular camera detection problem honestly and without false promises.
1.4.4 Bluetooth cameras
How it leaks: Some covert cameras — particularly lower-cost units — use Bluetooth LE (BLE) as the configuration and streaming link. BLE advertising packets are broadcast continuously when the device is in pairing/advertising mode; once paired to a controller device (a phone), some continue to advertise. Stream data may go over BT Classic (IEEE 802.15.1) or BLE throughput modes.
Primary detection methods: BLE active scan on all 40 BLE channels; filter advertised names and manufacturer-specific data for camera-related strings; Nyan Box and ESP32 Marauder both expose BLE scan results. Bluetooth cameras are rare in the threat model (BT range is short, throughput is limited for video, and Wi-Fi is universally preferred for cloud-connected cameras).
What defeats detection: BLE advertising suppressed after pairing (common); BT Classic used for streaming rather than BLE (requires active scan on Classic channels too); range below the BLE scan threshold.
1.4.5 Non-emitting cameras
How it leaks: It doesn’t — these cameras produce no RF emission of any kind. They are completely invisible to every radio-frequency method: Wi-Fi scanners, broadband RF bug detectors, spectrum analyzers, SDRs, and even licensed-band receivers. The two sub-types are:
- SD-only “dumb” cameras: record to a local microSD or USB flash drive; no radio hardware; retrieved physically by the person who planted them. Power comes from a concealed LiPo or from mains via a disguised power supply (the USB-charger form factor is ideal).
- Wired cameras: transmit video over a physical cable — coaxial (for analog composite), Cat5/Cat6 (for IP cameras over PoE), or proprietary cable — to a recording DVR/NVR, typically in a less-visible location. No wireless emission at any point in the signal path.
What defeats RF detection: everything. There is no RF to detect.
What can still detect them:
- Optical lens retroreflection: every camera lens — regardless of whether the camera has electronics or is even powered on — retroreflects an IR or red light source back at the viewer. A dedicated lens-finder (SpyFinder Pro, SF-103F) or a phone with IR illumination can catch this.^[The physics: the lens acts as a corner retroreflector due to the concave-convex element structure. Even a pinhole aperture returns a distinctive glint when illuminated coaxially with the viewer’s eye.]
- IR-emitter spotting: cameras equipped with 850 nm or 940 nm IR LEDs for night vision emit light that a phone camera’s CMOS sensor can pick up (the front-facing camera on many phones lacks the IR-cut filter fitted to the main camera). Works only when the IR LEDs are powered and active.
- Thermal imaging: powered electronics (even SD-only cameras) generate heat that a FLIR-class imager can detect — especially the image sensor and voltage regulator. Defeated by insulation or low-power design.
- NLJD (non-linear junction detection): semiconductor junctions in any electronic device produce harmonic responses to an RF excitation signal — even when the device is completely powered off. The REI ORION is the industry reference instrument. This is the method for powered-off non-emitting cameras.
- Physical search: the always-applicable baseline.
Warning — the most dangerous gap in any sweep: A defender who relies only on RF/Wi-Fi methods and declares “nothing found” has not ruled out non-emitting cameras. This gap must be communicated explicitly. The three honest constraints in §7 restate this prominently.
Full coverage of non-emitting camera detection methods is in Vol 4 (the power-state capability matrix and per-method deep dives). The wired-specific track — cable tracing, TDR, find-the-recorder, PoE/LAN scan, PLC powerline-carrier detection — is in Vol 6 §5.
Emission-class comparison table — the load-bearing reference for the rest of the series:
Table 3 — Emission-class comparison
| Class | How it leaks | Primary detection method | Secondary method | What defeats detection |
|---|---|---|---|---|
| Wi-Fi/IP | Beacons, DHCP, ONVIF, RTSP, uplink traffic | OUI fingerprint + ONVIF/mDNS scan + traffic-rate | RSSI-walk to locate | MAC randomization; isolated AP/VLAN; purely cellular |
| Analog wireless 1.2 GHz | Continuous FM-video carrier, 1,180–1,220 MHz | Spectrum sweep + FM-video demod | Broadband RF bug detector (close range) | Camera off between sessions; spectrum congestion |
| Analog wireless 2.4 GHz | Continuous FM-video carrier, 2,400–2,483.5 MHz | Spectrum sweep + FM-video demod | Broadband RF bug detector | Dense 2.4 GHz ISM band noise; camera off |
| Analog wireless 5.8 GHz | Continuous FM-video carrier, 5,725–5,875 MHz | Spectrum sweep + FM-video demod | Broadband RF bug detector | Camera off; 5 GHz requires wideband SDR |
| Cellular/4G | LTE burst uplink on licensed bands | Spectrum anomaly (advanced); physical/optical | RF burst detector (marginal) | Everything — licensed bands, burst mode, E2E encryption |
| Bluetooth/BLE | BLE advertising packets | BLE active scan, filter by name/manufacturer data | Nyan Box / Marauder BLE scan | Pairing completes (advertising stops); BT Classic |
| SD-only (non-emitting) | Nothing | Optical lens retroreflection; NLJD | Thermal; physical | RF methods entirely; thermal if insulated/low-power |
| Wired (non-emitting) | Nothing (RF); signal on cable only | Optical lens glint; cable trace/TDR; physical | PoE/LAN scan if IP; PLC carrier if coax | RF methods entirely |
1.5 The buy-vs-build decision tree
Three paths exist: (1) buy an off-the-shelf detector, (2) adapt owned Hack Tools gear, (3) build a purpose-built device from scratch or by forking an existing design. The right choice depends on the threat model, what gear is already owned, and budget. The tree below walks the decision.
┌────────────────────────────────────────────────────────────────────┐
│               CAMERA DETECTOR: BUY · ADAPT · BUILD?                │
└──────────────────────────────┬─────────────────────────────────────┘
                               │
                    ┌──────────▼──────────┐
                    │  Primary threat:    │
                    │  which emission     │
                    │  class(es)?         │
                    └──┬──────────┬────┬──┘
                       │          │    │
                   Wi-Fi/IP    Analog   Non-emitting
                   cams only   or all   or "I don't
                       │       classes  know"
                       │          │         │
              ┌────────▼───────┐  │    ┌────▼────────────┐
              │ Own Nyan Box   │  │    │ Optical lens    │
              │ or Marauder    │  │    │ finder needed   │
              │ module?        │  │    │ regardless      │
              └───┬────────┬───┘  │    └─────────────────┘
                  │YES     │NO    │
                  │        │      │
           ┌──────▼──┐  ┌──▼──────────────────────────────┐
           │ Adapt   │  │ Build DIY (Vols 7–8) or         │
           │ owned   │  │ buy a dedicated Wi-Fi scanner   │
           │ gear    │  │ (Vol 9 survey)                  │
           │(Vol 11) │  └─────────────────────────────────┘
           └─────────┘            │
                                  │ + Analog RF needed?
                                  │
                   ┌──────────────▼───────────────┐
                   │  Own HackRF One / RTL-SDR?   │
                   └───────────┬──────────┬───────┘
                               │YES       │NO
                               │          │
                        ┌──────▼──┐  ┌────▼─────────────┐
                        │ Analog  │  │  Budget < $200?  │
                        │ sweep   │  └──┬───────────┬───┘
                        │(Vol 6)  │     │YES        │NO
                        └─────────┘     │           │
                                   ┌────▼───┐  ┌────▼────────┐
                                   │ Buy    │  │ Add SDR to  │
                                   │ cheap  │  │ build (RTL- │
                                   │ RF     │  │ SDR ~$30)   │
                                   │ sweeper│  │ Vol 7 §7    │
                                   │+ lens  │  └─────────────┘
                                   │finder  │
                                   │(Vol 9) │
                                   └────────┘
Summary of the three paths:
Table 4 — Summary of the three paths
| Path | Best for | Coverage | Budget range | Covered in |
|---|---|---|---|---|
| Adapt owned gear | Already own Nyan Box, Marauder, HackRF, phone | Wi-Fi/IP + analog (if HackRF owned); not non-emitting | $0 marginal (already owned) | Vol 11 |
| Buy off-the-shelf | Quick traveler sweep; no build interest | RF-emitting + lens finder covers optics; no traffic-rate correlation | $30–$500 (cheap sweeper) to $15k+ (NLJD) | Vol 9 |
| Build from scratch | Deep coverage of all classes + RSSI-walk + traffic-rate; long-term use | Wi-Fi/IP (full) + optional analog (RF front end) + optical add-on (lens finder ring) | $50–$200 for parts | Vols 7–8 |
The combination that covers the most ground for least cost: a purpose-built ESP32-S3 device (Vol 7) or a Marauder fork (Vol 8) for Wi-Fi/IP detection + a $30–$50 SpyFinder-class lens finder for optics. Add the HackRF One or RTL-SDR (if already owned) for analog wireless coverage. Nothing in any budget covers cellular cameras reliably; physical/optical is the fallback.
1.6 Depth index into Vols 2–15
One row per volume — what question it answers and where the key anchors live.
Table 5 — Depth index into Vols 2–15
| Vol | Topic | Key question answered | Stable anchors to cite |
|---|---|---|---|
| 2 | Detection physics I — RF & spectrum | How do broadband RF bug detectors work? Why can’t a $30 “anti-spy” device catch everything? | #2-broadband-rf-bug-detectors, #5-what-rf-cannot-catch |
| 3 | Detection physics II — Wi-Fi network analysis | How does OUI fingerprinting work? What is traffic-rate/motion-correlation and why is it the robust tell? | #2-vendor-oui-fingerprinting, #5-traffic-rate-motion-correlation |
| 4 | Detection physics III — finding non-emitting cameras | Which method works for a camera that is powered + recording vs standby vs fully off? | #4-the-power-state-capability-matrix, #5-optical-lens-retroreflection |
| 5 | Wi-Fi / IP camera deep dive | How do IP cameras announce and behave on a network? How do you walk to a detected camera using RSSI? | #2-how-ip-cameras-announce-and-behave, #5-walking-to-a-detected-camera |
| 6 | Non-Wi-Fi camera deep dive | How do you find and demodulate an analog wireless camera? What about wired cameras? | #2-analog-wireless-sweep-and-demod, #5-the-wired-specific-track |
| 7 | Build from scratch — ESP32-S3 design | How do you build a Wi-Fi camera detector from an ESP32-S3? Full BOM, firmware design, OUI DB | #2-architecture, #3-bom, #4-firmware-pipeline |
| 8 | Build from existing designs + Pi path | When should you fork Marauder or Nyan Box vs build from scratch vs use a Raspberry Pi sniffer? | #2-forking-esp32-marauder, #5-fork-vs-scratch-vs-pi-decision-guide |
| 9 | Commercial detectors — survey | What do commercial RF sweepers, lens finders, thermal cameras, and phone apps actually catch? | #2-cheap-rf-sweepers, #8-the-what-it-actually-catches-matrix |
| 10 | DIY & open-source — survey | Which open-source repos are fork-worthy? What do the research implementations actually do? | #4-github-detector-repos, #6-fork-worthiness-matrix |
| 11 | Add-ons to existing Hack Tools gear | Can the Nyan Box / Marauder / HackRF / phone I already own be turned into a camera finder? | #2-nyan-box-native, #7-capability-and-limit-table |
| 12 | Sweep methodology | What is the room-sweep playbook? What order do modalities go in and why? | #2-the-room-sweep-playbook, #3-the-modality-order |
| 13 | Operational posture, legal & ethics | What are the legal and ethical limits of the techniques documented here? | #2-the-defensive-framing, #3-the-find-vs-make-line |
| 14 | Comparisons & decision guide | Which detector should I buy for my specific threat? Buy vs build final answer? | #2-buy-vs-build, #3-which-detector-for-which-threat |
| 15 | Cheatsheet — laminate-ready field cards | What is the sweep order? OUI quick-list? Lens-glint technique? What RF can’t catch? | #2-the-sweep-order-card, #7-what-rf-cannot-catch |
Cross-series connections: the Nyan Box deep dive Vol 7 documents hidden-camera detection as one feature among 40+; this series is the dedicated, device-first counterpart. The AirTags deep dive covers the find-the-tracker problem with a different instrument set (BLE, UWB, Find My network); both are counter-surveillance topics in the same hub. The HackRF One deep dive and RTL-SDR deep dive are the primary references for the spectrum-sweep techniques used in Vol 2 and Vol 6 of this series.
1.7 The three honest constraints
These three constraints are not caveats to bury in footnotes. They are load-bearing facts that determine whether any given detection tool or technique can catch any given camera. They are stated here in Vol 1 and restated in every volume where they apply.
1.7.1 Non-emitting cameras are RF-invisible
Constraint #1: Non-emitting cameras — SD-only and wired — produce no radio-frequency emission of any kind. Every RF method (Wi-Fi scan, broadband RF bug detector, spectrum analyzer, SDR sweep) is completely blind to them. A sweep that uses only RF methods and returns clean cannot rule out a non-emitting camera.
The implication for any detector device — commercial or DIY:
- A Wi-Fi scanner that finds every Hikvision and Wyze camera on the local network tells you nothing about whether a non-emitting device is also present.
- A $30 “anti-spy” RF bug detector that stays quiet tells you there are no strong RF emitters nearby, not that there are no cameras.
- A DIY ESP32 device running OUI fingerprinting + traffic-rate analysis is blind to the same class.
The only methods that cross this gap:
Table 6 — Methods that cross the non-emitting gap
| Method | Works when camera is powered? | Works when camera is OFF? | Notes |
|---|---|---|---|
| Optical lens retroreflection | Yes | Yes (lens is passive) | Every lens, regardless of electronics |
| IR-emitter spotting | Yes (only if IR LEDs are active) | No | Requires 850/940 nm illumination and phone camera |
| NLJD (REI ORION class) | Yes | Yes | Semiconductor junctions respond even when powered off |
| Thermal imaging | Yes (powered electronics run warm) | No | Defeated by insulation, low-power design, ambient heat |
| X-ray / backscatter | Yes | Yes | Specialist gear ($20k+); definitive |
| Physical search | Yes | Yes | Always applicable; always the confirmation step |
Full depth on each method, with reliability ratings and false-positive profiles, is in Vol 4 — specifically the power-state capability matrix at Vol 4 §4.
The practical implication for a sweep: a defensible sweep that claims to rule out cameras must include at least one non-RF non-emitting-capable method. At minimum: an optical lens finder (sweep every surface with a red-ring or IR-ring finder), IR-LED spotting in darkness (point a phone at any object with a clear lens), and physical inspection of plausible hiding spots. NLJD is the definitive non-emitting method but costs $10k+; it is the appropriate standard for a professional TSCM sweep.
1.7.2 Wi-Fi detection is fingerprint-and-behavior, not magic
Constraint #2: Detecting a Wi-Fi camera is not as simple as running a network scan and reading a “CAMERA FOUND” banner. Detection depends on two layers — fingerprinting (what the MAC address or ONVIF probe response tells you) and behavior (how the traffic flow pattern changes with motion). Both layers have failure modes. The traffic-rate/motion-correlation technique is the most robust but still requires the camera to be transmitting at the moment of the test.
The fingerprinting layer — vendor OUI matching — is fragile in several ways:
- MAC address randomization: modern devices randomize their MAC during scanning. Most cameras do not randomize once associated, but some generic ESP32-based cameras may.
- Generic Wi-Fi module OUIs: a white-label camera built on an Espressif, Realtek, or MediaTek Wi-Fi chipset will present the chipmaker’s OUI, not a camera-vendor OUI. An OUI match to EC:FA:BC (Espressif) tells you there is an ESP32-based device; it does not tell you it is a camera.
- White-label / grey-market cameras: cameras sold under dozens of brand names share the same firmware and same OUI. No OUI database is complete.
The discovery layer — mDNS/ONVIF probing — is defeated by:
- A camera configured to disable mDNS and ONVIF discovery (common on hardened installations)
- A camera on a different subnet or isolated VLAN (no mDNS/SSDP traffic crosses subnet boundaries without a relay)
- A camera not on your network at all (on the host’s network, hidden SSID, or cellular-only)
The traffic-rate/motion-correlation technique is the most robust:^[Academic lineage: Cheng et al., “Your Wifi Is Watching You,” and subsequent flow/timing analysis work; the technique exploits the variable-bitrate encoder’s uplink spike when the scene in front of the lens changes — frame complexity drives bitrate on H.264/H.265 VBR streams. See Vol 3 §5 for full treatment.]
- Works even when the camera’s MAC is not in any OUI database
- Works even when ONVIF discovery is disabled
- Works even for off-network cameras whose radio you can see in promiscuous mode, because the uplink bitrate envelope is visible in the encrypted air-interface frame stream
- Fails if the camera is not transmitting (motion detection off; no motion in front of lens; standby mode)
- Fails for SD-only cameras (no uplink traffic)
The practical implication: do not stop at an OUI scan. Always apply traffic-rate correlation (induce motion, watch the uplink flow spike) as a second pass. Vol 3 explains the mechanics and Vol 5 operationalizes the technique for the Wi-Fi/IP class.
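The two layers described above, as an added worked example rather than code from this series or from any tool it references: a Python triage that applies the OUI layer with its failure modes made explicit (randomized MAC, generic-chipset OUI, unknown OUI), then the traffic-rate/motion-correlation second pass on per-second uplink byte counts. Only EC:FA:BC (Espressif) is a real OUI, taken from this section; the other OUIs, the vendor names, the thresholds and the traffic figures are constructed. In practice the per-second counts would come from a capture keyed by client MAC (or by 802.11 transmitter address when sniffing an off-network camera in promiscuous mode), taken once with the room still and once while you induce motion in front of the suspected lens.

```python
"""Two-layer Wi-Fi camera triage on constructed sample data.

Layer 1 (fingerprint): OUI lookup, with the failure modes from the text made explicit:
    randomized MAC, generic-chipset OUI, unknown OUI.
Layer 2 (behaviour): traffic-rate/motion correlation: per-second uplink bytes in a
    quiet window versus a window in which motion was induced in front of the lens.
"""
from statistics import mean, pstdev

# Constructed OUI table. EC:FA:BC (Espressif) is the real assignment cited in the text;
# 10:20:30 is a placeholder camera-vendor OUI and is not a real assignment.
OUI_TABLE = {
    "EC:FA:BC": ("Espressif", "chipset"),
    "10:20:30": ("PlaceholderCam", "camera"),
}


def classify_oui(mac: str) -> str:
    """Layer 1. Returns 'randomized', 'unknown', 'chipset' or 'camera'."""
    mac = mac.upper()
    first_octet = int(mac[0:2], 16)
    # Randomized MACs set the locally-administered bit (0x02 of the first octet);
    # the OUI field then carries no vendor information at all.
    if first_octet & 0x02:
        return "randomized"
    vendor, kind = OUI_TABLE.get(mac[:8], (None, None))
    if vendor is None:
        return "unknown"          # white-label or simply not in the database
    return kind                   # 'chipset' = device present, camera not established


def uplink_spike(quiet, motion, min_ratio=3.0, min_z=3.0) -> bool:
    """Layer 2. True when the induced-motion window shows a VBR-style uplink spike.

    quiet, motion: per-second uplink byte counts for one client in each window.
    A silent client (SD-only recording, standby) produces no spike and returns
    False: this method cannot see a camera that is not transmitting.
    Thresholds are constructed defaults, not values from the text.
    """
    if not quiet or not motion or mean(motion) == 0:
        return False
    base_mean, base_sd, motion_mean = mean(quiet), pstdev(quiet), mean(motion)
    if base_mean == 0:
        return True               # silent at rest, transmitting under motion
    ratio = motion_mean / base_mean
    z = (motion_mean - base_mean) / base_sd if base_sd else float("inf")
    return ratio >= min_ratio and z >= min_z


def triage(clients):
    """Combine both layers. clients: {mac: (quiet_counts, motion_counts)}."""
    verdicts = {}
    for mac, (quiet, motion) in clients.items():
        layer1 = classify_oui(mac)
        if uplink_spike(quiet, motion):
            verdicts[mac] = f"probable camera: uplink tracks motion (OUI: {layer1})"
        elif layer1 == "camera":
            verdicts[mac] = "camera-vendor OUI but no motion-correlated uplink: confirm physically"
        else:
            verdicts[mac] = f"no camera evidence (OUI: {layer1})"
    return verdicts


# Constructed per-second uplink byte counts, 10 s quiet then 10 s induced motion.
SAMPLE_CLIENTS = {
    # ESP32-based camera on an H.264 VBR stream: static scene ~40 kB/s, motion ~300 kB/s
    "EC:FA:BC:11:22:33": (
        [40000, 41000, 39500, 40200, 40800, 39900, 40100, 40600, 39700, 40300],
        [290000, 310000, 305000, 298000, 312000, 301000, 295000, 308000, 299000, 303000]),
    # Laptop with a randomized MAC, steady upload that ignores room motion
    "D2:1A:2B:3C:4D:5E": (
        [120000, 118000, 121000, 119500, 120500, 119000, 120200, 121500, 118500, 120000],
        [119000, 121000, 120500, 118000, 120000, 121500, 119500, 120800, 118200, 120300]),
    # Camera-vendor OUI but recording to SD card only: no uplink in either window
    "10:20:30:AA:BB:CC": ([0] * 10, [0] * 10),
    # Unknown-OUI IoT device (constructed OUI) sending keepalives only
    "14:34:56:00:11:22": (
        [300, 310, 295, 305, 300, 298, 302, 301, 299, 304],
        [301, 299, 303, 300, 297, 305, 300, 302, 298, 301]),
}

if __name__ == "__main__":
    for mac, verdict in triage(SAMPLE_CLIENTS).items():
        print(f"{mac}  {verdict}")
```

The verdict strings mirror the constraint in the text: an OUI match alone never yields "camera found", and a camera-vendor OUI with no motion-correlated uplink is handed to physical inspection rather than dismissed. The ratio and z-score thresholds should be tuned against the quiet baseline of the room being swept.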
1.7.3 Analog and cellular need different radios
Constraint #3: Wi-Fi scanning gear and analog-wireless-camera detection gear are completely different tool classes. An ESP32-based Wi-Fi scanner is blind to 1.2 GHz and 5.8 GHz analog cameras. A spectrum sweep with HackRF One or RTL-SDR is required for analog cameras. Cellular/4G cameras require licensed-band monitoring and are the hardest class regardless of gear.
Concrete implications:
- Analog cameras at 1.2 GHz: outside the 2.4 GHz ISM band entirely; an ESP32 Wi-Fi scan and most broadband RF bug detectors are insensitive here. An RTL-SDR with the right tuner (R820T2 covers 24–1,766 MHz) or a HackRF One (1 MHz – 6 GHz) is required. The 1.2 GHz band is less common in North America due to near-overlap with GPS L1 (1,575.42 MHz) but is used in some older imported devices.
- Analog cameras at 2.4 GHz: the band is shared with Wi-Fi and Bluetooth; an ESP32 sees the Wi-Fi MAC-layer traffic but not the analog FM-video carrier beneath it. A spectrum sweep revealing an FM-modulated carrier (not a 20/40 MHz 802.11 channel) is the tell.
- Analog cameras at 5.8 GHz: outside the ESP32 module’s capabilities entirely. An RTL-SDR with an R820T2 tuner tops out at ~1.7 GHz, leaving a large coverage gap before harmonic reception kicks in, so it is not a practical 5.8 GHz receiver; a HackRF One covers the 5.8 GHz band cleanly. This band is common in battery-powered analog cameras (longer range than 2.4 GHz at similar power).
- Cellular/4G cameras: LTE operates in licensed bands (Band 2 = 1,850–1,910 MHz uplink in North America; Band 4 = 1,710–1,755 MHz; Band 12/17 = 700 MHz). Detection requires monitoring those specific bands for anomalous uplink bursts, and the signal is encrypted and bursty. Practical cellular camera detection relies on physical and optical methods; the Rayhunter deep dive is adjacent but targets cellular network anomalies rather than camera detection.
Note: The demodulation payoff for analog cameras is substantial — once you find a carrier, you can demodulate the FM-video stream and see exactly what the camera sees. This unambiguous confirmation is the reason analog sweep is worth doing even though analog cameras are less common than Wi-Fi ones. Full technique in Vol 6 §2, including GNU Radio and gqrx demod steps.
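The 2.4 GHz tell described above (an FM-modulated carrier rather than a 20/40 MHz 802.11 channel) can be made mechanical on a waterfall. The following is an added example, not code from this series or from any SDR tool it references: it takes a waterfall as a list of sweeps of per-bin dBm values, as one might export from a spectrum sweep, and classifies each above-threshold segment by two features, occupied bandwidth from the time-max spectrum and duty cycle across sweeps. An analog video transmitter is keyed on continuously, while 802.11 traffic is bursty, so a wideband segment present in nearly every sweep is the analog candidate to hand to the demodulation step. The waterfall here is constructed (1 MHz bins from 2400 MHz, 20 sweeps, noise floor near -90 dBm) and the thresholds are assumptions to tune on real captures.

```python
"""Separate a continuous analog-video carrier from bursty 802.11 activity on a waterfall.

Input: a waterfall as a list of sweeps (time), each a list of per-bin powers in dBm
(frequency). Features per segment: occupied bandwidth (time-max spectrum above
noise floor + margin) and duty cycle (fraction of sweeps in which the segment is hot).
"""
from statistics import median

BIN_MHZ = 1.0        # constructed sweep resolution
START_MHZ = 2400.0   # first bin sits at the bottom of the 2.4 GHz ISM band


def build_sample_waterfall(sweeps=20, bins=100):
    """Constructed data: noise floor near -90 dBm with deterministic jitter, one
    continuous 18 MHz carrier at 2410-2427 MHz, and one 20 MHz 802.11-like channel
    at 2451-2470 MHz that is active in 7 of 20 sweeps."""
    wf = []
    for t in range(sweeps):
        row = [-90.0 + ((t * 7 + f * 13) % 5 - 2) for f in range(bins)]
        for f in range(10, 28):          # analog carrier: present in every sweep
            row[f] = -50.0
        if t % 3 == 0:                    # Wi-Fi burst: sweeps 0, 3, 6, ..., 18
            for f in range(51, 71):
                row[f] = -45.0
        wf.append(row)
    return wf


def find_segments(waterfall, margin_db=15.0):
    """Return (threshold, [(lo_bin, hi_bin), ...]) for contiguous runs of bins whose
    time-max power exceeds the noise floor (median of all cells) plus margin_db."""
    cells = [p for row in waterfall for p in row]
    threshold = median(cells) + margin_db
    bins = len(waterfall[0])
    time_max = [max(row[f] for row in waterfall) for f in range(bins)]
    segments, start = [], None
    for f in range(bins + 1):
        hot = f < bins and time_max[f] > threshold
        if hot and start is None:
            start = f
        elif not hot and start is not None:
            segments.append((start, f - 1))
            start = None
    return threshold, segments


def classify_segments(waterfall, continuous_duty=0.9, min_bw_mhz=3.0):
    """Label each wideband segment as continuous (analog-video candidate) or bursty.
    continuous_duty and min_bw_mhz are constructed defaults, not values from the text."""
    threshold, segments = find_segments(waterfall)
    out = []
    for lo, hi in segments:
        bw = (hi - lo + 1) * BIN_MHZ
        if bw < min_bw_mhz:
            continue  # narrowband blips are neither a video carrier nor an 802.11 channel
        width = hi - lo + 1
        active = sum(1 for row in waterfall if sum(row[lo:hi + 1]) / width > threshold)
        duty = active / len(waterfall)
        if duty >= continuous_duty:
            label = "continuous carrier: analog-video candidate (demodulate to confirm)"
        elif 15.0 <= bw <= 45.0:
            label = "bursty wideband: 802.11-like channel"
        else:
            label = "bursty: indeterminate"
        out.append({"start_mhz": START_MHZ + lo * BIN_MHZ,
                    "stop_mhz": START_MHZ + hi * BIN_MHZ,
                    "bandwidth_mhz": bw, "duty": duty, "label": label})
    return out


if __name__ == "__main__":
    for seg in classify_segments(build_sample_waterfall()):
        print(f"{seg['start_mhz']:.0f}-{seg['stop_mhz']:.0f} MHz  "
              f"bw={seg['bandwidth_mhz']:.0f} MHz  duty={seg['duty']:.2f}  {seg['label']}")
```

The duty-cycle feature is what does the work: bandwidth alone cannot separate the two, since a wideband FM-video carrier and a 20 MHz 802.11 channel overlap in width. A Wi-Fi link saturated at 100% utilization would also score as continuous, which is why the label says candidate and defers to demodulation for confirmation.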
1.8 Resources
Standards and databases
- ONVIF (Open Network Video Interface Forum) — https://www.onvif.org/ — ONVIF Profile S and Profile T define the discovery (WS-Discovery), streaming (RTSP/RTMP), and control interfaces used by IP cameras. The WS-Discovery Probe/Hello mechanism is the primary network-layer detection hook covered in Vol 3 §3.
- IEEE OUI / MAC Vendor Database — https://standards-oui.ieee.org/ — the authoritative OUI-to-vendor mapping. Updated regularly; download a fresh copy before building or refreshing the OUI fingerprint database covered in Vol 7 §5.
Academic research (cited in later volumes)
- LAPD — Sami, Tan, Sun, Han, “LAPD: Hidden Spy Camera Detection using Smartphone ToF,” ACM SenSys 2021. ToF sensor + deep learning lens retroreflection detection; 88.9% detection rate, 16.7% FP rate at short range. Research prototype, not a shipping product. Full treatment in Vol 4 §5.
- CamRadar — Liu, Lin, Wang, Shen, Ba, Lu, Xu, Ren, ACM IMWUT 6(4), 2022, DOI 10.1145/3569505. Scene-modulated clock emanation detection; 93.23% detection rate, 3.95% FP rate. Requires SDR receiver within ~1 m. Research, not turnkey. Vol 4 §8.
- EM Eye — Long, Jiang, Yan, Alam, Ji, Xu, Fu, NDSS 2024. Video reconstruction from incidental camera EM leakage using USRP B210 or RTL-SDR; demonstrated at 30 cm to several meters in controlled conditions. Research, not turnkey. Vol 4 §8.
- HeatDeCam — Yu, Li, Chang, Fong, Liu, Zhang, ACM CCS 2022. FLIR ONE + ML thermal classification; >95% accuracy on the authors’ dataset. Defeated by thermal insulation, low-power designs, nearby warm electronics. Public dataset available. Vol 4 §9.
Commercial tools referenced in later volumes
- SpyFinder Pro (SF-103P) — the reference consumer lens finder; IR LED ring + coaxial viewer. ~$100. Vol 4 §5, Vol 9 §5.
- REI ORION 2.4 HX / 900 HX — professional NLJD (~$15,000 USD, spec-sourced). The industry reference for non-emitting camera detection via semiconductor-junction harmonic response. Vol 4 §7, Vol 9 §4.
- FLIR ONE / FLIR E series — thermal cameras for HeatDeCam-style powered-electronics detection. Vol 4 §9, Vol 9 §6.
- Fing (iOS/Android) — network scanner; the quickest way to see all Wi-Fi clients and their MAC vendors on a joined network. Vol 9 §7, Vol 12.
Open-source and hub tools
- ESP32 Marauder firmware — Wi-Fi promiscuous scan + OUI matching base; fork seed for the Vol 8 device design. The ESP32 Marauder Firmware deep dive covers the firmware in depth.
- Nyan Box — native hidden-camera detection feature with 20+ brand fingerprint database. The Nyan Box deep dive Vol 7 covers the fingerprint database and sweep methodology.
- HackRF One / RTL-SDR — the spectrum-sweep and analog-camera demodulation tools. See the HackRF One deep dive for the GNU Radio and gqrx workflow.
- Rayhunter — EFF’s cellular protocol anomaly detector on a Verizon Orbic hotspot. Adjacent to cellular camera detection; see the Rayhunter deep dive for scope and limits.
Legal and ethics
_shared/legal_ethics.md — the hub-wide rules that apply to all techniques documented here. The counter-surveillance framing of this series is squarely defensive; the few offensive-adjacent techniques (deauth-confirm, analog-stream demodulation) are gated to consenting-environment use and cross-referenced to this document in Vols 3, 6, and 13.
This is Volume 1 of a fifteen-volume series. Next: Vol 2 walks the detection physics of broadband RF bug detectors and spectrum sweeps — how a diode/log-amp power detector works, what the FM-video carrier of an analog camera looks like on a waterfall display, and why RF instruments cannot catch non-emitting cameras regardless of claimed sensitivity.