---

15.1 About this card set

This is Volume 15 — the final volume of the CameraDetection deep dive. It is a pure synthesis: every card condenses a full source volume into a laminate-and-carry field reference. The complete detection sequence (Vol 12), the power-state capability matrix (Vol 4), the camera-vendor OUI quick-list (Vols 3 and 5), the lens-glint and IR-emitter step procedures (Vols 4 and 11), the phone-app shortlist (Vol 11), the RF-constraint reminder (Vols 1 and 4), and a working glossary covering every technical term in the series.

Each card stands alone. For the physics and full rationale, return to the originating volume cited in each card header. All quantitative claims are spec-sourced where marked; detection-range values pending bench verification.

---

⚠ WARNING — Legal and ethical posture (carry with every sweep):

All detection methods here are oriented toward defensive counter-surveillance in a space you occupy and are authorized to inspect — your hotel room, an Airbnb bathroom, a changing room. Sweeping a space you do not occupy is illegal in most jurisdictions. Offensive-adjacent steps — deauth-confirm, WFM demodulation of a found carrier, RF capture of others’ traffic — require explicit authorization. Full posture statement: ../../_shared/legal_ethics.md.

---

15.2 The sweep-order card

Condensed from Vol 12 §2–§4. Sequencing principle: broad and fast first; narrow and slow last; definitive last of all.

═══════════════════════════════════════════════════════════════════
          SEVEN-STAGE ROOM-SWEEP — FIELD FLOWCHART
═══════════════════════════════════════════════════════════════════

  ╔══════════════════════════════════════╗
  ║  STAGE 0: ENTRY AND PREPARATION      ║  3–10 min · $0
  ║  □ Sketch room layout                ║
  ║  □ Photo all smoke detectors         ║
  ║  □ Photo all USB wall chargers       ║
  ║  □ Count picture frames facing bed   ║
  ║  □ Note any new / out-of-place object║
  ║  □ Check Wi-Fi SSID list before      ║
  ║    joining any network               ║
  ╚════════════════╤═════════════════════╝
                   │
                   ▼
  ╔══════════════════════════════════════╗
  ║  STAGE 1: BROADBAND RF SWEEP         ║  5–15 min · $20–$500+
  ║  □ HackRF + osmocom_fft sweep 1.2 / ║
  ║    2.4 / 5.8 GHz for persistent FM  ║
  ║    carrier (K18 broadband fallback)  ║
  ║  ON HIT → WFM demod confirm;         ║
  ║            RSSI walk to source       ║
  ╚════════════════╤═════════════════════╝
                   │
                   ▼
  ╔══════════════════════════════════════╗
  ║  STAGE 2: WI-FI NETWORK SCAN         ║  5–15 min · $0–$180
  ║  □ Sub-A: Fing on room Wi-Fi (OUI + ║
  ║    mDNS / ONVIF / Services)          ║
  ║  □ Sub-B: AWOK Marauder scanap /     ║
  ║    scansta — off-net radio visible   ║
  ║  □ Sub-C: tshark traffic-rate /      ║
  ║    motion-correlation confirm        ║
  ║  ON HIT → RSSI walk; probe RTSP 554 ║
  ╚════════════════╤═════════════════════╝
                   │
                   ▼
  ╔══════════════════════════════════════╗
  ║  STAGE 3: OPTICAL LENS               ║  10–20 min · $0–$148
  ║  RETROREFLECTION                     ║
  ║  ★ Works on POWERED-OFF cameras ★   ║
  ║  □ Dim room                          ║
  ║  □ SpyFinder Pro SF-103P sweep in   ║
  ║    slow horizontal strips, top-down  ║
  ║  □ Second pass from different angle  ║
  ║  □ Mark every glint; inspect ALL     ║
  ╚════════════════╤═════════════════════╝
                   │
                   ▼
  ╔══════════════════════════════════════╗
  ║  STAGE 4: IR-EMITTER SPOTTING        ║  3–5 min · $0
  ║  □ Verify front cam IR sensitivity   ║
  ║    (TV remote test first)            ║
  ║  □ Full darkness; front cam video    ║
  ║  □ Sweep for white/purple LED glow   ║
  ║  ON HIT → physical inspect           ║
  ╚════════════════╤═════════════════════╝
                   │
                   ▼
  ╔══════════════════════════════════════╗
  ║  STAGE 5: THERMAL TRIAGE             ║  5–10 min · $199–$400
  ║  □ FLIR ONE Gen 3 or Pro sweep       ║
  ║  □ Flag warm anomalies inconsistent  ║
  ║    with expected object state        ║
  ║    (powered cam: +5–15 °C, spec)     ║
  ║  ON HIT → cross with Stage 3;        ║
  ║            physical inspect          ║
  ╚════════════════╤═════════════════════╝
                   │
                   ▼
  ╔══════════════════════════════════════╗
  ║  STAGE 6: NLJD (PROFESSIONAL)        ║  15–30 min · ~$10k–$20k (spec-sourced)
  ║  ★ Works on POWERED-OFF cameras ★   ║
  ║  □ REI ORION 2.4 HX + 900 HX        ║
  ║  □ Skilled operator required         ║
  ║  □ 2nd/3rd harmonic ratio check      ║
  ║  □ Tap test for PIM discrimination   ║
  ║  ON HIT → ratio + tap + inspect      ║
  ╚════════════════╤═════════════════════╝
                   │
                   ▼
  ╔══════════════════════════════════════╗
  ║  STAGE 7: PHYSICAL SEARCH            ║  Varies · $50–$2k
  ║  + BORESCOPE                         ║
  ║  □ Clear ALL flags from Stages 1–6  ║
  ║  □ Systematic baseline: smoke dets,  ║
  ║    USB chargers, clocks, pic frames, ║
  ║    vents, decorative objects         ║
  ║  □ Borescope closed/recessed spaces  ║
  ║  □ Cable trace for wired-cam track   ║
  ╚════════════════╤═════════════════════╝
                   │
                   ▼
  ╔══════════════════════════════════════╗
  ║  SWEEP COMPLETE                      ║
  ║  "Clean sweep" ≠ "no camera."        ║
  ║  State stages done + gaps remaining  ║
  ║  (e.g., no NLJD available).          ║
  ╚══════════════════════════════════════╝
───────────────────────────────────────────────────────────────────
Coverage:
  Stage 1 → Analog wireless cams (1.2/2.4/5.8 GHz FM-video)
  Stage 2 → Wi-Fi/IP cams (on-net + off-net radio + traffic-rate)
  Stage 3 → ALL cam classes in ALL power states (lens optics)
  Stage 4 → Powered cams with active 850/940 nm IR LEDs
  Stage 5 → Powered cams generating heat
  Stage 6 → Powered-OFF cams with semiconductors (pro only)
  Stage 7 → Everything instruments missed; all anomaly confirms
───────────────────────────────────────────────────────────────────

15.2.1 Stage-order quick reference

Source: Vol 12 §3.2

Table 1 — 2.1 Stage-order quick reference

Stage	Catches (camera class)	Does NOT catch	Budget	Skilled?	Time
0: Prep	Baseline only	—	$0	No	3–10 min
1: RF sweep	Analog wireless 1.2/2.4/5.8 GHz FM-video	ALL non-emitting; 802.11; cellular	$20–$500+	No (K18); basic (HackRF)	5–15 min
2: Network scan	Wi-Fi/IP cams — on-net OUI/mDNS + off-net radio + traffic-rate	ALL non-emitting; analog wireless; cellular	$0–$180	No	5–15 min
3: Optical lens	ANY cam in ANY power state — powered-OFF lens detectable	Deeply obscured/recessed lenses; angles missed	$0–$148	No (discipline req.)	10–20 min
4: IR-emitter	Powered cams with active 850/940 nm IR LEDs	No-IR cams; standby (IR off); powered-off	$0	No	3–5 min
5: Thermal	Powered cams generating heat above NETD threshold	Powered-OFF cams; insulated cams; low-power	$199–$400	No	5–10 min
6: NLJD	Semiconductor junctions in ANY power state — powered-OFF detectable	PIM/rusty-bolt (ratio + tap test required); thick shielding	~$10k–$20k (spec-sourced)	Yes — essential	15–30 min
7: Physical	Everything instruments missed; all anomaly confirmations	Only what operator physically skips	$50–$2,000	No	Varies

15.2.2 What each stage rules in and out

Source: Vol 12 §3.3

Table 2 — 2.2 What each stage rules in and out

Stages completed	Definitively ruled out	What remains open
Stage 1 clean	Actively transmitting analog wireless cams at scan time	ALL non-emitting; Wi-Fi; cellular; cams not transmitting
Stages 1–2 clean	Above + transmitting Wi-Fi cams on/near property network	ALL non-emitting; cams not transmitting at scan time
Stages 1–3 clean	Above + cams with exposed lenses at sweep angles/distances covered	Deeply recessed/obscured lenses; angles missed
Stages 1–5 clean	Above + powered cams above thermal detection threshold	Powered-OFF cams; insulated cams; below NETD threshold
Stages 1–6 clean (NLJD)	Above + cams with semiconductor junctions reachable by NLJD probe	Cams behind thick shielding; probe positions not reached
Stages 1–7 clean	Maximum defensible claim: no cam found by any method	Cams physically missed; stated limitations in sweep report

The honest ceiling: A clean sweep through all seven stages represents the most defensible counter-surveillance technique available to a civilian or professional TSCM operator. It is not 100%. State this limitation in every sweep conclusion.

15.2.3 Phone-only 10-minute field sweep

Source: Vol 12 §4.2. Covers naively installed on-network Wi-Fi cams, IR-equipped cams in darkness, and large-aperture lenses at close range. Does NOT cover analog wireless, SD-only cams at > 1–2 m, off-network MAC-randomized cams, cellular, wired, or powered-off cams.

┌─────────────────────────────────────────────────────────────────┐
│             PHONE-ONLY 10-MINUTE FIELD SWEEP CARD               │
├───────┬────────────────────────────────────┬────────────────────┤
│ Min   │ Action                              │ Tool / App         │
├───────┼────────────────────────────────────┼────────────────────┤
│ 0–2   │ Join room Wi-Fi → Fing →           │ Fing (free;        │
│       │ Scan Network. Flag camera-brand     │ iOS/Android)       │
│       │ OUIs. Check Services for           │                    │
│       │ _rtsp._tcp or _onvif._tcp entries. │                    │
├───────┼────────────────────────────────────┼────────────────────┤
│ 2–3   │ Phone Wi-Fi settings: view AP list. │ Phone Settings     │
│       │ Flag camera-like SSIDs or hidden   │ → Wi-Fi            │
│       │ SSIDs at unusual RSSI for room.    │                    │
├───────┼────────────────────────────────────┼────────────────────┤
│ 3–6   │ Physical inspection: smoke dets     │ Eyes + phone torch │
│       │ (extra lens hole?), USB chargers   │                    │
│       │ (all four faces), alarm clocks,    │                    │
│       │ picture frames facing bed/shower,  │                    │
│       │ any new/out-of-context object.     │                    │
├───────┼────────────────────────────────────┼────────────────────┤
│ 6–8   │ All lights off → front cam video   │ Phone front camera │
│       │ mode → sweep all high-risk objects  │ (no app required)  │
│       │ for white/purple IR glow.          │                    │
├───────┼────────────────────────────────────┼────────────────────┤
│ 8–10  │ Lights on: phone at eye level with  │ Glint Finder app   │
│       │ rear flash facing room. Walk to    │ (Android) or phone │
│       │ within 1 m of each suspect surface. │ flash + front cam  │
│       │ Inspect every retroreflective glint.│                    │
└───────┴────────────────────────────────────┴────────────────────┘

---

15.3 The power-state capability matrix card

Condensed from Vol 4 §4. The organizing artifact for the entire series. Three power states: Powered + capturing (active, IR LEDs on); Powered / standby (on but idle, IR off); Fully OFF (no current — only passive physical properties remain). Only three methods catch a fully powered-off camera: optical retroreflection, NLJD, and X-ray/backscatter.

Table 3 — 3. The power-state capability matrix card

Method	Powered + capturing	Powered / standby	Fully OFF	Cost range	Honest reliability
Optical lens retroreflection (SpyFinder Pro SF-103P)	✅	✅	✅	$30–$400	Most universal. Power-state agnostic (lens is passive optical element). False-positive-heavy — every glint physically inspected. Spec-sourced range; bench verify.
IR-emitter spotting (850/940 nm LEDs via phone front cam)	✅ (IR LEDs must be active)	— (LEDs off in standby)	❌	Free	Reliable for IR-equipped cams in darkness. Misses: no-IR cams, standby, fully-off cams. Zero-cost triage.
NLJD (REI ORION 2.4 HX / 900 HX)	✅	✅	✅	~$10k–$20k (spec-sourced)	The powered-off method. Detects every semiconductor junction regardless of power state. 2nd/3rd harmonic ratio + tap-test rejects PIM false positives. Skilled-operator-dependent.
Incidental EMI side-channel (CamRadar IMWUT’22; EM Eye NDSS’24)	✅	Clock only (weak)	❌	$30–$2,000+ SDR	Research proof-of-concept. ~93% in CamRadar’s controlled lab; SNR/clutter-limited in real rooms. Not turnkey; not a shipping product.
Thermal imaging (HeatDeCam CCS’22; FLIR ONE)	✅ (device warmed up)	Marginal (less heat)	❌	$150–$400 FLIR ONE	Fast broad-area triage. Defeated by insulation, low-power sensors, nearby warm electronics, powered-off cams. HeatDeCam >95% in lab (research, not shipping product).
Acoustic (IR-cut filter click; coil whine)	✅ (at light transitions)	Maybe	❌	Free	Niche corroboration cue only. Only cameras with electromechanical IR-cut filters at moment of transition. Not a sweep method.
AC magnetometer (oscillator field; Lockhart class)	✅	✅ (if oscillator running)	❌	$1,000–$5,000	Detects AC magnetic field from running oscillators. Corroborator at close range only; false-positive-heavy in occupied room.
DC magnetometer (ferrous components; permanent magnets)	✅	✅	Partial (ferrous only)	~Free (phone compass)	Low standalone value. Corroborating cue only. Very short range (~5 cm).
X-ray / backscatter (Viken class)	✅	✅	✅	$20,000–$100,000+ (spec-sourced)	Definitive on enclosed objects, walls, luggage. Specialist operator + radiation safety + licensing. Professional TSCM only.
Borescope / physical search	✅	✅	✅	$50–$2,000	Universal confirmation step. Converts every anomaly to a confirmed find or confirmed false positive. Not triage — it is the conclusion of a sweep.

⚠ CRITICAL — only THREE methods catch a fully powered-off camera:

Optical lens retroreflection (SpyFinder Pro / SF-103P) · NLJD (REI ORION) · X-ray/backscatter

Every other method — IR-emitter spotting, thermal, EMI side-channel, acoustic, magnetometer — requires the camera to be powered. An adversary who powers down devices before a sweep renders thermal and EMI methods blind. Stages 3 and 6 are where the powered-off camera is caught.

15.3.1 Suspected state → best method

Source: Vol 4 §3 reader’s map

Table 4 — 3.1 Suspected state → best method

Suspected camera state	First choice	Second choice	Definitive confirmation
Unknown / any	Optical retroreflection (Stage 3) — works in all states	NLJD (Stage 6) if budget allows	Physical / borescope (Stage 7)
Powered and recording	Thermal triage (Stage 5) — fast, broad	IR-emitter spotting (Stage 4) if night-vision likely	Optical + physical confirm
Powered, standby	Optical retroreflection (Stage 3)	NLJD (Stage 6)	Physical confirm
Fully OFF	NLJD (Stage 6) — only active electronic method	Optical retroreflection (Stage 3) — passive, always works	X-ray / backscatter
Wired to NVR	PoE/LAN scan (Vol 6 §5)	Optical retroreflection	Cable trace / borescope
Budget: $0 (phone only)	IR-emitter via front cam	Phone flash + front cam retroreflection (< 1–2 m)	Physical inspect every suspect object
Budget: < $200	SpyFinder Pro SF-103P (~$148)	FLIR ONE Gen 3 (~$199)	Borescope (~$50)
Budget: unlimited	NLJD: REI ORION 2.4 HX + 900 HX	Full thermal survey + HeatDeCam approach	X-ray / backscatter

15.3.2 Wired-camera detection track

Source: Vol 4 §4.2. Wired cameras (coaxial composite, Cat5 PoE IP) are invisible to every RF and Wi-Fi method. These cable-side methods are required.

Table 5 — 3.2 Wired-camera detection track

Method	What it finds	Tool	Limit
Cable tracing	Wiring concealed in walls, conduit, furniture	Triplett Fox & Hound 3399 (~$95, spec-sourced)	Requires access to cable end
TDR	Impedance discontinuities (splices, taps) along a cable run	Dedicated TDR or cable analyzer	Locates discontinuity; human inspects at that point
PoE/LAN scan	IP cameras drawing PoE power over Cat5/6	ONVIF probe; nmap port 554/8899/80	Fully visible on the wire even without Wi-Fi
Find-the-recorder + back-trace	The DVR/NVR the wired camera feeds	Physical inspection of utility areas	Recorders typically in locked enclosures
PLC (powerline-carrier video)	Legacy analog video modulated onto 120/240 VAC power line between camera and receiver	Conducted-signal detector (e.g. ComSec Lockhart)	Specialist tool; see Vol 4 §4.2 for full treatment

---

15.4 Camera-vendor OUI quick-list

Condensed from Vol 3 §2.2 (primary; web-verified June 2026) and Vol 5 §3.1 (additional vendors + cloud services; spec-sourced additions marked). OUI = first 24 bits of MAC address. Use as a fast-filter triage during Fing or Marauder scan. A match is a flag — proceed to mDNS / RTSP probe / traffic-rate correlation.

15.4.1 Camera-brand OUI table

Table 6 — 4.1 Camera-brand OUI table

Vendor	OUI prefixes	Verification	Notes
Hikvision	C0:56:E3 · BC:AD:28 · 44:19:B6 · 54:8C:81 · 24:48:45 · 0C:75:D2 · 58:03:FB¹	Web-verified Jun 2026 (6 prefixes); 58:03:FB IEEE MA-L confirmed; device-level = spec-sourced	Largest single-vendor camera OUI footprint in the IEEE DB; 6+ confirmed MA-L blocks
Dahua	90:02:A9 · 3C:EF:8C · E0:50:8B · 38:AF:29 · 08:ED:ED · 4C:11:BF	Web-verified Jun 2026	Ships under 100+ OEM brand names; Amcrest is primary Dahua OEM
Wyze	2C:AA:8E	Web-verified Jun 2026	Single block; many Wyze Cam models use Espressif (EC:FA:BC) or MediaTek — OUI resolves to chipmaker, not Wyze
Reolink	EC:71:DB	Web-verified Jun 2026	Single MA-L allocation; newer PoE models may present chipset OUIs
Amcrest	Shares Dahua OUIs (90:02:A9, etc.)	—	Dahua hardware OEM; firmware, chipsets, and OUIs typically identical to Dahua
Tapo (TP-Link)	50:C7:BF · B0:BE:76 · 6C:5A:B5 · AC:84:C6	TP-Link MA-L blocks confirmed; Tapo camera device-level = spec-sourced²	Cloud: n.tplinkcloud.com / security.iotcl.com
Eufy (Anker)	40:26:19 · 44:27:B5	Anker MA-L blocks confirmed; Eufy camera device-level = spec-sourced²	Streams via HomeBase; cloud: homebase.eufylife.com
Ring (Amazon)	74:C2:46 · 7C:E9:D3	Ring MA-L blocks confirmed; device-level = spec-sourced²	Cloud: ring.com AWS IoT; WebRTC TURN 443/3478

¹ 58:03:FB — IEEE MA-L registration confirmed for Hikvision (registered 2018-04-13). Device-level assignment to specific camera models is spec-sourced. ² IEEE MA-L assignment to the company is confirmed; which physical camera models carry this OUI is unverified at bench. Verify against live IEEE OUI DB before committing to a fingerprint database.

Key ports (ONVIF): RTSP 554 · HTTP ONVIF 80/8080 · Hikvision ONVIF 8899 · P2P/HTTPS 443. Lookup: standards-oui.ieee.org (authoritative) · maclookup.app · local nmap-mac-prefixes (offline).

15.4.2 Generic-module OUIs — elevated concern

Source: Vol 5 §3.1 and Vol 3 §2.4. These OUIs resolve to chipset vendors, not camera brands. Any match demands deeper investigation — proceed to mDNS discovery and traffic-rate correlation.

Table 7 — 4.2 Generic-module OUIs — elevated concern

OUI prefix	Registered to	Camera context
EC:FA:BC · A4:CF:12	Espressif Systems	Generic ESP32/ESP8266 Wi-Fi module — any ESP32-based camera, lock, sensor, or IoT device
74:DA:38	Edimax Technology Co., Ltd.	Common in low-cost IP camera modules; budget brands use Edimax modules
9C:65:F9	MediaTek Inc. (via Ralink)	MediaTek Wi-Fi chipset — common in mid-range cameras; white-label risk high
00:E0:4C	Realtek Semiconductor Corp.	Realtek WLAN — similar situation to MediaTek

15.4.3 OUI fragility caveats

Source: Vol 3 §2.4. Three limits apply on every sweep.

1. MAC randomization. IEEE 802.11-2020 per-SSID MAC randomization (LAA bit set: first-octet ...1x in binary). Most purpose-built Hikvision/Dahua/Reolink cameras do NOT randomize. Generic ESP32-based cameras may randomize per boot. A randomized MAC cannot match any OUI entry — traffic-rate correlation (Vol 3 §5) is the only remaining detection path.

2. Generic Wi-Fi module. Many budget cameras use off-the-shelf chipsets — OUI resolves to Espressif, MediaTek, Realtek, or Edimax, not the camera brand. A mismatch does not clear the device.

3. White-label manufacturing. Chinese manufacturers supply hardware to hundreds of Western brands (Swann, ZOSI, Night Owl, Amazon-sold brands). These may present the OUI of the underlying manufacturer (Dahua or Hikvision) or a different module OUI.

---

15.5 Lens-glint and IR-emitter technique

Condensed from Vol 4 §5–§6 (physics and procedures) and Vol 11 §6.3–§6.5 (phone implementation). Both techniques work regardless of network presence or encryption.

15.5.1 SpyFinder Pro SF-103P procedure card

Source: Vol 4 §5.2 and Vol 12 §2.4. Physics: every camera lens retroreflects coaxially-placed light back toward the illuminator because the lens elements and CMOS sensor form a cat’s-eye retroreflector. Detection is power-state agnostic — a powered-off lens still retroreflects.

Equipment: SpyFinder Pro SF-103P (~$148; web-verified). Red LED ring surrounding a central optical viewfinder (~620–640 nm).

Distinguishing characteristic: A camera lens returns a persistent, depth-recessed glint that tracks with illumination angle. A non-lens specular reflector (metal screw, glass bottle) flashes briefly at one angle and vanishes.

Table 8 — 5.1 SpyFinder Pro SF-103P procedure card

Step	Action
1	Darken the room (close curtains, reduce lamp brightness)
2	Start at room entry; sweep in slow horizontal strips, top to bottom
3	Peer through the viewfinder while sweeping the LED ring across all surfaces
4	Prioritize: smoke detectors, USB chargers, alarm clocks, picture frames, air vents, decorative objects
5	Repeat from a second vantage point (recessed lenses may reflect at only certain angles)
6	Mark every glint — sticky note or phone annotation
7	Physically inspect every marked location — no exceptions

Detection range: 0.6–14 m stated; conservatively 2–4 m for pinhole apertures in ambient lighting (spec-sourced; bench verify).

False-positive discipline: The false-positive rate in a furnished room is high — 5–20 non-camera glints (eyeglasses, metal screws, glass bottles, mirrors) before (or instead of) a camera. The temptation to stop inspecting after the first few false positives is the primary operational failure mode.

15.5.2 IR-LED spotting — phone front-camera card

Source: Vol 4 §6 and Vol 11 §6.4. Physics: night-vision cameras emit 850 nm or 940 nm IR LEDs for scene illumination. The phone front (selfie) camera typically lacks the IR-cut filter present in the rear main camera.

Prerequisite test (do once per phone model):

Table 9 — Prerequisite test (do once per phone model):

Step	Action	Expected result
1	Find a TV remote control (940 nm IR LED)	—
2	Point remote at rear main camera while pressing a button	Nothing visible (rear cam has IR-cut filter)
3	Point remote at front camera while pressing a button	White/purple glow visible if front cam is IR-sensitive

If Step 3 shows no glow: front camera has a full IR-cut filter — skip this technique.

Sweep procedure:

Table 10 — Sweep procedure:

Step	Action
1	Darken the room completely (all lights off, curtains closed)
2	Open front camera in video mode; disable night mode and flash
3	Sweep slowly across smoke detectors, USB outlets, picture frames, decorative objects, air vents
4	An active 850/940 nm IR LED array appears as a bright white or purple-tinted cluster — unmistakable in a dark room
5	Note glow direction; turn lights on; physically inspect the source

---

15.6 App shortlist

Condensed from Vol 11 §6.1–§6.5. Phone-based tools for field sweeps.

Table 11 — 6. App shortlist

App / technique	Platform	Cost	What it catches	What it misses	Honest rating
Fing (network scanner)	iOS + Android	Free	Wi-Fi cameras on the same network — vendor OUI, mDNS service (_rtsp._tcp, _onvif._tcp), open RTSP port 554. Services view flags camera indicators independently of OUI.	Cameras on a separate network; cellular cameras; SD-only and wired cameras; cameras with randomized MACs (appear as “Unknown”).	Useful — do this first in every field sweep.
Hidden Camera Detector (magnetometer apps)	iOS + Android	Free	Strong static magnetic fields from permanent magnets (mounting brackets, AC transformer cores).	Nearly all cameras (most have no significant magnetic signature). “99% accuracy” claims are misleading — FP rate in a furnished room is high; TP rate against non-magnetic SD-only cameras is zero by definition.	Low confidence; corroborating cue only. A magnetic anomaly at a suspected location is a reason to look more carefully — not evidence of a camera on its own.
Glint Finder (retroreflection via phone flash)	Android	Free (APK)	Camera lenses at close range (< 1–2 m) — retroreflects phone flash LED as a blinking bright spot. Same physics as SpyFinder Pro but inferior geometry: flash LED is 2–5 cm off-center from the camera sensor.	Pinhole cameras at normal sweep distance (> 1–2 m); lenses where off-axis geometry prevents retroreflected spot from reaching the sensor.	Useful at < 1–2 m; significantly inferior to SpyFinder Pro at normal sweep distances. Supplement, not primary sweep tool.
IR-LED spotting (front cam, no app)	iOS + Android	Free	Powered cameras with active 850/940 nm IR illumination in complete darkness.	Cameras without IR LEDs; cameras in standby (IR off); powered-off cameras; phone models with full IR-cut front cameras.	Useful zero-cost supplement; requires front-cam IR sensitivity check first.
Phone flash + front camera (no app)	iOS + Android	Free	Medium-to-large-aperture camera lenses at < 2 m — front cam as viewer with rear flash approximates coaxial geometry.	Pinhole lenses at distance; inferior geometry vs. Glint Finder without the toggle assist.	Quick first pass at < 2 m; SpyFinder Pro is better at any meaningful sweep distance.

---

15.7 What RF cannot catch

This is the most important field reminder in the series. Condensed from Vol 1 §7 (constraint #1), Vol 4 §2.1, and Vol 12 §1.

╔═══════════════════════════════════════════════════════════════════╗
║                                                                   ║
║         W H A T   R F   C A N N O T   C A T C H                  ║
║                                                                   ║
║   RF detection — spectrum sweep, Wi-Fi scan, OUI matching,       ║
║   network scan — is physically blind to:                         ║
║                                                                   ║
║   ● SD-only cameras (microSD / eMMC / USB flash storage)         ║
║     No radio hardware. No transmission. Nothing to receive.      ║
║     Cost: $20–$50 AliExpress class. 1080p. Motion-trigger.       ║
║     4–6 hours battery. Housing the size of a drywall screw.      ║
║                                                                   ║
║   ● Wired cameras (coaxial composite / Cat5 PoE to NVR)          ║
║     No wireless emission at any point in the signal path.         ║
║     The NVR is typically in a locked enclosure elsewhere.        ║
║                                                                   ║
║   ● Any camera powered off before the sweep begins               ║
║     (thermal, IR, and EMI methods also fail)                     ║
║                                                                   ║
║   This is NOT a limitation of instrument quality. It is a        ║
║   physical law. A more sensitive RF receiver cannot detect a     ║
║   device that emits nothing, any more than a more sensitive       ║
║   microphone can record a room that is silent.                   ║
║                                                                   ║
║   ▶ "Clean RF sweep" means: no RF-emitting camera was detected. ║
║   ▶ "Clean RF sweep" does NOT mean: no camera is present.       ║
║   ▶ The sweep is complete when Stage 7 is complete —             ║
║     NOT when Stage 2 is clean.                                   ║
║                                                                   ║
╚═══════════════════════════════════════════════════════════════════╝

The non-emitting camera gap. The only methods that catch SD-only and wired cameras:

Table 12 — The non-emitting camera gap. The only methods that catch SD-only and wired cameras

Method	Power-state coverage	Requires
Optical lens retroreflection (Stage 3)	All states — works powered-off	Exposed lens in sweep line of sight; SpyFinder Pro recommended
NLJD (Stage 6)	All states — works powered-off	REI ORION; skilled operator; ~$10k–$20k (spec-sourced)
Thermal imaging (Stage 5)	Powered-on only	Camera generating > 5 °C above ambient (spec-sourced)
Physical search / borescope (Stage 7)	All states	Operator access to the physical object
Cable tracing / TDR	Wired cams only	Access to cable end or cable run

Honest ceiling (repeat at every sweep conclusion):

A clean sweep through all seven stages represents the most defensible technique available. It is not a guarantee. A professionally installed SD-only pinhole camera with a deeply recessed lens, thermal insulation, and positioning that blocked NLJD probe access can survive a thorough sweep.

---

15.8 Glossary / quick reference

Key terms from the CameraDetection series. The seven terms named in the task spec (OUI, ONVIF, RTSP, NLJD, TDR, retroreflection, IR-cut) plus the most-referenced supporting terms.

Table 13 — 8. Glossary / quick reference

Term	Definition
OUI	Organizationally Unique Identifier — the first 24 bits of a MAC address, assigned by the IEEE Registration Authority to the device manufacturer. Used for vendor fingerprinting in Fing and Marauder scans. Source: Vol 3 §2.1.
ONVIF	Open Network Video Interface Forum — industry standard for IP camera interoperability. Profile S covers video streaming and PTZ. Cameras announce via WS-Discovery (UDP 3702) and expose a SOAP/HTTP management API (typically port 80 or 8899 for Hikvision). Source: Vol 3 §3.4.
RTSP	Real-Time Streaming Protocol — control protocol for IP camera video streams (DESCRIBE / SETUP / PLAY). IANA port 554/TCP. A responding RTSP server on port 554 is near-certain confirmation of a camera or NVR. Source: Vol 3 §4.1.
NLJD	Non-Linear Junction Detector — transmits at frequency f₀; receives at 2f₀ and 3f₀ (harmonics produced only by non-linear semiconductor junctions). Detects any semiconductor regardless of power state. REI ORION 2.4 HX / 900 HX are the reference professional instruments. Source: Vol 4 §7.
TDR	Time-Domain Reflectometry — locates impedance discontinuities (splices, taps, connectors) along a cable run by transmitting a pulse and measuring the round-trip time of the reflected echo. Used to locate coaxial or Cat5 extensions associated with wired cameras. Source: Vol 4 §4.2.
Retroreflection	Property of an optical surface that returns incident light back toward its source with high efficiency (within the acceptance cone). Camera lenses retroreflect because the lens elements and CMOS sensor form a cat’s-eye cavity. Exploited by the SpyFinder Pro. Source: Vol 4 §5.1.
IR-cut filter	Optical filter that blocks near-infrared wavelengths (typically > 700 nm) from reaching the CMOS sensor. Present in most main rear phone cameras; often absent or partial in front (selfie) cameras, enabling IR-LED spotting. Source: Vol 4 §6.2.
VBR / traffic-rate	Variable Bit Rate — video encoding mode where output bitrate varies with scene complexity. A streaming camera’s uplink bitrate rises 2–5× during motion, producing a correlated spike detectable in encrypted Wi-Fi frame sizes. The robust detection tell for Wi-Fi cameras. Source: Vol 3 §5.
RSSI-walk localization	Following the received-signal-strength gradient toward a detected camera’s physical location. RSSI = received signal strength (negative dBm; less negative = stronger). Smoothed with EMA filter. Source: Vol 5 §5.
PIM / Rusty-bolt	Passive Intermodulation — harmonic generation by oxidized metal-to-metal contacts (corroded screws, HVAC joints). Primary NLJD false-positive source. Discriminated from real semiconductor junctions by: (1) 2nd/3rd harmonic ratio (PIM is 2nd-heavy); (2) tap test (PIM signal modulates on physical tap; semiconductor is mechanically stable). Source: Vol 4 §7.2–§7.3.
mDNS	Multicast DNS (RFC 6762) — zero-configuration service announcement via multicast 224.0.0.251, port 5353. IP cameras announce _rtsp._tcp and _onvif._tcp service records within seconds of joining a network. Detected by Fing and avahi-browse. Source: Vol 3 §3.1.
MAC randomization	IEEE 802.11-2020 per-SSID MAC randomization to prevent cross-network tracking. Locally administered address (LAA bit set: first-octet ...1x in binary). A randomized MAC cannot be matched against any OUI entry — traffic-rate correlation becomes the only Wi-Fi-layer detection path. Source: Vol 3 §2.4.
Deauth-confirm	Consenting-environment-only technique: send 802.11 deauthentication frames to a suspected camera’s BSSID and observe whether it reconnects (confirming it is a live Wi-Fi client). Requires explicit authorization. See ../../_shared/legal_ethics.md. Source: Vol 3 §6.
LAPD	Lens-Assisted Photography Detection — research system (ACM SenSys 2021) using smartphone time-of-flight sensor to detect camera lens retroreflection. 88.9% detection at 16.7% FP rate in real-world evaluation. Requires Sony IMX516 iToF hardware. Proof-of-concept; not a shipping product. Source: Vol 4 §5.3.
CamRadar / EM Eye	EMI side-channel research systems. CamRadar (IMWUT 2022): 93.23% detection via AM modulation of camera clock EMI in controlled lab. EM Eye (NDSS 2024): reconstructs video from unintentional EM leakage. Both proof-of-concept; neither is a turnkey sweep tool. Source: Vol 4 §8.2–§8.3.

---

This card set synthesizes the complete CameraDetection deep dive — Vols 1–14. For physics derivations, bench procedures, and full false-positive profiles, return to the originating volume cited at the top of each card. Legal and ethical posture governing every stage of every sweep: ../../_shared/legal_ethics.md.