Camera Detection · Volume 4
CameraDetection Volume 4 — Detection Physics III: Finding Non-Emitting Cameras
Power-state capability matrix · retroreflection · NLJD · EMI side-channel · thermal · physical search
4.1 About this volume
This volume is the hardest chapter in the CameraDetection series: finding cameras that produce no radio-frequency emission of any kind. SD-only cameras record to a local microSD card and are retrieved physically. Wired cameras transmit over coaxial cable or Cat5 to a local DVR/NVR and never put a signal in the air. Both classes are completely invisible to every RF method — Wi-Fi scanner, broadband bug detector, spectrum analyzer, software-defined radio. No matter how sensitive the instrument, if there is no emission, there is nothing to receive.
This volume is the find-them arc’s centerpiece, organized around a single organizing artifact: the power-state capability matrix, which maps each detection method against the camera’s operating state (powered and capturing / powered on standby / fully powered off) and gives an honest reliability rating for each cell. Every method gets its own section with schematic-grade detail — how it works physically, what it catches, what it misses, and what its false-positive profile looks like in a real sweep environment.
Provenance. This volume is authored spec- and survey-sourced from public material: vendor pages, academic papers, patent documents, and open-source repositories. Every quantitative claim carries either a verified citation (web-verified against the published source during authoring) or an explicit spec-sourced label pending bench verification.
Four standout research results are cited in this volume. All four are proof-of-concept systems demonstrated in controlled laboratory conditions. None is a shipping commercial product. They are labeled throughout.
[FIGURE SLOT — Vol 4, § 1] Overview photo showing a professional TSCM (technical surveillance countermeasures) sweep kit laid out: a lens retroreflection finder, a thermal camera, and an NLJD wand. Source: Photo Helper search “TSCM counter surveillance equipment sweep kit” — or vendor product page. Caption when filled: “Figure 4.1 — A professional TSCM sweep kit: lens finder (left), FLIR thermal attachment (center), REI ORION NLJD (right). Each instrument flags a different anomaly class. Photo: File:Name.jpg by
. .“
4.2 The non-emitting problem framed
4.2.1 Why RF fails completely
Every radio-frequency detection method — from a $20 K18 broadband power detector to a $10,000 spectrum analyzer to a purpose-built Wi-Fi OUI scanner — works by receiving an electromagnetic signal that the target device emits. Remove the emission and the instrument has nothing to process. The failure mode is not sensitivity; it is a category error. A more sensitive RF receiver cannot detect a device that emits nothing, any more than a more sensitive microphone can record a room that is silent.
Non-emitting cameras fall into two sub-types:
SD-only cameras record to a local flash storage device — a microSD card, a USB drive, or eMMC — and contain no radio hardware whatsoever. They are powered (LiPo battery or mains), they run their CMOS sensor, they write frames to storage, but they transmit nothing. The attacker retrieves the storage media physically after the recording session. These are the cheapest and most concealable covert cameras on the market — a sub-$20 AliExpress “pinhole screw camera” is a typical example: 1080p sensor, wide-angle lens, loop-recording to microSD, motion-trigger, 4–6 hours of battery life in a housing the size of a drywall screw.
Wired cameras transmit video over a physical cable — coaxial (for analog composite video to a DVR), Cat5/Cat6 (for IP cameras over PoE Ethernet to an NVR), or proprietary cable. No wireless emission occurs at any point in the signal path. These appear in environments where the attacker has access to build the wiring infrastructure: an employer installing a covert camera in a break room, or a property owner who routed cable through walls before renting the space. The NVR or DVR is typically in a locked enclosure in a utility room or closet.
The structural implication: a defender who uses only RF methods and reports “clean” has not ruled out a non-emitting camera. This is not a limitation of any specific RF tool; it is a physical law. The three honest constraints established in Vol 1 §7 place this prominently: constraint #1 is that non-emitting cameras defeat every RF method. This volume is where the reader learns what does catch them.
4.2.2 The through-line: instruments point, humans confirm
Through-line, stated here and repeated at each method: No instrument finds a camera. It flags an anomaly — a glint, a thermal spot, a harmonic response, a correlated EM emanation — that a human then runs to ground by physical inspection. The instrument’s job is to reduce the search space. The human’s job is to convert an anomaly flag into a confirmed find or a confirmed false positive. Any sweep discipline that stops at the instrument result and does not physically investigate every flag has not completed the sweep.
This principle is especially important for non-emitting camera detection because every method in this volume generates false positives from ordinary household objects. A red-ring lens finder will return a glint from eyeglasses, a metal screw, a glass bottle, and a picture frame backing before it returns one from a camera lens. An NLJD will ring on every semiconductor junction in the room — including the occupant’s smartphone, laptop, and USB charger. A thermal camera will flag a warm lamp transformer, a power strip, and a cat before it flags a camera module. The instrument narrows the search; the human confirms the hit.
4.2.3 The power-state split: what it means for method selection
The table in §4 is organized around a three-state model of the camera’s operating condition:
- Powered + capturing: the camera is running, recording, and fully active. The image sensor is reading out frames; any IR LEDs are active; the main regulator is loaded; the processor is writing to storage or transmitting.
- Powered / standby: the camera is powered but idle — waiting for a motion trigger, in a low-power sleep state, or otherwise not actively recording. The main regulator may be lightly loaded; IR LEDs are off; the image sensor may be in low-power mode.
- Fully OFF: the camera is de-powered — the battery is disconnected or depleted, or the device has been switched off deliberately. No current flows; no active components operate. Only passive physical properties (lens, semiconductor junctions, ferrous materials, X-ray-opaque geometry) remain.
Only three methods in this volume work when the camera is fully off: optical lens retroreflection, NLJD, and X-ray/backscatter. This is the most important fact in the entire volume, because an attacker who knows a sweep is coming can simply power off the device. The methods that catch a powered-off camera are the highest-value tools in the professional TSCM toolkit.
4.3 The reader’s map
The table below maps the defender’s suspicion about the camera’s state to the method that best serves that state. Use this as a quick-reference before the full per-method sections.
Table 1 — 3. The reader's map
| Suspected camera state | First choice | Second choice | Definitive confirmation |
|---|---|---|---|
| Unknown / any | Optical lens retroreflection (§5) — works in all states | NLJD (§7) — works in all states if budget allows | Physical search / borescope (§11) |
| Powered and recording | Thermal triage (§9) — fast, broad coverage | IR-emitter spotting (§6) if night-vision likely | Optical retroreflection + physical confirm |
| Powered, standby | Optical retroreflection (§5) | NLJD (§7) | Physical confirm |
| Fully OFF | NLJD (§7) — the only active electronic method | Optical retroreflection (§5) — passive, always works | X-ray / backscatter (§10.3) |
| Wired to NVR, active | PoE/LAN scan (Vol 6 §5) | Optical retroreflection | Cable trace / borescope |
| Budget: $0 (phone only) | IR-emitter spotting via front camera (§6) | Glint from phone flashlight (no dedicated finder) | Physical inspect every suspected object |
| Budget: < $200 | SpyFinder Pro / SF-103P lens finder ~$148 (§5.2) | FLIR ONE for thermal triage ~$150–400 (§9.2) | Borescope ~$50 (§11) |
| Budget: no limit | NLJD: REI ORION 2.4 HX + 900 HX (§7.4) | Full thermal survey + HeatDeCam approach (§9) | X-ray / backscatter (§10.3) |
┌──────────────────────────────────────────────────────────────────────┐
│ METHOD DECISION TREE — by suspected power state │
└────────────────────────────────────┬─────────────────────────────────┘
│
What is the camera's suspected power state?
│
┌───────────────────────┼────────────────────────┐
│ │ │
▼ ▼ ▼
┌───────────────────┐ ┌───────────────────┐ ┌─────────────────────┐
│ POWERED + │ │ POWERED / │ │ FULLY OFF │
│ CAPTURING │ │ STANDBY │ │ (or unknown state) │
├───────────────────┤ ├───────────────────┤ ├─────────────────────┤
│ Thermal (§9) │ │ NLJD (§7) │ │ Optical refl. (§5) ●│
│ IR-emitter (§6) │ │ AC-mag. (§10.2) │ │ NLJD (§7) ●│
│ Optical (§5) │ │ Optical (§5) │ │ X-ray (§10.3) ●│
│ EMI / SDR (§8) │ └───────────────────┘ │ Borescope (§11) ●│
└───────────────────┘ └─────────────────────┘
● = power-state-independent: effective even when the camera is fully OFFCallout — powered-off cameras: Only three methods in this volume catch a camera that is fully powered off: optical lens retroreflection (§5), NLJD (§7), and X-ray/backscatter (§10.3). Every other method — IR-emitter spotting, EMI side-channel, thermal, acoustic — requires the camera to be powered. If an attacker powers off a device before a sweep, thermal and EMI methods are blind. Optics and NLJD are not.
4.4 The power-state capability matrix
This table is the organizing artifact for the entire volume. Reproduce it in your working notes; refer back to it when planning a sweep. The matrix rows are detection methods; the columns are the three camera power states; the final two columns give cost range and honest reliability.
Table 2 — 4. The power-state capability matrix
| Method | Powered + capturing | Powered / standby | Fully OFF | Cost range | Honest reliability |
|---|---|---|---|---|---|
| Optical lens retroreflection (SpyFinder Pro / SF-103P; LAPD ToF+DL research) | ✅ | ✅ | ✅ | $30–$400 consumer; LAPD = research only | Most universal: works in all states; power-state agnostic because the lens is a passive optical element. False-positive-heavy — every glint physically inspected. Spec-sourced detection range; bench verify. |
| IR-emitter spotting (850/940 nm LEDs via phone front camera) | ✅ (requires IR LEDs to be active) | — (LEDs usually off in standby) | ❌ | Free (phone front cam) | Reliable in darkness for IR-equipped cameras actively illuminating. Misses: cameras with no IR LEDs, cameras in standby (IR off), fully-off cameras. Simple and zero-cost for triage. |
| NLJD (REI ORION 2.4 HX / 900 HX) | ✅ | ✅ | ✅ | ~$10k–$20k (spec-sourced) | The powered-off method. Rings every semiconductor junction regardless of power state. 2nd/3rd-harmonic ratio + tap-test rejects most rusty-bolt false positives. High SNR indoors; specialist instrument; skilled-operator dependent. |
| Incidental EMI side-channel (CamRadar IMWUT’22; EM Eye NDSS’24) | ✅ | Clock emanation only (weak) | ❌ | SDR: $30 RTL-SDR to $2,000+ USRP B210 | Research-grade. ~93% in CamRadar’s controlled lab; SNR/clutter-limited in real rooms. Not turnkey — requires SDR expertise and post-processing. Both systems are proof-of-concept, not shipping products. |
| Thermal imaging (HeatDeCam CCS’22; FLIR ONE) | ✅ (device must be warmed up) | Marginal (low-power = less heat) | ❌ | $150–$400 FLIR ONE; $5,000–$15,000 pro | Fast triage for a broad area. Defeated by insulation, ambient heat, low-power sensors, nearby warm electronics. HeatDeCam: >95% in lab with ML; manual triage less reliable. Research-grade ML, not shipping product. |
| Acoustic (IR-cut filter click; coil whine) | ✅ (at light-level transitions) | Maybe | ❌ | Low / free | Niche corroboration only. Only catches cameras with electromechanical IR-cut filters at the moment of transition. Not a sweep method; a confirmation cue. |
| AC magnetometer (oscillator field; Lockhart class) | ✅ | ✅ (if oscillator running) | ❌ (no current = no AC field) | $1,000–$5,000 | Detects AC magnetic field from running oscillators and switching regulators. Corroborator at close range. False-positive-heavy in any occupied room. |
| DC magnetometer (ferrous components, permanent magnets) | ✅ | ✅ | Partial (ferrous only) | ~Free (phone compass) | Low standalone value. Corroborating cue only — most camera modules contain at least one ferrous component. Very short range (~5 cm). |
| X-ray / backscatter (Viken class) | ✅ | ✅ | ✅ | $20,000–$100,000+ (spec-sourced) | Definitive on enclosed objects, wall sections, luggage. Sees camera geometry through opaque barriers. Specialist operator + radiation safety overhead + licensing requirements in most jurisdictions. Professional TSCM only. |
| Borescope / physical search | ✅ | ✅ | ✅ | $50–$2,000 | The universal confirmation step. Reduces every anomaly to a confirmed find or a confirmed false positive. Not a triage tool — it is the conclusion of a sweep. |
4.4.1 Reading the matrix
Three columns carry the most weight in sweep planning:
The “Fully OFF” column. Only optical retroreflection, NLJD, X-ray, and borescope/physical have a ✅ here. If you are sweeping a room where an attacker might have anticipated the sweep and powered down the device, every other method gives you false assurance. In a professional TSCM engagement, this column dictates which instruments are non-negotiable.
The cost column. The most powerful fully-off methods — NLJD and X-ray — are also the most expensive by an order of magnitude. Optical retroreflection with a $148 SpyFinder Pro is the best cost-performance tool in the matrix: it is the only consumer-priced method that covers all three power states. For a traveler doing an Airbnb sweep, it is the single most valuable addition to the phone-based toolkit.
The honest reliability column. No cell in this matrix says “100%.” Every method has failure modes and false-positive profiles. The honest ceiling on any single method is well under 100%; the honest ceiling on a layered sweep that combines optics + thermal + NLJD is materially higher but still not absolute. A sweep that returns clean means “no anomaly was flagged,” not “no camera is present.”
4.4.2 Wired-camera addendum
The matrix above covers the non-emitting camera as an isolated device. Wired cameras add a distinct detection track that does not depend on the camera module’s own properties:
Table 3 — The matrix above covers the non-emitting camera as an isolated device. Wired cameras add a distinct detection track that does not depend on the camera module's own properties
| Wired-detection method | What it finds | Tool | Limit |
|---|---|---|---|
| Cable tracing (Fox & Hound) | Wiring concealed in walls, conduit, furniture | Triplett Fox & Hound 3399/3388 | Requires access to the cable end; cannot identify cable purpose without inspection |
| TDR (time-domain reflectometry) | Impedance discontinuities (splices, taps, connectors) in a cable run | Dedicated TDR; some cable analyzers | Locates a discontinuity along the cable length; does not identify the device at the end — points to a spot, human inspects |
| Find-the-recorder and back-trace | The DVR/NVR that the wired camera feeds | Physical inspection of utility areas | Requires access to the recorder location; recorders are often locked |
| PoE/LAN scan | IP cameras drawing PoE power over Cat5/6 | ONVIF probe, nmap port 554/8899/80, PoE wattage monitoring | Wired IP cameras are fully visible on the wire — RTSP/554, ONVIF/8899, DHCP client entry — even if they never use Wi-Fi |
| PLC powerline-video carrier | Analog video over mains wiring (Bortox/7inova class) | Conducted-signal detector (Lockhart, komcept ComSec) | Niche — only catches legacy powerline-carrier video installations |
Full coverage of the wired-camera detection track is in Vol 6 §5.
4.4.3 The honest ceiling
Callout — the honest ceiling of any sweep: The power-state matrix describes what each method can theoretically flag. The practical ceiling depends on operator skill, room geometry, ambient conditions, and the specific camera model. An expert TSCM sweep that combines optical retroreflection, NLJD, and physical borescope inspection of all flagged anomalies represents the best defensible technique currently available to a civilian sweeper. It is still not 100%. A professionally installed, well-insulated SD-only pinhole camera at long range, with a clean semiconductor count similar to that of surrounding wall hardware, can defeat a careful sweep. Stating this limitation is part of the professional standard.
4.5 Optical lens retroreflection
Optical lens retroreflection is the single most universally applicable detection method in this volume. It works regardless of whether the camera is powered on or off, whether it has any electronics at all, and whether it is the most expensive spy camera or the cheapest pinhole screw. The method exploits a physical property of every camera lens: it retroreflects light back toward the illumination source with high efficiency when illuminated coaxially.
[FIGURE SLOT — Vol 4, § 5] Close-up photo of a SpyFinder Pro SF-103P or equivalent lens retroreflection finder showing the red LED ring array surrounding the viewing aperture. Source: Photo Helper search “SpyFinder Pro lens finder LED ring” — or vendor product page at spyfinder.com. Caption when filled: “Figure 4.2 — The SpyFinder Pro SF-103P: a ring of red LEDs surrounding a small optical viewfinder. The user peers through the viewfinder while illuminating the scene with the LED ring; camera lenses return a distinctive glint visible through the eyepiece. Photo: courtesy of SpyFinder.”
4.5.1 Why every lens retroreflects: the optics
A camera lens is an optical system composed of multiple lens elements — typically two to eight glass or plastic elements in a compound arrangement, including at least one concave and one convex surface. When a light source is placed at or near the observer’s viewpoint (coaxial geometry), the lens system acts as a partial corner retroreflector:
COAXIAL ILLUMINATION AND RETROREFLECTION
Observer's eye
or viewing aperture
│
│ ◄── retroreflected glint
│
┌─────▼───────────────────────────────────┐
│ LED ring illumination ──────────────► │
└─────────────────────────────────────────┘
│
▼ (light travels toward the scene)
┌──────────────────────┐
│ CAMERA LENS SYSTEM │
│ │
│ Element 1 (convex) │
│ )( │
│ │
│ Element 2 (concave)│
│ () │
│ │
│ [... more elements]│
│ │
│ CMOS sensor plane │
│ ════ │
└──────────────────────┘
Each lens surface partially reflects.
The concave-convex element pair forms
a cat's-eye retroreflector cavity:
light entering the front returns
toward its source with high efficiency.
The CMOS sensor itself (a flat, nearly-
specular surface) also contributes a
direct retroreflective component.
Combined: a distinctive, intense glint
visible ONLY from the direction of the
illumination source — the coaxial geometry
requirement.The physics: each air-glass interface in the lens system reflects 4–8% of incident light (Fresnel reflection). In a multi-element lens, at least one interface will be oriented to return reflected light approximately back along the incident ray path. The concave rear elements of a lens system — combined with the flat specular surface of the CMOS sensor at the focal plane — create a cat’s-eye retroreflector effect. The light that enters the pinhole aperture undergoes partial reflection at each element and some fraction of it returns coaxially toward the source.
The retroreflection is not polarization-selective at first order, which is both a feature (works with any illumination) and a limitation (every glossy curved surface also retroreflects, generating false positives — see §5.5).
The retroreflective efficiency scales with the lens aperture: a fast lens (f/1.8) returns more light than a pinhole (f/22). Even the tiniest pinhole camera lens — a 1.6 mm F2.4 module — returns a detectable glint when illuminated with a bright LED ring at 2–5 m range. The glint is spectrally neutral (returns whatever wavelength was sent), which is why red-LED and IR-LED finders both work.^[The spectral neutrality is because glass transmission at 600–950 nm is uniformly high; anti-reflection coatings are optimized for visible wavelengths but still leave partial reflection at IR wavelengths used by 940 nm finder LEDs.]
4.5.2 Red and IR ring finders: SpyFinder Pro and SF-103P
The SpyFinder Pro (model SF-103P, ~$148 USD, web-verified) is the reference consumer lens retroreflection finder. Its operating principle is straightforward:
- A ring of high-brightness red LEDs (approximately 620–640 nm) surrounds a small optical viewfinder aperture, establishing the coaxial illumination geometry.
- The operator peers through the viewfinder while sweeping the LED ring slowly across walls, objects, furniture surfaces, and ceiling tiles.
- Camera lenses appear as a bright, persistent glint that tracks with the illumination angle — distinct from specular surface flashes that flash and disappear as the angle changes.
The distinguishing characteristic is persistence and directionality: a camera lens’s cat’s-eye retroreflection returns light over a range of illumination angles (the acceptance cone of the lens), creating a glint that persists as the operator moves. A non-lens specular reflection (metal screw, glossy plastic) flashes briefly at a single angle and vanishes.
Operating technique:
- Darken the room if possible; reduces ambient competition with the glint
- Sweep methodically: horizontal strips at eye level, then up (toward smoke detectors, ceiling tiles), then down (toward baseboards, outlets)
- Move slowly — the finder works best at walking pace or slower
- Operate at 1–5 m range; glints are detectable at up to ~8–10 m in a darkened room (spec-sourced; SpyFinder vendor data)
- Mark every glint and physically inspect the source
Some entry-level finders use a broader ring of white or red LEDs without a true coaxial viewfinder — these are less precise and generate more false positives. The coaxial geometry (LED ring centered around the observation point) is essential for the technique to work reliably.
Near-IR variants (such as finders using 850 nm or 940 nm LEDs) are often called “IR lens finders.” They work identically but are invisible to the human eye, requiring a phone camera or IR-sensitive viewer to observe the returned glint. These are less common in consumer products but appear in some professional TSCM kits.
4.5.3 LAPD: ToF plus deep learning, SenSys 2021
Research proof-of-concept — not a shipping product. The LAPD system described here was demonstrated in a controlled academic study. It is not available as a consumer or professional tool. Its results are specific to the tested hardware configuration and experimental conditions.
Citation (web-verified): Sami, Tan, Sun, Han — “LAPD: Hidden Spy Camera Detection using Smartphone Time-of-Flight Sensors” — ACM SenSys 2021 (19th ACM Conference on Embedded Networked Sensor Systems).^[Sami S, Tan SRX, Sun B, Han J. LAPD: Hidden Spy Camera Detection using Smartphone Time-of-Flight Sensors. Proc. ACM SenSys 2021. DOI: 10.1145/3485730.3485941. Verified against ACM DL and Semantic Scholar entries.]
What LAPD does. LAPD (Laser Assisted Photography Detection) uses the time-of-flight sensor on a commodity smartphone to detect hidden cameras. A Sony IMX516 iToF depth sensor — present in the Samsung Galaxy S20+, S20 Ultra 5G, and Note 10+ — emits an IR laser pulse and measures the phase delay of the return signal to compute a depth map. LAPD uses this depth sensor (not the RGB camera) in a novel mode: it emits the ToF laser coaxially toward the scene and applies computer vision + a deep learning classifier to identify the retroreflective signature of a camera lens in the returned ToF data.
Performance (web-verified): In a real-world evaluation with 379 participants and diverse hiding locations:
- Detection rate: 88.9% (vs. 46.0% for unaided human visual inspection)
- False positive rate: 16.7% (the lowest among tested methods in the study)
- The detection was performed at close range — the system works best at 0.5–2 m from the target (spec-sourced from paper context)
Why it is not productized: The LAPD approach depends on a specific Sony iToF hardware configuration present in a small number of Samsung models (those using the Sony IMX516 sensor). The ToF illumination must be used in a detection-specific mode that is not available through standard camera APIs on most phones. The false positive rate at 16.7% means approximately 1 in 6 scans flags a non-camera object, requiring physical inspection of every flag. At commercial-product thresholds this is too high without further engineering.
Significance. LAPD is important because it demonstrates that the retroreflective approach — previously limited to dedicated finder hardware — can be implemented on a commodity smartphone sensor with trained ML. It validates the physical approach and defines a performance ceiling for ToF-based lens detection. Future work cited in the paper suggests that polarization discrimination (§5.4) could reduce the FP rate further.
4.5.4 Spectral-ratio and polarization discrimination
False positives from optical retroreflection finders arise because many non-lens surfaces also retroreflect: metal screws, eyeglass lenses, glass bottles, reflective tape, and jewelry. Two techniques improve selectivity by exploiting optical properties that distinguish camera lenses from generic reflectors.
Spectral-ratio discrimination exploits the anti-reflection coatings on modern camera lenses. A camera lens with a multi-layer anti-reflection coating (MgF₂, ZrO₂/SiO₂ stacks) has a wavelength-dependent reflectance — it reflects less at the design wavelength and more at other wavelengths. By comparing the retroreflected intensity at two different wavelengths (e.g., 630 nm red vs. 850 nm near-IR), an algorithm can distinguish a lens with a camera-specific AR coating from a plain glass surface or a metallic reflector. The ratio is a spectral fingerprint of the optical design.^[US Patent 8,228,591 (web-verified: handheld optics detection system using retroreflection, coaxial near-IR and visible laser illumination via rhomboid prisms, monostatic detection geometry). Assigned to a TSCM-adjacent inventor/assignee; describes the dual-wavelength discrimination architecture referenced in this section.]
Patents in the optical detection space (citations from design spec):
- US 8,228,591 — handheld optics detection system; dual-wavelength retroreflection (web-verified against Google Patents)
- US 7,858,920 — optical detection method (spec-sourced; not independently web-verified during this authoring pass; verify before citing externally)
- US 9,939,233 — related detection apparatus (spec-sourced; not independently web-verified)
- US 5,793,034 — earlier optical detection approach (spec-sourced; not independently web-verified)
Polarization discrimination exploits the fact that camera lenses rotate the polarization state of reflected light differently from metallic and Lambertian surfaces. Polarization-selective imaging combined with scene retroreflection has been demonstrated in a Nature Communications 2023 paper on a polarization 3D sensor architecture.^[Nature Comms 2023 polarization 3D sensor, cited in design spec §6; specific DOI spec-sourced, not independently web-verified during this authoring pass — cite with caution until verified.] The principle: illuminate with circularly polarized light; a perfect specular reflector returns the opposite circular polarization; a rough surface depolarizes; a camera lens with its multiple transmitting/reflecting interfaces returns a characteristic polarization signature. This is laboratory-demonstrated but not yet implemented in consumer finders.
4.5.5 False-positive profile and operational discipline
Table 4 — 5.5 False-positive profile and operational discipline
| False-positive source | Why it glints | Distinguishing feature |
|---|---|---|
| Eyeglass lens | Multi-element optics; often AR-coated | Typically large; operator can move the lens out of the field of view |
| Metal screw or bolt | Specular metallic surface | Flash is angle-sensitive (brief, not persistent); no cat’s-eye depth |
| Glass bottle or jar | Curved glass surface; partial retroreflection | Large; identifiable by context; glint is diffuse, not sharp |
| Reflective tape | Retroreflective microspheres | Wide angle response; flat, not directional |
| Jewelry (ring, earring, watch crystal) | Small curved specular surfaces | On a person; easily identified |
| Plastic dome (smoke-detector cover, security camera visible dome) | Wide-aperture convex dome | Large; if legitimate security camera, confirm purpose |
| TV screen (off) | Flat specular surface with slight curvature | Large; identifiable |
| Mirror | High-efficiency specular surface | Very strong return; flat; identifiable by size |
Warning — false-positive discipline: Every glint returned by the lens finder gets physically inspected. The false-positive rate in a furnished room is high — typically 5–20 objects return glints before a camera is found (or not found). The temptation to stop inspecting after the first few false positives is the primary operational failure mode. Establish a grid sweep pattern, log every glint, and clear each one physically before declaring the sweep complete in a given area.
4.6 IR-emitter spotting
IR-emitter spotting is a secondary detection method that requires zero dedicated hardware beyond a smartphone. It works by exploiting a fundamental difference between the phone’s front (selfie) camera and its main rear camera: many front cameras lack the IR-cut filter that blocks near-infrared radiation, making them sensitive to the 850 nm and 940 nm wavelengths emitted by night-vision camera LEDs.
4.6.1 850 nm and 940 nm night-vision LEDs
Covert cameras intended for 24-hour operation use near-infrared LED arrays to illuminate the scene when ambient light is insufficient for the CMOS sensor. Two wavelengths dominate:
Table 5 — Covert cameras intended for 24-hour operation use near-infrared LED arrays to illuminate the scene when ambient light is insufficient for the CMOS sensor. Two wavelengths dominate
| Wavelength | Visibility to human eye | Common application | Camera model examples |
|---|---|---|---|
| 850 nm | Faint red glow visible at high intensity | Most cheap spy cameras; indoor use | Majority of $20–$100 AliExpress-class spy cameras |
| 940 nm | Completely invisible to human eye | ”Covert” or “black LED” cameras marketed as undetectable | Higher-end spy cameras; wildlife cameras |
| 730–780 nm | Visible as dim red | Some older designs | Rare in modern spy cameras |
At 850 nm, the emission is faintly visible to dark-adapted human eyes as a very dim red glow at close range (< 0.5 m). At 940 nm, the emission is completely invisible to humans in all conditions. Both wavelengths are, however, well within the detection range of silicon CMOS sensors (which are sensitive from ~300 nm to ~1100 nm) — the IR-cut filter in the optical path is the only component blocking them.
IR LED array configurations in spy cameras. A typical sub-$50 hidden camera uses 4–16 IR LEDs arranged in a ring around the main lens aperture. In a smoke detector form factor, the LEDs may be distributed around the inner housing circumference. In a screw form factor, a single high-power 850 nm LED may be used. Current draw during IR illumination is typically 50–500 mA at 3.7 V, which makes powered-IR cameras detectable by thermal imaging at the LED array location as well as by direct IR imaging.
4.6.2 The phone camera’s IR sensitivity advantage
The mechanism is straightforward: a CMOS image sensor converts photons at all wavelengths it is sensitive to into electron charges, producing a signal that is read out as image data. Without an IR-cut filter in the optical path, the sensor responds to 850 nm and 940 nm light as if they were visible. With an IR-cut filter, that response is blocked.
Why front cameras often lack the IR-cut filter. The front camera in most smartphones is optimized for selfie/video-call use, where image quality requirements are lower than the main camera. IR-cut filters add cost and thickness. Many front cameras — especially lower-cost models — omit the IR-cut filter entirely, or use a thin-film filter that has incomplete blocking at 850 nm. The front-facing face-unlock / depth camera in some phones uses active IR illumination (800–940 nm), which requires that the associated sensor be IR-sensitive; this sensor is often physically adjacent to the selfie camera and may share optical paths.
Simple verification test (do this once before relying on the technique):
- Find a TV remote control (uses 940 nm IR LED for signaling)
- Point the remote at the phone’s rear main camera while pressing a button — the main camera will show nothing (IR-cut filter blocks 940 nm)
- Point the remote at the front camera while pressing a button — if the front camera is IR-sensitive, you will see a purple/white glow from the LED
If step 3 shows a glow, the front camera is usable for IR-emitter spotting. If it shows nothing, the front camera also has an adequate IR-cut filter; use a dedicated near-IR viewer or a different phone model.
Note on night/pro mode. Some phones (notably Google Pixel models in Night Sight mode and certain Samsung models in Pro mode) actively process out IR contamination in the main camera pipeline even if the sensor itself has some residual IR response. Conversely, some phone cameras marketed as having IR detection sensitivity specifically for the security use case may have the IR-cut filter removed — these are fringe models but worth knowing about.
4.6.3 Operational steps and limits
Operational steps:
- Perform the remote-control test above to confirm the front camera is IR-sensitive on the specific phone being used.
- Darken the room — turn off lights, close curtains. The technique works poorly in bright ambient light because the visible-light component of the scene image masks the relatively weak 850/940 nm emission from the camera’s LEDs.
- Open the front camera in video mode. Disable flash; disable night mode (which may apply ISP correction that masks IR).
- Sweep slowly across every plausible hiding spot. IR illumination from a spy camera appears as a bright white, purple-tinted, or reddish glow — unmistakably bright relative to the dark room scene.
- Every glow gets physically inspected.
Limits and failure modes:
Table 6 — Limits and failure modes:
| Failure mode | Cause | Effect |
|---|---|---|
| No-IR cameras | Many SD-only spy cameras omit IR LEDs entirely to reduce power consumption and size | Method is blind to these cameras even when powered |
| Powered-off cameras | IR LEDs require power | No emission to detect |
| Standby / motion-triggered IR off | Camera conserves power between triggers | IR LEDs inactive until triggered; may miss on a static scene |
| 940 nm front camera equipped with IR-cut | Phone model has adequate filter | Technique fails; use dedicated IR viewer |
| Bright ambient light | Ambient visible-light overpowers the IR emission on the sensor** | Reduce ambient light; technique works best in near-darkness |
| Long range | IR LED brightness falls off as 1/r² | Effective range is typically ≤ 5 m; shorter for lower-power LED arrays |
Bottom line. IR-emitter spotting costs nothing and requires no dedicated hardware. It is a valid first-pass triage for IR-equipped cameras in darkness. It does not replace optical retroreflection (which works on powered-off cameras) and misses all cameras without IR illumination.
4.7 NLJD
Non-linear junction detection is the most technically distinctive method in this volume. It is the only electronic detection instrument that works on a completely powered-off device, and it is the gold standard for professional TSCM sweeps that must account for the possibility that a target device was powered down before the sweep commenced.
Callout — NLJD is the powered-off method: Every other active detection technique in this volume (thermal, IR-emitter, EMI side-channel) requires the target camera to be powered. NLJD does not. It detects any semiconductor junction — diode, transistor, IC — by its non-linear response to RF excitation, regardless of whether that junction is powered. A camera that was switched off ten minutes before the sweep is as visible to an NLJD as one that is actively recording.
4.7.1 Non-linear junction physics
Every semiconductor junction — a p-n diode, a bipolar transistor junction, a MOSFET body diode, a Schottky barrier, the protection diodes in any CMOS gate input — is a non-linear device. Its current-voltage relationship is not ohmic (I = V/R) but exponential (I ≈ Iₛ · e^(V/nVₜ) for a forward-biased diode). This non-linearity means that when an alternating RF signal at frequency f₀ is applied across the junction, the junction’s response contains not only the fundamental frequency f₀ but also harmonic frequencies at 2f₀, 3f₀, 4f₀, and higher multiples. The harmonics are generated by the mixing of the signal with itself in the non-linear I-V curve.
NLJD SIGNAL GENERATION — SEMICONDUCTOR JUNCTION
NLJD transmitter Target camera (powered OFF)
TX antenna ┌──────────────────────────┐
│ │ │
│ TX: f₀ (e.g., 2.4 GHz) │ Circuit board with: │
│ ──────────────────────► │ • CMOS image sensor │
│ │ • Voltage regulators │
│ │ • Flash storage ICs │
│ │ • Any PCB component │
│ │ │
│ │ Each semiconductor │
│ │ junction acts as: │
│ │ │
│ │ V_junction (t) = non- │
│ │ linear function of │
│ │ applied f₀ │
│ │ │
│ │ ┌─────────────────────┐ │
│ │ │ I = Iₛ·e^(V/nVₜ) │ │
│ │ │ Taylor expansion: │ │
│ │ │ a₁·V + │ │
│ │ │ a₂·V² + → 2f₀ │ │
│ │ │ a₃·V³ + → 3f₀ │ │
│ │ └─────────────────────┘ │
│ └─────────────────────┬────┘
│ │
│ RX at 2f₀: "second harmonic" ◄───────────────┘
│ RX at 3f₀: "third harmonic" ◄───────────────┘
NLJD receiver
(tuned to 2f₀ and 3f₀,
isolated from f₀ return)The key advantage: the NLJD transmits at f₀ and receives at 2f₀ and 3f₀, which are completely different frequencies. The direct-path leakage of f₀ from the transmit to receive antenna is rejected by the frequency difference alone. The receiver must be isolated from the transmit frequency only at the transmit power level — the harmonic returns are much weaker but unambiguous because they can only come from a non-linear junction in the scene, not from the transmitter itself or from linear reflectors in the environment (walls, metal objects).
Sensitivity and range. The harmonic response from a semiconductor junction is weak — typically 40–80 dB below the incident field strength at the junction. The NLJD compensates with high transmit power (typically 1–5 W ERP) and a sensitive, low-noise receive channel. Effective range is typically 0.1–1.0 m for a well-shielded device; penetration through thin walls, drywall, carpet, and furniture wood occurs with degraded but detectable response. (All range claims are spec-sourced from vendor/TSCM training materials; bench-verify against specific targets.)
4.7.2 Second and third harmonic ratio and tap-test discrimination
The 2nd/3rd harmonic ratio is the primary discriminant between a real semiconductor junction and two classes of false-positive sources. Understanding the ratio requires understanding what each source generates:
Real semiconductor junction: The Taylor expansion of the exponential I-V curve contains both even-order terms (→ 2nd harmonic, 4th harmonic) and odd-order terms (→ 3rd harmonic, 5th harmonic). A silicon diode or transistor junction generates both 2nd and 3rd harmonics in predictable proportions governed by the junction ideality factor n and the quiescent point. In practice, well-characterized semiconductor junctions show a 2nd/3rd harmonic ratio in the range of approximately 6–12 dB under typical NLJD excitation conditions (spec-sourced from TSCM training literature; specific ratios are target-dependent).
Oxidized metal junction: A corroded metal-to-metal contact — a rusted bolt, a loose fitting, an oxidized crimp — can also generate harmonics by a different mechanism called passive intermodulation (PIM), also known as the “rusty-bolt effect.” The mechanism: the thin oxide layer between two metal surfaces is a semiconductor-like junction (a metal-insulator-metal or metal-semiconductor-metal contact). Under RF excitation, this junction generates harmonics. However, the harmonic generation from an oxidized metal contact is:
- Mechanically sensitive: physically tapping the object modulates the contact impedance of the oxide layer, causing the harmonic signal to flutter or vanish as the contact geometry changes
- Ratio-biased: generates stronger 2nd harmonic relative to 3rd harmonic than a real semiconductor junction, because the oxide layer I-V characteristic is shallower (less pronounced non-linearity)
The discrimination protocol:
- Ratio check: compare the 2nd to 3rd harmonic amplitude. If the 3rd harmonic is very weak or absent, suspect a metallic oxide junction rather than a semiconductor.
- Tap test: physically tap the object (with a probe or through the material if it is in a wall). A real semiconductor junction is mechanically stable — tapping does not change its harmonic response. An oxidized metal contact’s harmonic signal will modulate, flutter, or drop when tapped, because the mechanical disturbance changes the contact impedance.
- Combined verdict: only a response that shows both (a) appropriate 2nd/3rd harmonic ratio and (b) mechanical stability should be flagged as a probable semiconductor junction.
This two-step protocol does not eliminate false positives but substantially reduces them. In a real room with metal furniture, screws, pipes, and building wire, unqualified harmonic responses are numerous; the ratio + tap test reduces the actionable list to a manageable set for physical inspection.
4.7.3 The rusty-bolt and PIM false-positive
The rusty-bolt effect is the primary false-positive challenge for NLJD operators. In any furnished room, the following sources generate PIM/rusty-bolt responses:
- Metal framing screws, drywall anchors, conduit fittings, pipe brackets
- Corroded electrical contacts (outlet boxes, junction boxes, older wiring)
- Metal furniture with loose or oxidized joints (file cabinets, shelving brackets)
- HVAC ductwork with poorly-fitted joints and oxidized sheetmetal-to-sheetmetal contacts
- Metal window frames, door hinges, curtain rod fittings
- Older building construction with dissimilar metals in contact (galvanic + oxidation)
The density of PIM sources in a typical furnished room is high. An expert NLJD operator in a new sweep environment should expect 20–50 or more harmonic responses before finding a target, almost all of which will be resolved by the tap test and ratio check. The NLJD sweep is inherently a skilled-operator technique; a novice operator will either over-flag (excessive PIM responses) or under-flag (dismissing real responses as PIM without the ratio test).
Warning — NLJD requires a trained operator: The distinction between a semiconductor junction and a PIM source is not binary; it is a judgment call based on the combination of harmonic ratio, tap-test response, and physical context. An untrained operator using an NLJD can arrive at either too many false positives (declaring every metal screw a suspect) or too many false negatives (dismissing a real response as PIM because the tap test was applied incorrectly). This is why professional TSCM certification programs include extensive NLJD training with known-good and known-false targets.
4.7.4 REI ORION 2.4 HX and 900 HX
Research Electronics International (REI) of Cookeville, Tennessee, is the dominant manufacturer of professional-grade NLJDs for the TSCM market. The ORION line is the industry reference instrument.
Table 7 — 7.4 REI ORION 2.4 HX and 900 HX
| Model | TX frequency | Penetration characteristic | Best-case target type | Notes |
|---|---|---|---|---|
| ORION 2.4 HX | 2.4 GHz | Shorter wavelength; better resolution for small, surface-mounted components; less penetration of dense materials | Modern SMT circuitry (CMOS sensors, BGA packages, fine-pitch transistors) | Better choice for detecting modern sub-$100 spy cameras with dense SMT boards |
| ORION 900 HX | 900 MHz | Longer wavelength; penetrates denser materials (concrete, brick, tile, thick wood); lower spatial resolution | Older through-hole or DIP-package circuitry; targets behind dense building materials | Better choice for sweeping walls, floors, ceiling through dense construction materials |
| ORION HX Deluxe | Interchangeable 2.4 GHz + 900 MHz antennas | Best of both | Any target | Single instrument body with two antenna sets; the most capable single instrument |
Price: ~$15,000 USD (spec-sourced from TSCM vendor price ranges; REI does not publish retail pricing on its website; actual pricing requires contact with an authorized REI dealer). Professional TSCM organizations typically own both the 2.4 HX and 900 HX for sweep coverage across both regimes.
Operating frequency note. The ORION 2.4 HX transmits at 2.4 GHz and receives the second harmonic at 4.8 GHz and the third at 7.2 GHz. The receiver must be extremely isolated from the 2.4 GHz transmit signal, especially in an environment saturated with Wi-Fi and Bluetooth (also at 2.4 GHz). REI solves this with a highly directional antenna design and isolation architecture in the instrument. The 900 HX has fewer environmental interference problems because 900 MHz is less congested in most environments (though DECT phones and some ISM-band devices operate there).
[FIGURE SLOT — Vol 4, § 7.4] Photo of a REI ORION NLJD in use — operator holding the telescoping probe wand and scanning a wall panel or piece of furniture. Source: Photo Helper search “REI ORION NLJD non-linear junction detector sweep” — or vendor product page at reiusa.net. Caption when filled: “Figure 4.3 — A REI ORION non-linear junction detector (NLJD) in use during a professional sweep. The operator scans the telescoping probe across surfaces; the instrument alerts on harmonic responses indicating semiconductor junctions. Photo: courtesy of REI (Research Electronics International).“
4.7.5 NLJD as the powered-OFF method
The single most important characteristic of NLJD, worth stating explicitly:
A semiconductor junction is a physical property of the device, not a property of its operating state. A diode junction is a diode junction whether current is flowing through it or not. An NLJD excites the junction with an external RF field and detects the resulting harmonic emission without any cooperation from the target device’s power supply, firmware, or operating system.
This means: a camera that was switched off one minute before the sweep commenced generates the same NLJD response as one that is actively recording. The attacker cannot defeat NLJD by powering down the device. The only way to defeat NLJD is to either (a) use a camera with no semiconductors (physically impossible for any modern camera), (b) shield the device with a Faraday-cage enclosure thick enough to attenuate both the incident field and the harmonic return (uncommon in concealable spy cameras), or (c) hide the device in a location where the NLJD probe cannot be positioned within effective range (behind thick concrete, inside a thick steel safe, etc.).
The practical implication for sweep planning: in any engagement where the adversary is sophisticated enough to power down devices before a sweep, NLJD is not optional — it is the only active electronic method that can still detect the device. Optical retroreflection is also powered-off-capable, but NLJD has better spatial coverage (no line-of-sight requirement — it penetrates through walls and furniture) and does not require a physical lens aperture to be exposed.
4.8 Incidental EMI side-channel
Two research groups have demonstrated that powered cameras inadvertently emit information about their own operation — and about what they see — through incidental electromagnetic radiation from their internal circuitry. Neither method is turnkey; both are proof-of-concept systems requiring SDR hardware and signal-processing expertise. They are documented here because they demonstrate physics that a well-equipped investigator could replicate, and because they represent the frontier of what is possible beyond optical and NLJD methods.
Research not product — both methods in this section: CamRadar (§8.2) and EM Eye (§8.3) are academic proof-of-concept systems. Neither is available as a commercial detection product. Performance figures are from controlled laboratory experiments and may not replicate in the ambient-noise environment of a real sweep. They are labeled explicitly as research at every reference point.
4.8.1 How the camera clock carries scene information
Understanding why a non-transmitting camera leaks information through its EM emanations requires a brief walk through the camera’s internal digital architecture.
CamRadar SIGNAL CHAIN: scene → clock emanation → SDR receiver
Scene in camera's field of view
│
│ (photons)
▼
┌─────────────────┐
│ CMOS image │ The pixel values output by the sensor
│ sensor array │ are digital numbers proportional to
│ (rolling │ scene intensity at each pixel location.
│ shutter │
│ readout) │ A high-contrast, high-motion scene
└────────┬────────┘ generates large pixel values → higher
│ average current drawn by the ISP.
│ pixel data A dark, static scene generates small
▼ pixel values → lower current.
┌─────────────────┐
│ ISP (image │ Current drawn by digital logic is
│ signal │ not constant — it tracks data-dependent
│ processor) │ switching activity at the clock rate.
└────────┬────────┘
│
│ ← shares power supply with:
▼
┌─────────────────────────────────────────────────────────┐
│ CLOCK OSCILLATOR (crystal or PLL, 10–200 MHz typical) │
│ │
│ The oscillator's supply rail is modulated by the │
│ current spikes from the ISP's clocked logic. │
│ │
│ Supply modulation → AM modulation of the oscillator's │
│ EM emission (the clock radiates from PCB traces and │
│ unshielded IC leads). │
└────────┬────────────────────────────────────────────────┘
│
│ EM leakage from clock oscillator
│ (at f_clk and its harmonics)
│ amplitude-modulated by the scene content
▼
┌─────────────────┐
│ SDR receiver │ Detects the modulated clock carrier
│ (RTL-SDR or │ and demodulates the AM envelope —
│ USRP B210) │ which tracks scene changes.
│ │
│ Software │ Correlation of AM envelope with a
│ post-process │ known stimulus (flicker pattern,
│ │ induced motion) confirms camera
└─────────────────┘ presence and approximate location.The key insight from CamRadar: the amplitude modulation of the clock emanation is driven by the scene content because the image sensor’s pixel data modulates the current demand of the image processing chain, which in turn modulates the supply voltage of the clock oscillator through the shared power rail. Brighter or more complex scenes → more ISP switching activity → more supply voltage ripple → more AM depth on the clock emission.
4.8.2 CamRadar: amplitude-modulated emanation detection, IMWUT 2022
Research proof-of-concept — not a shipping product. CamRadar was demonstrated in a controlled academic environment using custom SDR hardware positioned within approximately 1 m of the target. It is not available as a consumer or professional detection tool.
Citation (web-verified): Liu, Lin, Wang, Shen, Ba, Lu, Xu, Ren — “CamRadar: Hidden Camera Detection Leveraging Amplitude-modulated Sensor Images Embedded in Electromagnetic Emanations” — ACM Proceedings on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT), Vol. 6, No. 4, 2022. DOI: 10.1145/3569505.^[Verified against ACM DL entry, dblp record, and ResearchGate entry for DOI 10.1145/3569505. Full author list: Ziwei Liu, Feng Lin, Chao Wang, Yijie Shen, Zhongjie Ba, Li Lu, Wenyao Xu, Kui Ren.]
Performance (web-verified): In real-world experiments with 19 hidden cameras across diverse hiding locations:
- Detection rate: 93.23%
- False positive rate: 3.95%
- Average detection time: 16.75 seconds per sweep location
Methodology. CamRadar works in two steps. First, an SDR scans for candidate EM emanations in the environment — looking for carriers at typical clock frequencies (10–200 MHz and harmonics). Second, it induces a known scene change (a flicker stimulus — a screen, a flashing LED) in front of the suspected location, and tests whether any candidate carrier’s AM envelope correlates with the stimulus pattern. A positive correlation (carrier AM tracks the stimulus) indicates that the carrier is being generated by a camera whose image sensor is responding to the stimulus.
Why the FP rate is low relative to other methods. The correlation test is a fairly strong discriminant: it requires that (a) a carrier exist at the expected frequency, and (b) its amplitude tracks a known pattern. Random EM noise or other electronics in the room do not produce a stimulus-correlated signal. The 3.95% FP rate reflects cases where other electronics (certain laptops, some wireless chargers) happen to produce stimulus-correlated emanations.
Why it is not productized. The technique requires:
- An SDR capable of coherent reception at the camera’s unknown clock frequency (which must be found by scanning)
- A known stimulus source (a flicker pattern in the camera’s field of view — requires operator knowledge of where the camera might be pointing)
- Post-processing software to compute the correlation
- Close proximity to the target (~1 m in the published results)
The ~1 m range, the requirement for a stimulus aligned with the camera’s field of view, and the need for SDR + software expertise are all barriers to productization without further engineering.
4.8.3 EM Eye: video reconstruction from EM leakage, NDSS 2024
Research proof-of-concept — not a shipping product. EM Eye was demonstrated at the NDSS 2024 symposium as a security research result. The system reconstructs video from a camera’s EM leakage — an eavesdropping capability — but can also serve as a detection technique. It is not commercially available.
Citation (web-verified): Long, Jiang, Yan, Alam, Ji, Xu, Fu — “EM Eye: Characterizing Electromagnetic Side-channel Eavesdropping on Embedded Cameras” — NDSS Symposium 2024.^[Verified against NDSS 2024 program listing and YouTube presentation recording “NDSS 2024 - EM Eye: Characterizing Electromagnetic Side-channel Eavesdropping on Embedded Cameras.” GitHub: longyan97/EMEye_Tutorial (open-source code release).]
What EM Eye does. EM Eye reconstructs the video stream that a camera is capturing, from the EM leakage of the camera’s internal image data bus (such as a MIPI CSI-2 interface connecting the image sensor to the ISP). The mechanism is TEMPEST-class: the high-speed digital data lines carrying pixel data between camera components radiate EM energy that contains the pixel values, and an SDR receiver can recover those values and reconstruct frames.
This is a different mechanism from CamRadar: CamRadar detects the AM-modulated clock carrier, while EM Eye recovers the actual image data from the MIPI/CSI bus radiation.
Performance (web-verified and spec-sourced):
- 12 cameras tested (4 smartphones, 6 smart home cameras, 2 dash cams)
- 8 of 12 cameras leaked sufficiently for image reconstruction
- Maximum demonstrated range: ~500 cm (~5 m) for Xiaomi Dafang; ~350 cm (~3.5 m) for Wyze Cam Pan 2 (from GitHub tutorial and rtl-sdr.com coverage of the paper)
- Minimum effective range: not clearly established in available public sources; the spec states ~30 cm as a lower bound, which is plausible for lower-gain configurations but is marked spec-sourced pending independent verification
- Hardware: USRP B210 primary (~$2,000); RTL-SDR also demonstrated via TempestSDR_EMEye (open-source)
As a detection technique. EM Eye was designed as an eavesdropping attack, but its detection implication is direct: if the SDR can reconstruct frames from a camera’s EM leakage, it can certainly detect the camera’s presence (you don’t need to see the reconstructed image to know a camera is present — any coherent signal with the right timing structure is an indicator). However, the same range, proximity, and expertise constraints apply.
Open-source implementation. The team released code at GitHub: longyan97/EMEye_Tutorial, based on a modified version of TempestSDR renamed TempestSDR_EMEye. The code may work with HackRF One and RTL-SDR in addition to the USRP B210, with degraded SNR. This is the closest thing to a reproducible DIY implementation of any of the research methods in this volume.
4.8.4 Hardware and range realities
Table 8 — 8.4 Hardware and range realities
| Hardware | Cost | SNR vs USRP B210 | Notes |
|---|---|---|---|
| USRP B210 | ~$2,000 | Reference (0 dB baseline) | Wide tuning range (70 MHz–6 GHz); 16-bit ADC; used in both CamRadar and EM Eye publications |
| RTL-SDR V3 / V4 | ~$30–$50 | ~20–30 dB worse (8-bit ADC, higher noise floor) | May work at very close range (< 0.5 m) on cameras with strong leakage; spec-sourced |
| HackRF One | ~$340 | ~10–15 dB worse than USRP (8-bit ADC) | Better than RTL-SDR; useful for initial scans; confirmed in EM Eye GitHub |
| Airspy HF+ Discovery | ~$170 | ~5–10 dB worse than USRP (at HF) | Good noise figure at HF; not practical above ~30 MHz for this application |
The range figures in the published papers (~1 m for CamRadar; up to ~5 m for EM Eye with USRP B210) scale with receiver sensitivity. An RTL-SDR at 25 cm may approximate the USRP’s 1 m performance for CamRadar — but this is speculative until bench-verified. The EM Eye GitHub tutorials suggest RTL-SDR is usable but do not quantify the range penalty.
4.8.5 Practical limits and SNR constraints
In a real Airbnb, hotel room, or office, the ambient EM environment is far more complex than the laboratory conditions of either paper. The following factors degrade performance:
- Multipath: reflections from metal furniture, structural steel, and conductive surfaces create an EM clutter field that can mask the weak harmonic or modulated signal from the target camera
- Co-channel interference: other electronics in the room (laptops, chargers, LED drivers, power supplies) emit at similar clock frequencies and can mask the camera’s emission
- Proximity constraint: both methods require the receiver to be within roughly 1 m (CamRadar) or 5 m (EM Eye for strong leakers) of the target; in a furnished room, achieving this proximity without already suspecting the target’s location requires a grid sweep
- Camera-model variation: some cameras use well-shielded PCB designs (metal shields over the ISP, clock crystal, and MIPI bus) that substantially reduce EM leakage; these will not be detectable by either method
- Required expertise: neither method is plug-and-play; both require SDR expertise, knowledge of clock frequencies (which vary by camera model), and post-processing software
Summary: incidental EMI side-channel methods are valuable research results that demonstrate new physics. In a real sweep by a non-expert, they are not yet practical. They are documented here because they represent a maturing technology that may eventually be productized, and because a well-equipped investigator with SDR skills could replicate them in favorable conditions.
4.9 Thermal
Thermal imaging detects powered cameras by the heat dissipated by their electronics. Every powered electronic device generates heat proportional to its power consumption. A CMOS image sensor, its voltage regulator, and any IR LEDs generate enough localized heat to be detectable by a thermal camera against the cooler background of a wall, picture frame, or clock housing — in favorable conditions.
4.9.1 HeatDeCam: thermal classification, CCS 2022
Research proof-of-concept — not a shipping product. HeatDeCam was demonstrated at ACM CCS 2022. The system uses machine learning applied to thermal images, trained on a specific set of cameras in controlled conditions. It is not available as a commercial detection product.
Citation (web-verified): Yu, Li, Chang, Fong, Liu, Zhang — “HeatDeCam: Detecting Hidden Spy Cameras via Thermal Emissions” — ACM SIGSAC Conference on Computer and Communications Security (CCS 2022), Los Angeles, November 2022. DOI: 10.1145/3548606.3560669.^[Verified against ACM DL entry, the project GitHub (WUSTL-CSPL/HeatDeCam), and the project website (heatdecam.github.io). First author: Zhiyuan Yu, Washington University in St. Louis / University of Tennessee, Knoxville.]
Performance (web-verified): HeatDeCam achieved >95% detection accuracy on the authors’ dataset of:
- 22,506 thermal and visual images
- 11 spy camera models
- 6 rooms across varied environmental conditions
- Using a compact neural network deployed on a smartphone (not a cloud model)
What the ML classifier does. The core innovation of HeatDeCam is not the thermal imaging itself (FLIR ONE has been available for years) but the ML classifier trained to recognize the specific heat dissipation pattern of spy camera electronics. A spy camera’s PCB has a distinctive thermal profile: the image sensor chip is the hottest component, the voltage regulator is next, and the IR LEDs form a ring of warm spots. This pattern is geometrically different from ordinary warm objects (a lamp transformer is a uniform warm blob; a smartphone is a large warm rectangle; a spy camera is a small object with a specific hot-spot geometry).
Why it is not productized. The classifier was trained on a specific set of 11 camera models in controlled conditions. A new camera model with a different PCB layout or a better-insulated housing may not be detected by the same classifier without retraining. The dataset is publicly available (GitHub), which means a motivated researcher can retrain on additional cameras, but this requires a thermal camera, the camera models in question, and ML expertise. Additionally, the 22,506-image training set is substantial but covers a narrow sample of the full spy-camera market.
Public dataset. The HeatDeCam dataset is available on GitHub (WUSTL-CSPL/HeatDeCam), making it the only open dataset of thermal images of spy cameras in disguised objects. This is a useful resource for anyone developing or improving thermal-based detection.
4.9.2 The FLIR ONE triage technique
Without the HeatDeCam classifier, a FLIR ONE (or FLIR ONE Pro, or Seek Thermal, or any handheld thermal camera in the $150–$400 range) is still useful for triage — identifying objects that are anomalously warm relative to their surroundings.
[FIGURE SLOT — Vol 4, § 9.2] Thermal image showing a powered spy camera concealed inside a domestic object — ideally a USB charger or clock — with the heat signature visible as a localized warm spot. Source: Photo Helper search “hidden camera thermal image FLIR heat signature” — or creative commons thermal imaging example. Caption when filled: “Figure 4.4 — Thermal image of a powered hidden camera module inside a domestic enclosure. The image sensor and voltage regulator appear as warm spots against the cooler background of the object’s housing. Photo: File:Name.jpg by
. .”
Triage technique:
- Allow the room to reach thermal equilibrium — turn off heating/cooling vents if possible, wait 5–10 minutes for airflow to settle
- Scan all plausible hiding spots systematically (same grid discipline as the lens finder sweep)
- Look for localized warm spots in objects that should not be generating heat: a picture frame that is warm at one corner, a wall screw that is warmer than adjacent screws, a USB charger that appears several degrees warmer than its surroundings
- Note that many legitimate objects are warm — lamp transformers, power strips, charging electronics, laptops — the target is an anomalous warm spot in something that should be cool
- Flag every suspicious warm spot for physical inspection
Temperature signature guidance (spec-sourced, bench-verify):
- CMOS image sensor operating current: typically 50–200 mA at 3.3 V → 0.15–0.66 W → surface temperature rise above ambient of roughly 2–15 °C depending on heatsinking and enclosure
- Voltage regulator (LDO type): may dissipate as much as the sensor; often the hottest component on the board
- IR LEDs (850 nm array): can dissipate 0.5–2 W total; very distinct in thermal image as a ring of warm spots
The FLIR ONE Pro (640×480 pixel detector, $400) offers substantially better spatial resolution than the standard FLIR ONE (160×120 pixel) and can distinguish the hot-spot geometry of a camera module from the diffuse warmth of a transformer more reliably.
4.9.3 Defeat mechanisms
Thermal detection is defeatable by several practical techniques, and understanding these is important for honest assessment of the method’s ceiling:
Table 9 — Thermal detection is defeatable by several practical techniques, and understanding these is important for honest assessment of the method's ceiling
| Defeat mechanism | Physical basis | How common |
|---|---|---|
| Thermal insulation | Foam, silicone, air gap around camera module reduces surface temperature rise | Uncommon in cheap spy cameras; possible in higher-end installations |
| Ambient heat masking | Camera is placed near a genuinely warm object (lamp transformer, power strip, AC adapter); warm object masks the camera’s signature | Easy for attacker to exploit; room-condition-dependent |
| Low-power sensor design | Some SD-only cameras use very low-power image sensors (< 50 mW total) that approach the noise floor of a FLIR ONE | More common in modern ultra-small designs |
| Camera powered off | No heat if fully powered off | Trivially defeatable by the attacker |
| Camera warmed up vs just-turned-on | A freshly activated camera has not yet reached steady-state temperature; brief recording window then off | Time-coordination required but possible for sophisticated attacker |
| False positives | Laptop chargers, power strips, room thermostats, AC units, lamp ballasts, and any powered electronic in the room generates heat | High FP density in any occupied room |
Warning — thermal is fast but not definitive: Thermal imaging is an excellent first-pass triage tool because it quickly covers a large area and flags powered electronics. But it cannot replace optical retroreflection or NLJD as the primary detection methods for non-emitting cameras. A powered-off camera, a well-insulated camera, or a very low-power camera may generate no detectable thermal signature. Use thermal as a first-pass triage step that narrows the search space; do not use it as the sole method.
4.10 Acoustic, magnetometer, and X-ray
These three methods are corroborators and specialist tools, not primary sweep methods. They are documented here for completeness and to fill specific detection gaps.
4.10.1 Acoustic: IR-cut filter click and coil whine
Some camera models — particularly those with automatic IR-cut filter switching — produce audible sound when the filter toggles between its “day” and “night” positions in response to a light-level threshold crossing. The IR-cut filter is an electromechanical assembly: a small motor or solenoid shifts a piece of IR-absorbing glass or a dichroic filter in and out of the optical path. The mechanism produces a distinct click or snap sound at the moment of transition.
Using the acoustic cue:
- Turn off all noise sources (HVAC, fans, electronics)
- Rapidly vary the room light level (turn lights on and off, use a phone flashlight)
- Listen for a faint click from any object in the room — especially objects near plausible hiding spots
- Range at which the click is audible: typically 0.5–2 m in a quiet room; varies by camera design
Coil whine from the camera’s power regulator or motor driver is a second acoustic cue. A switching regulator at 100 kHz–1 MHz may emit audible harmonics (if the clock is within the audio band due to noise or aliasing), and some motor-driven camera mounts emit a high-pitched whine under load. These are rarer and less distinct than the IR-cut click.
Limitations. The acoustic technique is a corroboration aid, not a sweep method. It requires the camera to (a) have an electromechanical IR-cut filter, (b) be powered, and (c) be in an appropriate light-level transition during the sweep. Cameras without mechanical IR-cut filters — SD-only cameras that use a fixed-IR or electronic-sensitivity adjustment — produce no acoustic signature at all. The technique is most useful as a secondary confirmation when another method has already flagged a suspect location.
4.10.2 AC and DC magnetometer
AC magnetometer. Any powered electronic device contains oscillators, switching regulators, or motor windings that generate alternating magnetic fields at their operating frequencies. An AC magnetometer sensitive in the range of 10 kHz to 1 MHz can detect these fields at close range (typically < 5 cm for a small camera module). The Lockhart class of instruments used in professional TSCM sweeps includes a sensitive magnetic-field probe for exactly this purpose — detecting the AC field from a hidden device’s oscillator even when no RF emission is present at the antenna.
The limitation is that virtually every electronic device in a room generates AC magnetic fields: chargers, power supplies, laptop transformers, LED drivers, and anything with a switching regulator. The magnetometer sweep produces many flagged locations; physical inspection is required for every one.
DC magnetometer. A DC magnetometer — including the compass sensor in any smartphone — detects the static magnetic field from ferrous components (iron, steel, certain ferrite materials) and permanent magnets inside a camera module. Most camera modules contain at least one ferrous component: the lens barrel is often steel, the motor (in autofocus modules) contains a permanent magnet, and the PCB substrate may have ferrous ground-fill areas.
The effective range of the phone compass for detecting a camera module is very short — typically 1–5 cm. The technique is most useful when other methods have identified an approximate hiding location and the operator is confirming a specific object: holding a phone near a screw, wall outlet, or other suspected object and watching for compass deflection.
Both magnetometer techniques are corroborators — useful for adding confidence to a flag from another method, not as primary detection methods.
4.10.3 X-ray and backscatter
X-ray and backscatter imaging is the definitive volumetric detection method. It penetrates through opaque materials and reveals the internal geometry of objects, making camera modules visible inside walls, furniture, luggage, and sealed enclosures regardless of operating state.
Viken Detection (Aerojet Rocketdyne) makes the reference backscatter imager for personnel and small-object searches. Larger transmission X-ray systems are used for luggage and wall panels. Both types can reveal:
- A camera module’s distinctive geometry (cylindrical lens barrel + rectangular PCB + rectangular sensor die)
- Wiring from the camera to a recording device or power source
- Battery compartments typical of self-contained spy cameras
Practical constraints:
Table 10 — Practical constraints:
| Constraint | Detail |
|---|---|
| Cost | $20,000–$100,000+ (spec-sourced) for portable backscatter systems |
| Radiation safety | Backscatter systems emit ionizing radiation; operator training, dosimetry, and in many jurisdictions a license or regulatory approval is required |
| Portability | Most systems are large (rolling cart, van-mounted) rather than handheld; handheld backscatter imagers exist but at the high end of the price range |
| Scene coverage | X-ray imaging requires positioning the source and detector on either side of (transmission) or in front of (backscatter) the target; not practical for scanning an entire room quickly |
| Jurisdiction | Regulations on possession and use of X-ray equipment vary by country and state; professional licensure is required in most jurisdictions |
Practical application. X-ray is used in professional TSCM sweeps when (a) a specific object has been flagged by other methods and (b) the physical inspection would be destructive (requiring dismantling a wall section, sealed furniture, or structural element). Before cutting a wall open, an X-ray confirmation that a camera module is present is valuable. It is not a first-pass sweep tool.
4.11 Borescope, physical search
Physical search is the conclusion of every sweep. It is not a triage method. Its role in the sweep workflow is to convert an anomaly flag from any other method — a lens glint, a thermal spot, an NLJD harmonic response, an IR LED glow — into either a confirmed camera or a confirmed false positive by direct physical examination of the flagged object.
A borescope (also called an inspection camera, endoscope, or snake camera) is the primary physical search instrument for locations that cannot be directly inspected: inside smoke detector housings, behind wall plates, inside vent openings, under furniture, or in other confined spaces. A basic inspection borescope with a 7 mm or 9 mm probe diameter and a camera at the tip provides visual access to confined spaces without requiring destructive disassembly.
Cost range and capability:
Table 11 — Cost range and capability:
| Tool | Cost range | Probe diameter | Notes |
|---|---|---|---|
| Basic borescope (USB, phone attachment) | $20–$80 | 5.5–9 mm | Adequate for smoke detectors, wall plates, vent openings |
| Mid-range articulating borescope | $200–$800 | 5.5–8 mm | Steerable probe tip; better for routing around bends |
| Professional video borescope | $1,000–$3,000+ | 4–6 mm | HD video; articulating tip; bright LED illumination |
Physical inspection discipline:
Every flagged anomaly from every other method in this volume gets physically inspected. “Inspection” means one of:
- Direct visual examination at close range with illumination (phone flashlight, probe light): for objects accessible without tools
- Borescope examination: for enclosed spaces or housings where direct access requires disassembly
- Disassembly (when appropriate and with appropriate authority): opening a smoke detector housing, unscrewing a wall outlet cover, or removing a clock back panel
- Documentary confirmation: photographing any found device before touching it (evidence preservation)
The fundamental discipline is: no flag from any other method is resolved by declaring it “probably a false positive” without physically examining the flagged object. The high false-positive rate of every method in this volume makes this tempting — after the tenth metallic screw returns an NLJD response, there is a strong psychological pull to stop checking. This pull is exactly what an attacker relies on when placing a device in a location likely to generate legitimate false positives nearby (a camera hidden behind a power strip, next to a transformer, adjacent to a metal bracket).
The professional standard: in a professional TSCM engagement, every flagged anomaly is logged, physically inspected, and either confirmed as benign (with the confirming observation recorded) or confirmed as a device (with documentation and chain-of-custody). The sweep is complete only when every flag has been physically resolved. This standard is achievable in a hotel room or Airbnb by a single sweeper with a lens finder + borescope + thermal camera in 30–60 minutes; it requires 2–4 hours for a complete office suite at NLJD-sweep thoroughness.
The room-sweep playbook that integrates all of the methods in this volume into a systematic procedure — with the correct ordering, stop/go criteria, and Airbnb field-version condensation — is in Vol 12 §2 and §4.
4.12 Resources
4.12.1 Academic papers (web-verified citations)
-
LAPD — Sami S, Tan SRX, Sun B, Han J. “LAPD: Hidden Spy Camera Detection using Smartphone Time-of-Flight Sensors.” ACM SenSys 2021. DOI: 10.1145/3485730.3485941. Detection: 88.9%; FP: 16.7%. Platform: Samsung Galaxy S20+/S20 Ultra/Note 10+ (Sony IMX516 iToF). Proof-of-concept, not productized.
-
CamRadar — Liu Z, Lin F, Wang C, Shen Y, Ba Z, Lu L, Xu W, Ren K. “CamRadar: Hidden Camera Detection Leveraging Amplitude-modulated Sensor Images Embedded in Electromagnetic Emanations.” ACM IMWUT 6(4), 2022. DOI: 10.1145/3569505. Detection: 93.23%; FP: 3.95%; average detection time: 16.75 s on 19 cameras. Proof-of-concept, requires SDR within ~1 m.
-
EM Eye — Long Y et al. “EM Eye: Characterizing Electromagnetic Side-channel Eavesdropping on Embedded Cameras.” NDSS Symposium 2024. Open-source code: GitHub longyan97/EMEye_Tutorial. 12 cameras tested; 8 of 12 leaked sufficiently for video reconstruction. Max demonstrated range: ~5 m (Xiaomi Dafang), ~3.5 m (Wyze Cam Pan 2). Hardware: USRP B210; RTL-SDR/HackRF also demonstrated. Proof-of-concept, eavesdropping research.
-
HeatDeCam — Yu Z, Li T, Chang B, Fong T, Liu Y, Zhang N. “HeatDeCam: Detecting Hidden Spy Cameras via Thermal Emissions.” ACM CCS 2022. DOI: 10.1145/3548606.3560669. Accuracy: >95% on authors’ dataset of 22,506 images, 11 cameras, 6 rooms. Hardware: FLIR ONE + smartphone ML classifier. Public dataset: GitHub WUSTL-CSPL/HeatDeCam. Proof-of-concept, requires per-camera-model training.
4.12.2 Patents (cited in §5.4)
- US 8,228,591 — handheld optics detection system, coaxial near-IR and visible laser retroreflection (web-verified: handheld optics detection system for finding optical devices)
- US 7,858,920 — optical detection method (spec-sourced from design spec; verify independently before external citation)
- US 9,939,233 — related detection apparatus (spec-sourced)
- US 5,793,034 — earlier optical detection approach (spec-sourced)
4.12.3 Commercial products
- SpyFinder Pro (SF-103P) — consumer lens retroreflection finder, ~$148 (web-verified). The reference consumer product for the optical method. Suitable for traveler sweeps.
- REI ORION 2.4 HX — professional NLJD, ~$15,000 USD (spec-sourced; contact REI directly for current pricing at reiusa.net). Industry reference for semiconductor-junction detection.
- REI ORION 900 HX — professional NLJD at 900 MHz, same price tier. Better penetration of dense building materials.
- FLIR ONE / FLIR ONE Pro — thermal camera smartphone attachment, $150–$400. The reference hardware for the HeatDeCam approach and for manual thermal triage.
- Viken Detection — backscatter X-ray imager for personnel and object search (spec-sourced; professional TSCM and law enforcement market).
4.12.4 Software and open-source
- HeatDeCam (WUSTL-CSPL/HeatDeCam on GitHub) — open dataset + ML classifier for thermal spy camera detection
- TempestSDR_EMEye (longyan97/EMEye_Tutorial on GitHub) — modified TempestSDR implementing EM Eye camera EM leakage recovery; compatible with USRP B210, HackRF, RTL-SDR
- TempestSDR (martinmarinov/TempestSDR on GitHub) — the upstream project that EM Eye extends; general-purpose screen EM emanation recovery tool
- LAPD source code — cited in the SenSys 2021 paper; availability varies by author policy — check the paper’s supplementary materials or the affiliated lab pages
4.12.5 Hub gear and cross-references
Detection methods in this volume that use SDR hardware (§8 — EMI side-channel) are most capable with the HackRF One deep dive and RTL-SDR deep dive coverage of the spectrum-scanning workflow. See Vol 9 for the commercial detector survey that expands on the NLJD, lens finder, and thermal tools documented here. The room-sweep playbook integrating all of these methods into a practical procedure is in Vol 12.
The non-emitting camera detection problem is where the Vol 4 power-state matrix is most often consulted. Vol 15 (cheatsheet) reproduces a condensed version of this matrix for field reference.
This is Volume 4 of a fifteen-volume series. Next: Vol 5 walks the Wi-Fi/IP camera deep dive — how IP cameras announce and behave on a network, vendor OUI maps, on-network vs off-network scenarios, and the RSSI-walk technique for physically locating a camera once it has been detected.