How to Find Hidden Cameras on Your Wi-Fi Network

In an era of affordable, ultra-compact IoT smart devices, personal privacy concerns are at an all-time high. Whether you are staying in a short-term rental, booking a hotel room, or leasing a new office, understanding how to verify your physical surroundings is a critical skill. Fortunately, because almost all modern hidden cameras rely on Wi-Fi connectivity to stream video to their owners, they leave a distinct digital footprint on the local network.

This technical guide will walk you through auditing a local network to discover unauthorized video recording hardware using standard, client-side tools and advanced LAN scanning techniques.

Step 1: Perform a Subnet Sweep (IP Discovery)

To communicate or stream live footage, a wireless camera must join the local Wi-Fi subnet and receive an IP address. The first step is to perform a full Address Resolution Protocol (ARP) or ICMP ping sweep across your active subnet range (typically 192.168.1.0/24 or 192.168.0.0/24).

Using a network analysis toolkit like LAN Lens, you can scan all 254 potential hosts in under two seconds. This creates a baseline inventory of every active device currently operating in your space.

Step 2: Inspect Hardware OUI Vendor Mappings

Every network interface has a unique 12-character identifier known as a **MAC Address**. The first six characters represent the Organizationally Unique Identifier (OUI), which identifies the physical hardware manufacturer.

By extracting the MAC addresses of your discovered devices and looking them up against the IEEE registry database, you can immediately identify the brand. Look specifically for companies that specialize in security, surveillance, or generic IoT modules, such as:

Surveillance Vendors	Common OUI Prefixes	Typical Device Profiles
Hikvision	00:40:8C, 28:57:BE, A0:47:37	Professional IP cameras, NVRs
Tuya / Smart Life	18:69:D7, 50:8A:06, D8:17:F7	OEM modules inside generic plug-in cameras
Wyze Labs	2C:C6:60, A4:DA:3F	Budget wireless indoor/outdoor cameras
Dahua Technology	00:1A:07, 3C:EF:8C, 90:02:A9	Surveillance systems, security intercoms

If you see an unfamiliar device manufactured by a surveillance company, or a generic IoT provider like Tuya or Espressif (which powers cheap, pinhole spy cameras sold online), it warrants a closer physical inspection.

Step 3: Conduct a Local Port Audit

Once you identify suspicious IP addresses, the next step is auditing their open listening ports. Network cameras operate specific network services to stream video, broadcast capabilities, or host local administration pages.

Execute a port scan targeting the following highly relevant surveillance ports:

• Port 554 (RTSP): The Real-Time Streaming Protocol. This is the industry-standard port for streaming live H.264/H.265 video feeds. An open Port 554 is a strong indicator of a camera or recording server.
• Port 80 / 443 / 8080 (HTTP/HTTPS): Web interfaces. Many cameras host a web configuration dashboard. Visiting the IP in your browser (e.g., http://192.168.1.45) may reveal a live video viewport or login console.
• Port 8899 / 8099 (ONVIF): Open Network Video Interface Forum protocol. Used by security cameras to broadcast hardware profiles and capabilities to local recording software.
• Port 1935 (RTMP): Real-Time Messaging Protocol. Used by some smart devices to cast streams to remote servers.

Step 4: Check for UPnP and mDNS Advertisements

Many smart cameras are configured out-of-the-box to make setup easy for consumers. They broadcast their presence using standard discovery protocols like **UPnP (Universal Plug and Play)** and **mDNS (Bonjour)**.

Inspect Bonjour and SSDP logs on your network. A camera will often advertise service protocols like _axis-video._tcp, _rtsp._tcp, or display descriptive hostnames (such as wyze-cam.local or hik-surveillance.local).

What to Do If You Find a Camera

1. Document the Discovery: Take screenshots of your scan results, including the IP address, MAC OUI vendor, open ports, and advertised hostnames.
2. Locate the Device: Check where the suspicious IP address points. If it is a plug-in clock, charger, or smoke detector, examine it closely for tiny lens openings.
3. Disconnect Safely: If the device is local and physical, unplugging it or placing a piece of opaque tape over the lens block will immediately neutralize the stream.