How to Detect Hidden Cameras on Your WiFi Network (Mac Guide)

Checking into an Airbnb, a hotel room, or a short-term rental and wondering whether someone is watching you is no longer paranoia — it is a rational concern backed by hard data. A 2024 survey by IPX1031 found that one in four Airbnb guests have discovered a hidden camera in their rental. A separate study by Superhost Tools documented over 11,000 reported incidents of undisclosed surveillance devices in short-term rentals between 2021 and 2025. These are not isolated anecdotes. Hidden cameras are a widespread, documented problem, and the rise of inexpensive WiFi-connected cameras has made covert surveillance cheaper and easier than ever. The good news is that most of these cameras connect to the local WiFi network to stream or store footage — and that means they are detectable. If you have a Mac, you have everything you need to find them.

This guide covers three methods to detect hidden cameras on your WiFi network using a Mac: manual Terminal commands for technically inclined users, dedicated network scanning software for fast and thorough results, and physical detection techniques that complement the digital approach. By the end, you will know exactly how WiFi cameras reveal themselves on a network, how to identify their manufacturer and streaming ports, and what steps to take if you find one.

The Hidden Camera Threat

The hidden camera problem is not limited to any single type of property or location. Reports come from Airbnbs, hotels, vacation rentals, corporate offices, co-working spaces, gym changing rooms, public restrooms, and even private apartments where a landlord installed cameras without the tenant's knowledge. The motivations range from voyeurism to theft of intellectual property to monitoring employees or tenants illegally. The commonality is that the cameras are placed without the knowledge or consent of the people being recorded.

How common are hidden cameras?

The numbers are sobering. According to a 2023 investigation by Consumer Reports, approximately 11% of vacation rental guests worldwide have encountered a surveillance device they were not informed about. Airbnb's own internal data, leaked in a 2024 press investigation, showed the company processes thousands of camera-related complaints annually. In South Korea, the "molka" (hidden camera) crisis led to police conducting over 8,000 inspections of public spaces per year, finding cameras in roughly 5-8% of inspected locations. In the United States and Europe, law enforcement agencies report a steady year-over-year increase in hidden camera complaints, correlating directly with the declining cost of WiFi-connected cameras.

The economics explain the trend. A basic WiFi hidden camera — disguised as a smoke detector, alarm clock, USB charger, picture frame, or wall screw — costs between $15 and $50 on mainstream e-commerce platforms. They require no professional installation. Many are battery-powered or plug into a standard outlet. Setup takes minutes: connect to WiFi, install the companion app, and the camera streams live video to the operator's phone from anywhere in the world. Some models include motion detection, night vision, and cloud recording for an additional monthly fee. The barrier to covert surveillance has never been lower.

Types of hidden cameras

Understanding the two broad categories of hidden cameras determines which detection method works best:

WiFi-connected cameras are the most common type in 2026. They connect to the local wireless network — either the property's existing WiFi or a separate mobile hotspot — and stream video over the internet using protocols like RTSP (Real-Time Streaming Protocol) or HTTP. Because they must be on a network to function, they are discoverable through network scanning. They have IP addresses, MAC addresses that identify their manufacturer, and open ports that reveal their streaming services. These are the cameras this guide focuses on detecting.

Standalone cameras do not connect to WiFi. They record to an internal SD card or use a cellular SIM card for connectivity. SD-card-only cameras must be physically retrieved to access the footage, which limits their utility but makes them invisible to network scanning. SIM-based cameras use cellular data instead of WiFi, making them invisible to local network detection. For these types, physical detection methods (RF scanning, lens detection, infrared) are your only option.

The critical insight is that the majority of hidden cameras are WiFi-connected. The convenience of remote viewing — watching the stream from a phone anywhere in the world — is the primary reason people install these cameras in the first place. And that connectivity is their fundamental weakness: if a camera is on your WiFi, your Mac can find it.

How WiFi Cameras Work on a Network

To detect a hidden camera on a network, it helps to understand exactly what these devices look like from a networking perspective. A WiFi camera is, fundamentally, a small embedded Linux computer with a lens. It connects to the WiFi access point like any other device, receives an IP address via DHCP, and runs network services that allow it to stream video and accept configuration commands.

Network identity: MAC addresses and vendor prefixes

Every network device has a unique MAC (Media Access Control) address — a 48-bit identifier burned into the hardware. The first three octets of this address are the OUI (Organizationally Unique Identifier), assigned by the IEEE to each manufacturer. This means that every camera on your network reveals its manufacturer through its MAC address, regardless of what hostname it broadcasts or whether it tries to disguise itself.

The major camera manufacturers have well-known OUI prefixes. When you see a device with a MAC address starting with 44:47:CC or C0:56:E3, you know it is made by Hikvision — the world's largest manufacturer of surveillance cameras. A prefix of 3C:EF:8C or A0:BD:1D identifies Dahua, the second largest. Other common prefixes map to Amcrest, Reolink, Wyze, Tapo (TP-Link), Ring (Amazon), Arlo (Netgear), and dozens of smaller manufacturers. Network scanners that maintain an up-to-date OUI database can instantly flag these devices.

Open ports and streaming protocols

WiFi cameras expose specific network ports to serve video and accept management connections. These port patterns are highly distinctive:

• Port 554 (RTSP) — The primary protocol for streaming video from IP cameras. Nearly every WiFi camera runs an RTSP server on port 554. Finding RTSP on a device that should not be streaming video is the strongest single indicator of a camera.
• Port 80 and 443 (HTTP/HTTPS) — Most cameras have a web interface for configuration and live viewing through a browser. While these ports are common on many devices, their presence on a device from a camera manufacturer narrows the identification considerably.
• Port 8080 (HTTP Alternate) — Many cameras use port 8080 for their web interface instead of or in addition to port 80, especially when port 80 is already in use or blocked.
• Port 8554 (RTSP Alternate) — An alternative RTSP port used by some camera manufacturers to avoid conflicts with the default 554.
• Port 8443 (HTTPS Alternate) — Used by cameras that run their secure web interface on a non-standard port.
• Port 6668 or 8000-8200 range — Proprietary control ports used by Hikvision, Dahua, and their OEM variants for communication with their companion apps and NVR (Network Video Recorder) systems.
• Port 34567 — Default port used by many Chinese-manufactured cameras running the XMEye/CMS protocol, a very common firmware in cheap hidden cameras.
• Port 9000 — Used by some Wyze and Xiaomi cameras for their cloud relay service.

A device that has port 554 open, is from a known camera manufacturer, and is running embedded Linux is almost certainly a camera. No other common consumer device matches that combination.

Operating system and firmware

WiFi cameras overwhelmingly run stripped-down Linux distributions on ARM or MIPS processors. OS fingerprinting reveals them as "Embedded Linux" or sometimes a more specific firmware variant. This is another differentiator: your smart speaker, your laptop, and your phone all run identifiable consumer operating systems. A device running embedded Linux with RTSP ports open and a camera-vendor MAC address is exactly what it looks like.

Method 1: Manual Detection with Terminal

If you are comfortable with the command line, you can use built-in macOS tools and optionally nmap to scan the local network for devices that look like cameras. This method is free but requires technical knowledge and patience.

Step 1: List all devices with ARP

Open Terminal (Applications > Utilities > Terminal) and run:

arp -a

This displays the ARP (Address Resolution Protocol) table — a list of all devices your Mac has recently communicated with on the local network. The output looks like this:

? (192.168.1.1) at aa:bb:cc:11:22:33 on en0 ifscope [ethernet]
? (192.168.1.15) at 44:47:cc:de:fa:01 on en0 ifscope [ethernet]
? (192.168.1.22) at 3c:ef:8c:ab:cd:02 on en0 ifscope [ethernet]
? (192.168.1.30) at a4:34:d9:11:22:33 on en0 ifscope [ethernet]
? (192.168.1.45) at dc:a6:32:44:55:66 on en0 ifscope [ethernet]

Each line shows an IP address and its corresponding MAC address. The first three octets of the MAC (e.g., 44:47:cc) identify the manufacturer. To look up a MAC prefix, visit a site like maclookup.app or macvendors.com and paste in the first three octets. If the result comes back as "Hangzhou Hikvision" or "Zhejiang Dahua," you have found a surveillance camera on the network.

Limitation: The ARP table only contains devices your Mac has recently interacted with. It does not proactively discover every device on the subnet. You might miss cameras that have been idle.

Step 2: Ping sweep to populate ARP

To force all devices on the subnet to respond, you can run a ping sweep. Determine your subnet first:

ifconfig en0 | grep "inet "
# Output: inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255

Then ping the broadcast address to solicit ARP responses from all hosts:

ping -c 3 192.168.1.255

After the broadcast ping, run arp -a again. The list should be significantly longer, now including devices that were previously silent.

Step 3: Scan for camera ports with nmap

If you have Homebrew installed, you can install nmap:

brew install nmap

Then scan the entire subnet for the ports most commonly associated with cameras:

nmap -p 554,8554,80,8080,443,8443,34567,9000 192.168.1.0/24

This scans all 254 addresses for camera-associated ports. The output will show which devices have these ports open. Cross-reference the IP addresses with your ARP table to get the MAC addresses, then look up the vendors.

For more aggressive service detection, add the -sV flag:

nmap -sV -p 554,8554,80,8080 192.168.1.0/24

This attempts to identify the exact service and version running on each open port. You might see output like "RTSP (RealNetworks)" or "Hikvision IP Camera httpd" — which makes identification unambiguous.

Limitations of the manual approach

The Terminal method works but has significant drawbacks. You need to know which commands to run, how to interpret the output, and which MAC prefixes correspond to camera manufacturers. The process is slow — manually looking up vendors one by one across 20+ devices takes time. You might miss cameras that use randomized or spoofed MAC addresses. And there is no ongoing monitoring: you get a snapshot, not a security system. For a faster, more comprehensive approach, a dedicated IP scanner for Mac automates the entire process.

Method 2: Network Scanning with Paranoid

Paranoid is a native macOS network scanner that automates everything described in Method 1 and adds layers of intelligence that Terminal commands cannot replicate. If your goal is to detect hidden cameras on your WiFi network quickly and with confidence, this is the most effective approach.

One-click full network discovery

Launch Paranoid, select your WiFi interface, and click Start Scan (or press Cmd+Enter). Within 30 seconds, every device on the network appears in the results — with IP address, hostname, MAC address, vendor name, device type classification, open ports, service versions, and OS fingerprint. There is no need to run multiple Terminal commands, manually look up MAC vendors, or cross-reference port lists. Everything is resolved and presented in a single unified view.

Paranoid's multi-phase discovery process ensures no device is missed. The ARP prepopulation phase sends probes to every address on the subnet, catching devices that have no open TCP ports. The TCP scan phase checks common service ports. The service detection phase identifies exactly what software is running on each open port. The result is a comprehensive inventory that is significantly more complete than what arp -a and manual nmap scanning produce, especially for stealthy IoT devices.

Vendor identification flags camera manufacturers

Paranoid maintains a full IEEE OUI database and resolves every MAC address to its manufacturer name automatically. Devices from Hikvision, Dahua, Amcrest, Reolink, TP-Link (Tapo cameras), Wyze Labs, Ring (Amazon Technologies), Arlo (Netgear), Xiaomi, Eufy (Anker), and dozens of other camera manufacturers are immediately visible in the vendor column. You do not need to memorize OUI prefixes or visit lookup websites — the identification is instant.

Port scanning detects streaming services

The port scan results show whether each device has RTSP (port 554), HTTP (port 80/8080), or other camera-associated ports open. Combined with vendor identification, this creates a strong signal: a device from Hikvision with port 554 and port 80 open is a surveillance camera. A device from an unknown vendor with port 554 open and embedded Linux as its OS deserves serious investigation.

Dedicated camera detection

Paranoid includes a dedicated camera detection feature that goes beyond simple vendor and port matching. It uses a multi-signal approach combining vendor fingerprinting (matching against an extensive database of camera OUI prefixes), port and service pattern analysis (detecting RTSP, ONVIF, and proprietary camera protocols), OS fingerprinting (identifying embedded Linux firmware common to cameras), and hostname pattern matching (many cameras broadcast identifiable hostnames like "IPC-" or "DCS-" prefixes). When all signals converge, Paranoid classifies the device as a camera with high confidence and flags it visually in the device list.

This multi-signal approach catches cameras that individual methods would miss. A camera with a spoofed hostname is still caught by its MAC vendor. A camera from an obscure manufacturer is still caught by its RTSP port. A camera that disguises its ports is still caught by its embedded Linux fingerprint and vendor identity. The convergence of signals makes evasion significantly harder.

Practical workflow for checking a rental

When you arrive at an Airbnb, hotel, or rental property, here is the workflow:

1. Connect to the WiFi. Use the credentials provided by the host.
2. Open Paranoid and run a scan. Takes about 30 seconds.
3. Review the device list. Sort by vendor or device type. Look for camera manufacturers, RTSP ports (554), and devices classified as cameras.
4. Investigate any suspicious devices. Click on them to see full details: MAC address, all open ports, service versions, OS fingerprint.
5. Cross-reference with visible devices. If the host disclosed security cameras (e.g., a doorbell camera at the front entrance), verify that the camera you found matches that location and that there are no additional undisclosed cameras.

This process takes under two minutes and gives you a definitive answer about whether any cameras are connected to the WiFi network you are using.

Method 3: Physical Detection Methods

Network scanning finds cameras that are connected to WiFi. Physical detection finds cameras regardless of their connectivity — including offline cameras that record to SD cards and cellular-connected cameras that bypass WiFi entirely. The most thorough approach combines network scanning with physical inspection.

Visual inspection

Start with a methodical visual sweep of the space. Hidden cameras are most commonly placed in these locations:

• Smoke detectors and carbon monoxide detectors. The most popular hiding spot. Look for a small lens (often just 1-2mm in diameter) on the face of the detector. Legitimate smoke detectors do not have tiny glass circles or pin-sized holes on their surface. If you can safely remove it, check whether it has electronics beyond what a normal detector would contain.
• Alarm clocks and digital clocks. Cameras disguised as bedside clocks are available for under $30. Look for a small lens on the clock face, usually near the display. Pick up the clock and examine it closely. A camera clock will often feel heavier than expected and may have a micro-USB or USB-C charging port even if it is battery-operated.
• USB chargers and power adapters. Camera-equipped USB wall chargers look identical to standard chargers. They plug into an outlet and appear to charge devices normally. Look for a tiny lens on the front face. These cameras are particularly insidious because they are powered continuously and look completely innocuous.
• Picture frames and mirrors. Check picture frames for unusual thickness or a small lens built into the frame. For mirrors, use the "fingernail test": press your fingertip against the mirror surface. In a normal mirror, there is a gap between your fingertip and its reflection. In a two-way mirror (which can hide a camera behind it), your fingertip appears to touch its reflection directly.
• Air purifiers, tissue boxes, and decorative objects. Any object that faces a bed, shower, or changing area and has an uninterrupted line of sight deserves close inspection. Look for small holes that could conceal a lens.
• Screws and wall fixtures. Yes, cameras can be built into what appears to be a standard Phillips-head screw. These are small, difficult to spot, and nearly impossible to detect without close physical inspection or an RF detector. Look for screws that seem out of place or are positioned with a clear sightline to sensitive areas.

Infrared detection with your phone camera

Many hidden cameras include infrared LEDs for night vision. These LEDs emit light at a wavelength invisible to the human eye but detectable by digital camera sensors. Here is how to use this to your advantage:

1. Close all curtains and turn off all lights in the room to make it completely dark.
2. Open your phone's camera app. Use the front-facing camera on iPhones (the rear camera has an IR filter that blocks infrared; the front camera's filter is less aggressive).
3. Slowly scan the room through the camera screen. Infrared LEDs will appear as faint purple or white glowing dots on your screen even though you see nothing with your naked eyes.
4. Pay special attention to the locations listed above: smoke detectors, clocks, chargers, and any objects facing sleeping or private areas.

This technique is effective because most night-vision cameras activate their IR LEDs automatically when ambient light drops below a threshold. In a completely dark room, any camera with night vision will light up its IR array, making it detectable.

RF (Radio Frequency) detectors

Dedicated RF detector devices scan for radio frequency emissions from wireless cameras. When a WiFi camera transmits video, it emits RF energy on the 2.4GHz or 5GHz band. An RF detector sweeps through these frequencies and alerts you when it finds a transmitting device. Professional-grade RF detectors cost $100-$300 and can detect cameras through walls and inside objects. Consumer-grade models are available for $30-$50 but have more limited range and sensitivity.

The main limitation of RF detectors is that they detect all wireless transmissions, not just cameras. Your phone, laptop, smart watch, and every other WiFi device in the room will trigger the detector. The skill is in interpreting the results: a strong signal from a smoke detector is suspicious, while a strong signal from the nightstand where your phone is charging is expected.

Lens reflection detection

Camera lenses reflect light in a distinctive way due to their curved glass optics. Professional lens detectors use a ring of bright LEDs surrounding a viewing port. When you look through the port while the LEDs are active, any camera lens in your field of view reflects the LED light back as a bright, unmistakable pinpoint of light — even if the camera is tiny and well-hidden. These devices cost $20-$50 and are highly effective at short range (within a few meters).

A budget alternative: use your phone's flashlight. Slowly sweep the flashlight beam across suspicious objects and surfaces while watching for the distinctive glint of a glass lens. This is less effective than a dedicated lens detector but costs nothing and can still catch poorly concealed cameras.

Common Camera Signatures on a Network

The following table lists the most common WiFi camera manufacturers, their MAC address OUI prefixes, typical open ports, and common hostnames. Paranoid recognizes all of these automatically, but this reference is useful for manual investigations and understanding what your scan results mean.

* Some Ring devices use MAC prefixes shared with Raspberry Pi due to supply-chain chip sharing. Context matters — a Raspberry Pi in a rental that was not disclosed is itself suspicious.

Important note about generic cameras. The cheapest hidden cameras — the $15-$30 devices sold on Amazon, AliExpress, and Temu — often use firmware based on the XMEye/CMS platform. These cameras frequently have unregistered or recycled OUI prefixes that do not resolve to a known manufacturer name. In a network scan, they appear as "Unknown" vendor with ports 34567 and 554 open. An unknown device with those specific ports open is a very strong camera indicator and warrants immediate investigation. Paranoid flags these patterns even when the vendor lookup returns no result.

Another pattern to watch for: some cameras disguise their identity by using randomized MAC addresses or MAC addresses borrowed from common consumer electronics manufacturers. In these cases, the port signature becomes the primary detection vector. Any device running RTSP (port 554) that you cannot account for as a known media server or smart TV deserves scrutiny.

What to Do If You Find a Hidden Camera

Discovering a hidden camera is unsettling. Your immediate instinct might be to unplug it, confront the property owner, or leave immediately. Here is a measured, legally sound approach that protects both your safety and any potential legal case.

1. Document everything

Before you touch anything, document. Take photos and video of the camera from multiple angles, showing its location, how it is concealed, and what areas of the room it has a sightline to. Screenshot your network scan results showing the device's IP address, MAC address, vendor (manufacturer), and open ports. Note the exact date and time of discovery. If Paranoid is running, export the scan session — it includes timestamped device data that can serve as evidence.

This documentation is critical for several reasons: it proves the camera existed and was operational at the time of your stay, it identifies the specific device (which can be traced to a purchase), and it establishes the scope of the surveillance (what the camera could see). Law enforcement and attorneys will need this evidence.

2. Do not unplug or destroy the camera

As tempting as it is, do not unplug, cover, or destroy the camera. The camera itself is evidence. Tampering with it could be seen as destruction of evidence and may complicate legal proceedings. It could also alert the operator that they have been discovered, potentially giving them time to destroy their own records or evidence of other cameras.

Instead, if you want immediate privacy, cover the lens with a piece of tape or a sticky note. This stops the recording without damaging the device.

3. Contact law enforcement

In most jurisdictions, placing a hidden camera in a private space like a bedroom or bathroom is a criminal offense. In the United States, it violates federal wiretapping laws (18 U.S.C. Section 2511) and state voyeurism statutes. In the EU, it violates GDPR and national privacy laws. In many other countries, similar protections exist.

File a police report. Provide the documentation you gathered in step 1. Give them the MAC address and manufacturer information from your network scan — this can help them identify the specific device model and potentially trace the purchase. Some jurisdictions have specialized cybercrime units that handle surveillance cases.

4. Report to the platform

If you are in an Airbnb, report through the app immediately. Airbnb's policy explicitly prohibits undisclosed surveillance devices in private spaces (bedrooms, bathrooms). Disclosed cameras in common areas (like a front porch doorbell camera) are permitted but must be listed in the property description. A hidden camera in a bedroom or bathroom is a clear policy violation. Airbnb's Trust and Safety team investigates these reports and can remove the listing, refund your stay, and provide alternative accommodation.

For hotels, report to the front desk manager and request documentation of your complaint. If the response is inadequate, escalate to the hotel chain's corporate office and file a report with the local tourism authority.

5. Leave if necessary

If you feel unsafe, leave the property. Your physical safety and mental well-being take priority over any financial considerations. Document your departure (photo of you leaving, timestamped) and request a full refund through the booking platform. Most platforms will arrange alternative accommodation and cover any price difference in cases of confirmed surveillance devices.

6. Legal considerations

Consider consulting an attorney, especially if the camera was in a bedroom or bathroom. Many jurisdictions allow civil lawsuits for invasion of privacy in addition to criminal prosecution. Depending on local laws, you may be entitled to statutory damages, punitive damages, and attorney's fees. Several precedent-setting cases in the US and EU have resulted in significant settlements for victims of hidden camera surveillance in rentals.

Keep all documentation, scan exports, photos, and correspondence. Do not post about the incident on social media until you have consulted with an attorney, as public statements can sometimes complicate legal proceedings.

Setting Up Monitoring for New Cameras

Detection is most powerful when it is continuous. Whether you are staying in a rental for a week or monitoring your own home network, Paranoid's Network Monitor provides ongoing surveillance detection that catches cameras added after your initial scan.

Continuous monitoring in a rental

After your initial scan confirms the network is clean, enable Paranoid's Network Monitor. Set it to scan every 5-10 minutes. With monitoring active, you will receive an immediate alert if any new device joins the WiFi network during your stay. This catches scenarios like a property manager connecting a camera after your check-in, a neighbor's camera accidentally connecting to the rental's WiFi, or a timer-activated camera that was powered off when you first scanned.

The Network Diff Engine compares each monitoring scan against your baseline. New devices are flagged with full details: vendor, MAC, ports, OS. If a new Hikvision device with RTSP port 554 appears at 2 AM, you will know about it immediately.

Long-term home network monitoring

If you want to ensure no unauthorized cameras are added to your own home or office network, set up continuous monitoring as part of your regular network security audit routine. Save a baseline profile of your network's "known good" state, then let the monitor run. Any new device — whether a camera, a rogue access point, or any other unauthorized device — triggers an alert.

This is particularly valuable in shared environments: apartment buildings where neighbors might accidentally or intentionally connect to your network, offices where employees might bring in unauthorized devices, or any setting where you do not control every device on the subnet.

Alert configuration

For camera detection specifically, configure your monitoring alerts to pay special attention to:

• New devices from camera manufacturers — Hikvision, Dahua, Amcrest, Reolink, and other vendors listed in the camera signatures table above.
• New devices with RTSP ports — Port 554 or 8554 appearing on any device that was not previously on the network.
• Unknown vendor devices — Devices whose MAC vendor cannot be resolved are often cheap cameras with unregistered OUI prefixes.
• Devices classified as embedded Linux — New embedded Linux devices that were not part of your baseline warrant investigation.

By combining a thorough initial scan with continuous monitoring, you create a detection system that catches WiFi-connected cameras both at the moment of discovery and on an ongoing basis. This layered approach is the most effective way to see who's connected to your WiFi and ensure that new devices are never hidden from you.

Frequently Asked Questions

Can hidden cameras work without WiFi?

Yes. Some cameras record to a local SD card and never transmit wirelessly. Others use cellular connections (4G/5G SIM cards) to send footage, bypassing WiFi entirely. These cameras will not appear on a WiFi network scan because they are not on the network. For these types, physical detection methods are essential: RF detectors will catch cellular-transmitting cameras, and infrared detection and lens reflection methods work regardless of the camera's connectivity. The best approach is to combine network scanning (which catches the majority of cameras) with physical inspection (which catches the rest). SD-card-only cameras are less common in practice because they require the operator to physically retrieve the device to access the footage, which limits their utility in rental scenarios.

Will a VPN hide cameras from network detection?

No. This is a common misconception. A VPN encrypts your internet traffic by routing it through a remote server, but network scanning operates at the local network (LAN) level. ARP discovery works at layer 2 (data link), and TCP port scanning works at layer 3-4 (network/transport) — all below the VPN tunnel, which operates at layer 7. When you scan your local network, the probes travel directly between your Mac and other devices on the same subnet, never touching the VPN tunnel. A camera operator using a VPN to view their camera remotely does not change the camera's visibility on the local network. The camera still has a MAC address, an IP address, and open ports — all of which are visible to your scan.

What about cameras on a separate network or VLAN?

If a camera is on a different network than your Mac, you cannot scan it directly. Some sophisticated operators set up a separate WiFi network (a different SSID) or use a mobile hotspot specifically for their cameras, keeping them isolated from the guest WiFi. In hotels, cameras might be on the property's internal management network that is separate from the guest WiFi. In these cases, the cameras will not appear in your scan results because you are on different subnets.

How to address this: check whether the property has multiple WiFi networks. Look at the available WiFi networks list on your Mac (click the WiFi icon in the menu bar). If you see unexplained SSIDs that could belong to the property (e.g., a network with a similar name but a different suffix, or a hidden network), that could indicate a separate camera network. Also, use physical detection methods: RF detectors will pick up transmissions from cameras on any WiFi network, not just the one you are connected to. An RF sweep of the room catches cameras regardless of which network they use.

Can I detect cameras in other rooms?

Yes, if they are on the same WiFi network. Network scanning is not limited by physical proximity or walls. It discovers every device on the subnet regardless of where in the building (or even outside the building) the device is physically located. A camera in the hallway, a camera in another room, or a camera in the garage will all appear in your scan results as long as they are connected to the same WiFi network your Mac is on. This is one of the key advantages of network-based detection over physical methods, which require you to be in the same room as the camera.

What if the camera uses a MAC address that does not match a camera vendor?

This is where port-based detection becomes critical. Some cameras use MAC address randomization or have MAC addresses from chip manufacturers (like Realtek or MediaTek) rather than the camera brand. In these cases, the MAC vendor lookup will not flag them as cameras. However, their open ports still reveal them: RTSP on port 554, HTTP on port 80/8080, and especially proprietary ports like 34567 (XMEye) are extremely strong camera indicators regardless of the MAC vendor. Paranoid's multi-signal detection catches these cases by weighting port patterns heavily when vendor identification is inconclusive.

How do I know if a detected camera is hidden or disclosed?

Check the listing description and house rules. Airbnb and most rental platforms require hosts to disclose all surveillance devices, including their locations. If the listing mentions a "front porch camera" and your scan finds a single Ring doorbell on the network, that matches. If your scan finds three Hikvision cameras and the listing only mentions one, the undisclosed cameras are a problem. Cross-reference your scan results with the host's disclosures. Any camera that is not disclosed is, by definition, hidden from you — even if it is not physically concealed.

Can a smart TV or streaming device be confused with a camera?

Occasionally, but context resolves the ambiguity. Some smart TVs and streaming devices from manufacturers like Samsung, LG, and Amazon use DLNA or media streaming protocols that may involve port 554 (RTSP). However, these devices are typically identifiable by their vendor (Samsung, LG, Amazon), their other open ports (media-related ports like 8008, 8443, 7000), and their OS fingerprint (Tizen, webOS, Fire OS). A smart TV from Samsung with port 554 open alongside media ports is clearly a TV. An unknown-vendor device with only port 554 and 80 open running embedded Linux is clearly not. Paranoid's device classification considers the full signal set and distinguishes media devices from cameras.

---

Hidden cameras on WiFi networks are a real and growing threat, but they are far from undetectable. Every WiFi camera must connect to the network, and that connection creates a trail of evidence: a MAC address that identifies its manufacturer, open ports that reveal its streaming services, and an OS fingerprint that confirms its embedded hardware. Your Mac, equipped with the right tools, can read all of these signals and identify cameras within seconds of scanning the network.

The most effective approach combines all three methods described in this guide. Start with a network scan to find WiFi-connected cameras (the vast majority). Follow up with physical detection to catch offline and cellular cameras. Then set up continuous monitoring to ensure no new cameras appear after your initial sweep. This layered strategy leaves no blind spots and gives you confidence that your privacy is protected — whether you are checking into a rental for a weekend or securing your home network for the long term.

Privacy is not a luxury. It is a right. And in 2026, protecting that right starts with knowing what is on your network.