Last Updated: 2019-04-11 16:37:40 UTC
by Johannes Ullrich (Version: 1)
Recently, there have been a number of stories about hidden cameras found in Airbnb rentals . Of course, these cameras are likely not limited to vacation rentals, and there have also been reports about cameras installed in hotels . When considering defenses for any threat, it is important to keep in mind the adversary. In this case, I am assuming that the owner of the apartment you are renting is not a sophisticated network engineer but pretty much buying cheap off the shelf cameras and connecting them to the local network.
You typically end up with your normal "home network" in an Airbnb. A single wireless router/access point connected to a consumer DSL or cable modem. The guest has access to the wireless network but usually does not have access to the admin console of the router.
The very first thing you can do is a simple visual inspection of the rooms. Is anything out of place? Cameras often need power. Are there any devices that have power running to them that usually do not? Are any devices out of place.
Popular devices used to hide cameras:
- USB chargers. They are typically plugged into the wall, and it would not be considered suspect to have them connected to power. Most popular USB charger cameras I have seen are black to hide the lens better. But the lens will be visible if you look closer. They also tend to be quite a bit larger. Below I have a picture of a normal Apple USB charger and one with a camera. If you unplug it, you may see a slot for a memory card.
iPhone and iPad chargers compared to "USB Spy Cam Charger"
- Digital clocks. These are difficult to spot. If you are worried, then unplug it and place it inside a drawer.
- Fire alarms. Again, this can be difficult to identify, and unlike for a digital clock, you should probably not just remove fire alarms. But is there a fire alarm out of place? For example, there should not be a fire alarm in the bathroom (but you often do have them in bedrooms). Is there more than one fire alarm in a particular room?
Do a quick search on Amazon for "hidden camera" to get a decent list of possible devices you may encounter. Not all of them require power cords. Some run on batteries.
Next, it may be a good idea to check the local network for odd devices. Most of these cameras will allow remote access via WiFi. As a very first step, see what networks are available (in addition to the one provided by the host). But this scan is likely going to show dozens of neighbor networks, and I do not recommend trying to connect to networks you are not authorized to connect. Watch for any networks with a surprisingly good signal.
Once you are connected to the host's Wifi network, it is time to launch a quick Nmap scan. Most of these spy cameras offer a web server. So a simple scan like:
nmap -Ap 80,8000,8080,443,8443,7443,7070,7000,22,23,21 10.5.1.0/24
is a good start. Here are some of the innocent devices you may find:
- The router/modem should respond, and it often uses a web-based admin interface
- Smart TVs, cable boxes and similar equipment will likely respond
For any devices found, connect to them to see if you can identify them. If nothing is found, or if you find devices that do not respond on any of the ports above: run a more exhaustive scan. You will not find devices segmented into a different VLAN, or that are properly firewalled on to respond. If you want, you can be more intrusive. Reboot the router (unplug/plug it back in) and collect ARP messages with tcpdump to see if you missed any devices.
Finally, try to figure out the public IP address of the network you are on ( https://dshield.org/api/myip ) and either run a port scan from the outside to see if you find any odd open ports, or look it up in Shodan to see if Shodan found cameras on this IP in the past (but you likely will have a dynamic IP address).
If you do have access to the router's admin console, you may want to check if it has a list of connected devices or additional networks it is offering, which may be used for these devices. Some home routers have two SSIDs, one typically used for "Guest" access, with a second SSID used for a more protected subnet. Cameras could be connected to this second network.
More advanced techniques:
- An infrared camera can help (like a phone attachment). Cameras and devices like it will give off heat. But this will not identify cameras inside electronic devices, and the scans can be difficult to interpret (e.g. mirrors will reflect IR, so a hot spot on a mirror may be from a ceiling light not from a camera behind it)
- Battery operated cameras are almost always motion activated to save power. You could either try to correlate wireless traffic with motion, or you could set up fake motion (paper towel tied to a ceiling fan, blinking light) to drain the batteries.
- There are "spy cameras" that use non-WiFi RF transmissions. They are a bit more difficult to find. There are some special detectors for them, that will alert on RF signals on frequencies typically used by these cameras. I have no idea how well they work but assume that they will (a) not get anything as some cameras may use odd frequencies and (b) lead to false positives as some of these frequencies may be used by other devices as well. I do not have any first-hand experience with these detectors (and do not keep them in your hotel room if you are trying to sneak into Maro-Lago).
The same techniques can apply to a normal hotel as well. But hotel networks tend to be more complex, so a Nmap scan is likely to lead to ambiguous results. Hotels for example often have cameras in hallways and other public areas (hopefully your Nmap scan will not find them).