name: privacy-scanner license: Apache-2.0. See LICENSE file for details. description: "Scan WiFi networks to detect hidden cameras and surveillance devices in rental accommodations (Airbnb, Booking, VRBO, etc.). Use when: user wants to check for hidden cameras, scan for surveillance devices, verify rental camera policy compliance, or run a privacy audit of a rental property. TRIGGER on: 'scan for cameras', 'hidden camera', 'surveillance scan', 'privacy scan', 'privacy check rental', 'check for spy devices', 'scan wifi cameras', 'privacy scanner'. DO NOT TRIGGER on: general network troubleshooting, WiFi speed tests, or unrelated security audits."
Privacy Scanner — WiFi Surveillance Device Detector
Defensive security tool that scans the local WiFi network to detect hidden cameras, microphones, and surveillance devices in rental accommodations (Airbnb, Booking, VRBO, etc.).
Overview
Airbnb's policy prohibits ALL indoor cameras and recording devices, even if disclosed and even if turned off. This tool helps guests verify compliance by scanning the WiFi network for surveillance equipment.
The scanner runs 7 phases: host discovery → manufacturer identification → port scanning → service discovery → deep inspection → risk classification → report generation.
What it detects:
- IP cameras from known surveillance manufacturers (Hikvision, Dahua, EZVIZ, Amcrest, etc.)
- Consumer cameras (Wyze, Blink, Arlo, Nest, Ring, Foscam, Yi, Eufy)
- Hidden cameras using generic IoT chipsets (ESP32, Realtek, MediaTek)
- RTSP streaming services, camera web interfaces, vendor-specific protocols
- ONVIF-compatible devices, mDNS-advertising cameras, UPnP media devices
What it CANNOT detect:
- Cameras on a separate VLAN or wired-only network
- Cellular-connected cameras (4G/LTE)
- Cameras powered off or in standby
- Devices using MAC address randomization
- Local-storage cameras not connected to any network
- Audio-only recording devices
Workflow
Step 1: Check Prerequisites
CRITICAL: nmap is mandatory on all platforms. Python 3.8+ is required for the cross-platform scanner.
Install per platform:
- Linux (Arch):
sudo pacman -S nmap python arp-scan avahi - Linux (Debian):
sudo apt install nmap python3 arp-scan avahi-utils - macOS:
brew install nmap python arp-scan - Windows: Install nmap from https://nmap.org/download (includes Npcap), Python from https://python.org
Python packages (optional, improve detection):
pip install python-nmap zeroconf requests
Step 2: Run the Scanner
Cross-platform (recommended) — works on Linux, macOS, and Windows:
# Linux / macOS
sudo python3 scripts/scan.py
# Windows (Admin PowerShell)
python scripts\scan.py
Linux-only — bash version (full feature parity):
sudo bash scripts/scan.sh
Common flags (same for both scan.py and scan.sh):
# Quick scan (~2-3 minutes)
sudo python3 scripts/scan.py --quick
# Report in English or Spanish (default: Portuguese)
sudo python3 scripts/scan.py --lang en
sudo python3 scripts/scan.py --lang es
# Specify interface/subnet manually
sudo python3 scripts/scan.py --interface wlan0 --subnet 192.168.1.0/24
CRITICAL: Run with sudo (Linux/macOS) or as Administrator (Windows). ARP scanning and SYN port scanning require elevated privileges. Without them, the scanner falls back to less reliable methods.
Step 4: Interpret Results
The scanner classifies every device into risk levels:
| Risk | Icon | Meaning | Action |
|---|---|---|---|
| CRITICAL | 🔴 | Confirmed camera/streaming device | Photograph. Contact Airbnb. Consider leaving. |
| HIGH | 🟠 | Strong camera indicators | Investigate physically. Check if disclosed in listing. |
| MODERATE | 🟡 | Suspicious/unidentified device | Try to locate and identify the device. |
| LOW | 🟢 | Probably safe (IoT, chipset device) | No action needed unless suspicious location. |
| INFO | 🔵 | Known safe device | No action needed. |
Step 5: Take Action (if threats found)
For CRITICAL or HIGH findings:
- Do NOT disconnect or tamper with the device
- Photograph the device and its location
- Save the scan report (terminal output + HTML file in
./privacy-scan-results/) - Contact Airbnb: App → Your Trips → Get Help → Report a safety concern
- Airbnb Emergency: +1-855-424-7262
- If you feel unsafe, leave the property
- Consider contacting local law enforcement
Scanning Phases
| Phase | Name | Tool | Purpose |
|---|---|---|---|
| 1 | Host Discovery | arp-scan, nmap -sn | Find ALL devices on the network |
| 2 | OUI Analysis | nmap-mac-prefixes + embedded DB | Identify manufacturers, flag camera brands |
| 3 | Port Scan | nmap -sS/-sT -sV | Scan camera-specific ports (RTSP, HTTP, vendor) |
| 4 | Service Discovery | avahi-browse, nmap NSE | mDNS, UPnP, ONVIF, SSDP discovery |
| 5 | Deep Inspection | curl, nmap NSE | HTTP banner grab, RTSP verify, keyword search |
| 6 | Classification | Evidence correlation | Apply risk matrix to all collected evidence |
| 7 | Report | Terminal + HTML | Formatted output with actionable recommendations |
Phases 4-5 are skipped in --quick mode.
Risk Classification Matrix
| Condition | Risk Level |
|---|---|
| Surveillance manufacturer OUI + RTSP/streaming port open | 🔴 CRITICAL |
| Surveillance manufacturer OUI + camera web UI confirmed | 🔴 CRITICAL |
| Any device + confirmed active RTSP streaming | 🔴 CRITICAL |
Camera service advertising via mDNS (e.g. _rtsp._tcp) | 🔴 CRITICAL |
| Camera web page title (NETSurveillance, IPCamera, DVR, etc.) | 🔴 CRITICAL |
| Known surveillance manufacturer, no open ports detected | 🟠 HIGH |
| Known consumer camera brand (Wyze, Blink, Arlo, etc.) | 🟠 HIGH |
| Manufacturer name contains camera/surveillance keywords | 🟠 HIGH |
| Unknown device + RTSP port open | 🟠 HIGH |
| Unknown device + vendor-specific camera port open | 🟠 HIGH |
| IoT chipset (Espressif, Tuya) + camera ports open | 🟡 MODERATE |
| IoT chipset + HTTP server (no camera keywords) | 🟡 MODERATE |
| Unknown manufacturer + HTTP server | 🟡 MODERATE |
| Completely unidentified device | 🟡 MODERATE |
| IoT chipset, no camera ports | 🟢 LOW |
| Generic network chipset | 🟢 LOW |
| Known safe manufacturer (Apple, Samsung, Intel, Dell, etc.) | 🔵 INFO |
| Identified non-camera device | 🔵 INFO |
Critical Rules
- CRITICAL: Always run with
sudo. ARP scans and SYN scans require root. - CRITICAL: Never skip Phase 2 (OUI analysis). Manufacturer ID is the strongest signal.
- CRITICAL: Scan ALL devices, not just flagged ones. Cameras often use generic chipset MACs.
- CRITICAL: Use
-T4timing (aggressive but safe). Do NOT use-T5— IoT devices may crash. - CRITICAL: Always mention scan limitations in the report. This is not a comprehensive physical sweep.
- CRITICAL: Do NOT advise the user to disconnect or tamper with found devices — this could destroy evidence.
Common Pitfalls
❌ WRONG: Scanning only devices with suspicious OUI ✅ CORRECT: Scan ALL devices — cheap cameras use generic Espressif/Realtek MACs
❌ WRONG: Trusting only OUI lookup for device identification ✅ CORRECT: Correlate OUI + ports + HTTP fingerprint + mDNS for accurate classification
❌ WRONG: Only checking port 554 for cameras ✅ CORRECT: Check ALL camera ports including vendor-specific (37777, 34567, 8000, 9000, etc.)
❌ WRONG: Ignoring mDNS services
✅ CORRECT: Many cameras announce _rtsp._tcp or _camera._tcp via Bonjour
❌ WRONG: Concluding "no cameras" after a clean scan ✅ CORRECT: State that the WiFi scan was clean BUT cameras could exist on other networks, wired, or offline
Camera-Specific Ports
554 - RTSP (primary camera streaming)
8554 - RTSP alternate
80/443 - HTTP/HTTPS (camera web UI)
8080 - HTTP alternate (very common on cameras)
8443 - HTTPS alternate
8000 - Hikvision ISAPI/SDK
8200 - Hikvision web alternate
37777 - Dahua proprietary protocol
34567 - XMEye/Chinese NVR protocol
34599 - XMEye alternate
9000 - Reolink proprietary
3702 - ONVIF WS-Discovery
1935 - RTMP streaming
5000 - Synology/QNAP Surveillance Station
6667 - RTSP alternate
8899 - HTTP camera alternate
7070 - Streaming alternate
9527 - Chinese camera debug port
Reference Files
reference/oui-database.md— Curated camera manufacturer MAC prefixes (3 tiers)reference/ports-services.md— Camera ports, HTTP keywords, RTSP paths, mDNS servicesreference/device-signatures.md— HTTP headers, HTML titles, mDNS hostnames, UPnP patterns
Output
The scanner produces:
- Terminal output — Color-coded, real-time progress with risk-classified device list
- HTML report — Saved to
./privacy-scan-results/privacy-scan-YYYYMMDD-HHMMSS.html- Dark security-themed UI with interactive device cards
- Language switcher (PT/EN/ES) — works offline, no reload needed
- Copy-to-clipboard for IP/MAC addresses
- Print-friendly mode
- Raw data — Saved to
./privacy-scan-results/raw-data-YYYYMMDD-HHMMSS/
Rental Platform Policies
Major short-term rental platforms prohibit indoor surveillance cameras:
| Platform | Policy | Link |
|---|---|---|
| Airbnb | All indoor cameras prohibited, even if off. Hidden cameras always banned. Outdoor cameras must be disclosed. | airbnb.com/help/article/3061 |
| Booking.com | Cameras allowed only in common/public areas, must be visible and disclosed. Prohibited where guests expect privacy. | partner.booking.com/...surveillance-devices |
| Vrbo | Indoor cameras prohibited. Outdoor cameras allowed only for security at access points, must be disclosed. | vrbo.com/...use-of-surveillance-policy |