Eye of Sauron: Long-Range Hidden Spy Camera Detection and Positioning with
Inbuilt Memory EM Radiation
Qibo Zhang
Hunan University
Daibo Liu
Hunan University
Xinyu Zhang
University of California San Diego
Zhichao Cao
Michigan State University
Fanzi Zeng
Hunan University
Hongbo Jiang
Hunan University
Wenqiang Jin
Hunan University
Abstract
In this paper, we present ESauron, the first proof-of-concept system that can
detect diverse forms of spy cameras (i.e., wireless, wired and offline devices)
and quickly pinpoint their locations. The key observation is that, for all spy
cameras, the captured raw images must first be digested (e.g., encoding and
compression) in the video-capture devices before being transferred to the target
receiver or storage medium. This digestion process takes place in an inbuilt
read-write memory whose operations cause electromagnetic radiation (EMR).
Specifically, the memory clock drives a variable number of switching voltage
regulator activities depending on the workloads, causing fluctuating currents
injected into memory units, thus emitting EMR signals at the clock frequency.
Whenever the visual scene changes, bursts of video data processing (e.g., video
encoding) suddenly aggravate the memory workload, bringing responsive EMR
patterns. ESauron can detect spy cameras by intentionally stimulating scene
changes and then sensing the surge of EMRs even from a considerable distance. We
implemented a proof-of-concept prototype of ESauron by carefully designing
techniques to sense and differentiate memory EMRs, assert the existence of spy
cameras, and pinpoint their locations. Experiments with 50 camera products show
that ESauron can detect all spy cameras with an accuracy of 100% after only 4
stimuli, the detection range can exceed 20 meters even in the presence of
blockages, and all spy cameras can be accurately located.
1 Introduction
Hidden spy cameras placed in sensitive locations such as hotels and dressing
rooms are increasingly a threat to individual privacy [1, 2, 3]. A recent survey
of travelers in the US revealed major concerns about hidden spy cameras, and an
alarming percentage (11%) of Airbnb users have found a hidden camera in their
short-term rental [4]. Modern spy cameras are highly miniaturized and can be
easily installed anywhere in a private space or implanted into daily objects,
such as smoke detectors, bathroom light fixtures, USB chargers, or power outlets
(examples shown in Figure 1). Worse still, recent research [5] reported that a
significant number of private devices, e.g., home security and surveillance
cameras, are at risk of being manipulated by hackers, thus becoming spy cameras
[6, 7, 8].
Figure 1: Examples of commodity hidden spy cameras and the principle of
employing ESauron to detect them. [Diagram: inside the spy camera, the lens,
ISP, VC, MCU and memory; real-time memory read/write causes memory EMR leakage,
which the ESauron EMR detector picks up.]
Unfortunately, it is difficult to detect such spy cameras due to their small
form factors and/or stealthy working mode. Depending on how the real-time video
captures are transferred, a spy camera can be wired or wireless to a remote
receiver, or use onboard storage. Recent research proposed to detect hidden
cameras by searching for the tell-tale signs of tiny reflections from the camera
lens [9], or by analyzing the traffic patterns of RF signals emitted from their
radio interfaces [10, 11, 12, 13, 14]. However, these techniques still bear a
few major limitations. First, the light-reflecting-based methods assume users
are aware of the approximate location of the cameras, which is not always the
case. A user usually has to carry a detecting device and scrutinize the entire
private space, which requires a slow and meticulous sweep while exhibiting high
false positives due to ambient reflections. Second, RF scanning-based methods
are only applicable to hidden cameras that wirelessly stream their recorded
videos, whereas a substantial portion of spy cameras rely on wired transmission
or local storage, meaning that they do not initiate any wireless connections.
All of the above evidence suggests that there is still a lack of an effective
method to detect diverse forms of spy cameras.
This paper aims to reliably detect diverse forms of spy cameras (i.e., wireless,
wired and offline devices) and quickly pinpoint their locations despite these
challenges. Our key insight is that, despite diversified models and forms, all
cameras for video recording will inevitably digest the captured raw images in
real time before transferring them to the target receiver or storage medium. The
digestion process takes place in an inbuilt read-write memory (as illustrated in
Figure 1) whose operations cause electromagnetic radiation (EMR). Therefore, we
may be able to detect a functioning hidden spy camera if we can receive and
identify its unique EMR traces over the air. Recent studies, e.g., EarFisher
[15], Memscope [16], DeHiREC [17] and CamRadar [18], have explored EMR-based
hidden device detection. However, because they ignore the critical dynamic
traits (frequency drift) of memory EMRs in camera devices, they are ineffective
in distinguishing and continuously tracking the time-varying EMRs from even a
single device, not to mention common scenarios with multiple deployed cameras,
probably of the same model. Moreover, due to the weakness of the ADC EMRs
produced by simple switched-capacitor circuits, the detection range of DeHiREC
and CamRadar is limited to dozens of centimeters, which poses an insurmountable
hurdle for device identification and localization when spy cameras are deployed
high up in a room. Lacking a thorough characterization of memory EMR from camera
devices, the ability to continuously differentiate and track camera devices of
the same model, and an EMR-based positioning capability, existing works are
still far from effective hidden camera detection in real scenarios. To address
these problems and achieve the goal of ESauron, we need to answer the following
research questions.
RQ 1: What are the characteristics of the EMR traces leaked from a spy camera?

RQ 2: How to effectively identify the extremely weak EMR leakage from a spy
camera, especially when it is at a distance and interfered with by other devices
also producing EMRs in a similar spectrum?

RQ 3: Given the EMR traces of an identified spy camera, can the weak and memory
workload-relevant EMR signals be used for pinpointing its location under the
multipath and shadowing effects?
We begin by building an analytical model and conducting extensive measurements
to address RQ 1. This involves analyzing the memory EMRs resulting from image
data processing, which are emitted at the memory clock frequency. Our spectrum
analysis identifies harmonic components around the memory clock. To address RQ 2
and overcome the challenge of detecting weak EMR signals, we utilize the unique
EMR spectrum characteristics. Our enhanced signal processing algorithm
aggregates energy from multiple harmonic components, significantly improving the
signal-to-noise ratio. This enhancement enables the accurate detection of weak
EMR emissions from considerable distances, even in the presence of obstacles. In
the presence of interference from non-camera devices emitting EMRs in a similar
spectrum, we establish a causal relationship between camera scene changes and
responsive EMR patterns. This analysis eliminates the impact of interference,
ensuring accurate spy camera detection. To distinguish mixed EMRs from multiple
spy cameras, we conduct extensive measurements on 50 camera products. These
measurements reveal unique memory clock fingerprints in the EMR spectrum, both
static and dynamic. These fingerprints are then used to separate and track each
spy camera’s memory EMRs. Addressing RQ 3, we employ a received signal strength
(RSS)-based iterative-approximation search algorithm to guide the receiver
toward the spy camera’s location. EMRs, operating at relatively low frequencies,
are less susceptible to multipath and shadowing effects. This approach enables
the accurate pinpointing of spy camera locations by following the RSS gradient.
We built a prototype platform of ESauron, with a laptop PC
equipped with a plug-in miniature strobe light and a USRP
B210 with a log-periodic antenna. Note that we are work-
ing on hosting our system on Raspberry Pi to miniaturize the
platform equipment of ESauron.
Summary of contribution. Our contributions are summarized below:

• We propose ESauron, the first generalized system to detect and pinpoint all
kinds of hidden spy cameras, including wireless/wire-connected and storage-based
offline devices.

• By digging out the underlying cause of memory EMRs leaked by spy cameras and
characterizing a series of unique properties, we design techniques to sense and
differentiate memory EMRs, and assert the existence of spy cameras.

• We present a searching algorithm that heuristically searches for the
appropriate direction in which to move to approach the spy camera. In this way,
ESauron can quickly guide the user to the spy camera’s location.

• We design a proof-of-concept system of ESauron using a USRP B210 with a
log-periodic antenna. We demonstrate the effectiveness of the proposed system
design through a full-fledged testbed implementation and comprehensive
experiments in real environments.
2 Background and Motivation
In this section, we first introduce the hardware architecture
and processing logic of consumer-grade cameras. Then, we
investigate the memory models used in spy cameras and ex-
plain the source of memory EMR.
Figure 2: Hardware modules inside a consumer-grade camera. A scene image through
a lens is first digitized by a CMOS/CCD sensor. A dedicated video SoC chip is
used for multimedia preprocessing, i.e., image signal processing (ISP), codec
and transmission (networking processor). [Diagram: sensing unit (lens, CMOS/CCD
sensor); processing unit on the hardware-integrated camera SoC (sensor interface
SI, ISP, video codec VC, MCU, and DRAM holding the raw frame buffer and codec
frame buffer); communication unit (network processor, SSD, Ethernet, serial,
WiFi). Arrows mark the data flow and processing sequence 1 to 5.]
2.1 Basic Operation of Video Cameras
Hardware architecture. Figure 2 depicts the hardware ar-
chitecture of general consumer-grade cameras, comprising a
sensing unit, processing unit, and communication unit. The
sensing unit, typically a CMOS/CCD image sensor, cap-
tures and digitizes the target scenes to generate raw image
data, and then passes them to the processing unit that is lo-
cated on the camera system on chip (SoC). The processing
unit contains: (1) an image signal processor (ISP) module
that performs operations such as demosaicing, noise reduc-
tion, auto exposure, autofocus, auto white balance, and im-
age sharpening designed to convert raw images into high-
quality video frames; (2) a video codec (VC) module that
compresses the video frames following standard protocols
such as H.264/H.265. After that, the communication unit
transfers the encoded frames to a target receiver or storage
medium through wireless or wired paths, e.g., Ethernet, WiFi,
or serial bus.
Table 1: Memory models used by different camera products.

| Brand | Model | SoC chip | Memory frequency | Transfer mode |
|---|---|---|---|---|
| Google | Nest Cam Indoor | Ambarella S2LM | DDR3-1600 | Wireless/Storage |
| Logitech | Circle 2 | Ambarella S2LM | DDR3-1600 | Wireless |
| Arlo | Pro 3 | OV 00798 | DDR2-667 | Wireless |
| Amcrest | IP2M-841W | Ambarella S2LM | DDR3-1600 | Wireless/Storage |
| Hikvision | DS-IA | HK-2019 | DDR3-1700 | Wired |
| Hikvision | EzvizC2C | Hisilicon 3518 | DDR3-1700 | Wireless |
| Xiaoyi | Y1 | QG2101A | DDR3-1033 | Wired/Wireless |
| Dahua | LC-TC7 | Hisilicon 3518 | DDR3-1700 | Wireless/Storage |
| Xiaomi | SXJ01ZM | Grain 8136 | DDR2-1600 | Wireless |
| Skyworth | c10 | Hisilicon 3518 | DDR3-1700 | Wireless/Storage |

Essential memory operation. From the perspective of the
data flow, as illustrated in Figure 2, the raw images need to
be first transferred and cached to the SoC memory. Then, the
ISP module reads out the SoC memory and, together with a
microprocessor (MCU), executes the image processing op-
erations. The resulting RGB data (i.e., pixels) are further
stored in the frame buffer within the SoC memory. On this
basis, the VC module loads the pixel data from the memory
and performs encoding, which involves scene analysis, mo-
tion estimation, macroblock classification, intra/inter-frame
encoding, deblocking filter, etc. Almost every encoding step
will exchange a mass of intermediate data with the SoC mem-
ory, among which motion estimation is most overwhelming.
In other words, a dynamic change of the scene can drive a
new round of motion estimation, which brings a notable in-
crease in data exchange between the VC and the SoC mem-
ory, namely memory workload.
Note that existing consumer-grade cameras, whether spy cameras, surveillance
cameras or ordinary cameras, share a similar hardware architecture and
processing logic.
2.2 Memory Models on Spy Cameras
Does any camera-device have an inbuilt read-write mem-
ory? For a camera device, despite diversified models and
forms, the captured raw images must be first digested (e.g.,
encoding and compression) before transferring to target re-
ceiver or storage medium. Such encoding/compression pro-
cesses have to exchange (read and write back) a mass of in-
termediate data with a specified memory. Thus a read-write
memory is indispensable to any form of camera-devices, even
the miniaturized spy cameras (as shown in Figure 16 below).
DRAM used in modern camera devices. DRAM has been widely adopted by consumer
electronics due to its low cost, low power consumption, and high efficiency.
Generally, DRAM can be divided into SDRAM (Synchronous Dynamic Random-Access
Memory) and DDR SDRAM (Double Data Rate SDRAM, denoted as DDR memory). Owing to
its much higher data transfer efficiency, DDR memory has dominated the memory
market [19]. Specific to the camera memory models, our survey in Table 1 reveals
the same trend. We have purchased and examined 50 camera products from a major
e-commerce portal. Our survey covers a variety of camera types, including
miniature spy cameras, webcams, surveillance cameras, and home security cameras;
and a variety of brands, such as Hikvision, Logitech, Arlo, Dahua, and some
unknown models. We found that all the cameras, without exception, are equipped
with DDR memory (e.g., DDR2-667/1600, DDR3-1033/1600/1700) in their SoC.
2.3 Memory EMR Leakage
We now demystify the DDR memory EMR (referred to as
memory EMR in the rest) and present the analytical model
on the spectrum patterns of memory EMR.
Generation of memory EMR. DDR memory is composed of a large number of basic
memory units, each consisting of a transistor and a capacitor. The charging
state of the capacitor determines the memory unit’s logic state, i.e., 1/0. When
the DDR memory is read/written, the memory clock immediately drives a large
amount of switching voltage regulators’ activities, by which the selected
capacitors are charged/discharged by the transfer of electrons. Following the
Faraday law of electromagnetic induction [20], the corresponding
acceleration/deceleration of electrons produces EMR which resonates at the
memory clock frequency [21].

Figure 3: The spectrum mode of the memory EMR under different working conditions
of the spy camera. [Plot: normalized power versus frequency (MHz) for the
Working, Stand by and Sleep states.]

Figure 4: Distance-relevant RSS preservation. [Plot: normalized power versus
time (ms), 0 to 1000 ms, annotated "Turn on/off light".]
If a certain read/write operation involves more memory
units, the memory clock will drive more switching activi-
ties in proportion to the number of capacitors, resulting in
stronger emanations at the memory clock frequency, and vice
versa [21]. Therefore, the EMR amplitude is highly depen-
dent on the memory workload.
Memory EMR analysis. The simplest form of a memory clock is a sine wave [15].
However, such a single-carrier clock can lead to excessive EMR intensity that
may violate the regulatory requirement for electromagnetic compatibility. Modern
clock generators instead adopt spread spectrum clock (SSC) techniques [22, 23],
which distribute the EMR energy as

$$V_{ssc}(t) = A \cos\left(2\pi f_0 t + \frac{\Delta f}{f_m} \sin(2\pi f_m t)\right),$$

where $f_0$ is the center frequency of the memory clock, and $f_m$ and
$\Delta f$ are the modulation frequency and peak frequency offset, respectively.
The descriptions of used symbols are listed in Appendix A. Due to stability
requirements, the clock signal $V_{ssc}(t)$ has to go through a band-pass filter
for harmonic components suppression. Then the energy of the memory EMR is
non-zero only at frequencies $f_{nz}$, where the frequency of the $i$-th
non-zero memory EMR can be expressed as

$$f_{nz}(i) = f_0 \pm i f_m. \qquad (1)$$

Consequently, the memory EMR is composed of a series of harmonic components,
where the frequency interval between consecutive harmonic components is $f_m$,
and the first harmonic component is at $f_0$. Note that $f_m$ is a constant and
only depends on the memory hardware model. The theoretical analysis on memory
EMR has been well explained in previous literature [24, 15].
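The harmonic structure in Eqn. (1) follows from expanding the SSC clock with the
Jacobi-Anger identity. This derivation is added here and is not part of the
original paper; the modulation index $\beta$ and the Bessel functions $J_i$ are
notation introduced only for this step. With $\beta = \Delta f / f_m$ and $J_i$
the Bessel function of the first kind of order $i$:

$$V_{ssc}(t) = A \cos\big(2\pi f_0 t + \beta \sin(2\pi f_m t)\big) = A \sum_{i=-\infty}^{\infty} J_i(\beta) \cos\big(2\pi (f_0 + i f_m)\, t\big).$$

Every spectral line therefore sits at $f_0 \pm i f_m$, spaced $f_m$ apart, with
relative amplitude $|J_i(\beta)|$. Because $J_{-i}(\beta) = (-1)^i J_i(\beta)$,
the lines at $f_0 + i f_m$ and $f_0 - i f_m$ have equal magnitude, and the
amplitude $A$ scales all lines together without moving them.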
Existing techniques and regulations on electromagnetic interference and
electromagnetic compatibility have made much effort to reduce the unintentional
EMR leaked from DDR memory. However, it is still inevitable that DDR memory will
produce EMR at the clock frequency when there are fluctuating currents.
2.4 Measurement of EMR Spectrum Patterns
We conduct empirical studies to verify the spectrum patterns of memory EMR. Our
measurements are conducted with representative memory models, DDR2-800/1600,
DDR3-1700/1866, and DDR4-2133/2400, which are widely used in spy cameras. We
employ a USRP B210 with a log-periodic antenna to capture the EMR leakage. We
configure the carrier frequency to be the memory center frequency $f_0$, set the
sample rate to 2 MHz, and take an FFT over a 1 s window of the captured signal
to convert it into individual spectral components. Meanwhile, we create
different workloads, i.e., write the memory intensively, put it in standby state
with only periodic refresh operations, and put it in sleep state. We derive four
observations from the measurement study.
First, from the analysis of spectrum patterns as illustrated in Figure 3, we
observe that in both the working state and standby state, DDR memory operations
do produce (leak) EMR signals, of which the frequency spectrum features a series
of energy peaks distributed over around 1 MHz near the memory clock frequency
$f_0$ (e.g., 850 MHz).

Second, an auto-correlation of the peak frequencies confirms that the frequency
interval (i.e., $f_m$) between consecutive peaks is constant, agreeing well with
the above analysis. For instance, $f_m$ = 31.25 kHz and 31.16 kHz for DDR3-1700
and DDR2-1600, respectively.

Third, the results also demonstrate that the amplitude of memory EMR varies with
the memory workload. In the presence of intensive workload, the amplitudes of
all energy peaks escalate significantly compared with the standby state. Yet the
workload does not affect the locations of the frequency peaks, which
corroborates the analysis in Eqn. (1).

Fourth, we further measure the correlation between scene change and the memory
EMR. We find a strong causal relationship between the stimulus of camera scene
changes and the responsive EMR pattern. When scene changes are intentionally
stimulated by turning a light on and off, the spy camera immediately produces
responsive EMR patterns as shown in Figure 4.
3 Threat Model
The attacker’s goal is to surreptitiously record the video of
privacy-sensitive environments with pre-deployed hidden spy
cameras described in Figure 1. As a detector, ESauron tries
to detect and quickly pinpoint the above hidden spy cameras.
Figure 5: The architecture of ESauron, consisting of four major modules: Sensing
of memory EMR, Separating and tracking per-device’s EMRs, Stimulus-based spy
camera detection, and Pinpointing of spy cameras. [Diagram: on the ESauron
platform, raw signals pass through Detecting Memory EMR (harmonic extraction,
folding and denoising), Distinguishing and Tracking Per-Device (EMR separation,
per-device tracking), Spy Camera Detection (stimulus, probing and analysis,
causal analysis) and Pinpointing Spy Camera (RSS trends in 3D, orientation in
3-D space, iterative approximation, searching process).]
3.1 Attack Model
We make the following assumptions about the attackers.
Concealment and deployment of the cameras. The at-
tackers are able to hide the camera anywhere in the private
space. For the sake of coverage, the attacker can install any
number of spy cameras of the same or different brands.
Type of spy camera. The attackers can use different forms of spy cameras.
Depending on how the real-time video captures are transferred, the spy camera
can be wired or wireless to a remote receiver, or store its captures in offline
on-board memory. Moreover, we place no restrictions on the appearance and the
manufacturer of the spy camera. In addition, the attacker may hack an innocuous
camera (e.g., webcam or home security camera) used by the victim, and convert it
into a spy cam.
Limited manipulation of camera hardware. We assume
the attackers use consumer-grade cameras. They can change
the camera configurations but are unable to modify the bot-
tom memory system.
3.2 Capability of the Detection System
Equipment composition. The RF capturing device can cap-
ture the signal whose frequency band matches with that of the
EMR signal of the spy cameras. A typical detection system
of ESauron shall consist of the following devices: 1) broad-
band antenna that can capture the EMR signal, 2) software
defined radio (SDR) that can down-convert and digitize the
signal, 3) a plug-in miniature strobe light to bring continuous
stimulus to trigger traceable and stable memory EMRs, and
4) PCs that can analyze the characteristics of EMR spectrum
and run detection and localization algorithms.
Usage pattern of ESauron. The ESauron system can be
carried by a user anywhere in a given privacy-sensitive room.
To achieve a better detection performance, a user can request
the other people at the scene to keep still or leave temporarily.
Environment. In a scene of privacy-sensitive environ-
ments, such as hotel, office and conference room, there
will inevitably be various other electronic devices, especially
some legal or authorized camera devices, which will also gen-
erate EMR and interfere with the detection. However, as a
detector, the system should know the characteristics of the
above-mentioned devices’ EMRs to mitigate such interfer-
ence and boost detection efficiency.
Detection range limitation. ESauron’s detection capability is highly dependent
on the strength of the emitted EMR signals. A memory can be wrapped by a perfect
electromagnetic shielding cage to prevent EMR leakage. ESauron’s detection range
depends on how well established the electromagnetic shielding is (see Sec.
5.3.2).
4 ESauron Design
In this section, we present the detailed design of ESauron.
4.1 ESauron Overview
As depicted in Figure 5, ESauron consists of four major
modules within its workflow: (i) Detecting memory EMR:
ESauron employs a folding algorithm that leverages the
unique spectrum characteristics of memory EMR to accu-
rately capture EMR signals with high sensitivity; (ii) Dis-
tinguishing and tracking per-device’s EMRs: ESauron then
separates the memory EMRs of different devices, and tracks
the EMR pattern of each potential spy camera based on their
memory clock fingerprints; (iii) Stimulus-based spy camera
detection: By intentionally inducing scene changes, ESauron
excavates the causal relationship between the stimulation and
responsive EMR pattern to assert the existence of a spy cam-
era; (iv) Pinpointing of spy cameras: ESauron leverages both
the sensitivity to scene changes and distance-relevant prop-
erties of memory EMR to quickly pinpoint the spy cameras’
locations.
Figure 6: The spectrogram of original and denoised harmonic components. [Plot:
normalized power versus frequency (MHz), 799.6 to 800.1 MHz, for SNR 9 dB and
SNR 20 dB.]

Figure 7: Folding-based memory EMRs extraction.

Figure 8: Folding-based memory EMRs detection range. [Plot: distance (m), 0 to
40, toward East, South, West and North for DDR2 and DDR3.]
4.2 Detecting Memory EMR
We first present ESauron’s EMR sensing module, which con-
sists of folding-based memory EMR extraction and wavelet-
based denoising.
4.2.1 Augmenting the strength of weak EMR signals
Recall that the memory EMR spectrum consists of a series of evenly separated
harmonic components, of which the $i$-th harmonic component is located at the
frequency of $f_0 \pm i \cdot f_m$. Based on this observation, we utilize the
folding algorithm (see details in Appendix B), which is generally used for
amplifying periodic astronomical signals, to search for possible peak frequency
offset $f_m$ to extract the harmonic components, and put all extracted EMR
harmonic components with the same $f_m$ into the same group.
To make the process computationally efficient, instead of performing a full
spectrum scan, we investigated the typical center clock frequencies
($f_0 \in G_{f_0}$) among the available DDR memory products in the market, and
identified and checked the intervals between the visible harmonic components
of each $f_0$ in the spectrum as the possible candidates, referred to as
$G_{f_0}^{f_m}$. In the execution phase, ESauron iteratively selects a specific
$f_0$ from $G_{f_0}$, and then scans the frequencies around $f_0$. Suppose $R$
represents the series of $N$ frequency samples in the memory EMR spectrum, and
$R[i]$ ($i \in [0, N]$) is the amplitude of the $i$-th sample. Folding is
employed to search for and aggregate the energy from the EMR signals emitted
from the same device, i.e., signals consisting of harmonic components separated
by the same frequency sample offset, i.e., a possible candidate of
$G_{f_0}^{f_m}$, denoted as $f_m^c$. To search for potential EMR harmonic
components, the spectrum is first divided into small windows of samples with
size $f_m^c$ and then added in a window-wise fashion [25]:

$$P_{f_m^c}[i] = \sum_{j=0}^{\lceil N / f_m^c \rceil - 1} R[i + j \cdot f_m^c], \quad 0 \le i < f_m^c. \qquad (2)$$

Through this folding mechanism, the energies of those harmonic components
separated by $f_m^c$ can be accumulated while the fused noise is likely smaller
due to their non-periodicity in the frequency domain. The position of the
folding peak, i.e., the $i$ that maximizes $\|P_T[i]\|$, depends on the offset
of the memory’s center clock frequency, i.e., $\Delta f_0$. For the application
scenarios of ESauron, the actual $f_m^c$ of potential spy cameras is unknown. So
ESauron folds every possible $f_m^c$ in $G_{f_0}^{f_m}$ to search for each
harmonic component in the memory EMR spectrum. Even if some harmonic components
may be completely overwhelmed by noise, ESauron still deduces the potential
location of the harmonic component by Eqn. (1). In this way, ESauron can
accurately extract all potential harmonic components sourcing from memory EMRs
for follow-up processing. Those harmonic components with the same $f_m$ are
grouped into a set $G_{f_m}$. Note that these harmonic components could still
originate from different devices with the same memory model. We will explain how
to separate them in Sec. 4.3.
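The folding search of Eqn. (2) as runnable Python, added here as an illustration and not taken from the ESauron implementation. The spectrum is constructed: the 10 Hz bins, single-bin harmonics, first harmonic at bin 1234 and the 30 kHz decoy candidate are assumptions, while the 31.25 kHz and 31.16 kHz candidates are the $f_m$ values quoted in Section 2.4.

```python
import math
import random

BIN_HZ = 10          # assumed resolution of the constructed spectrum (Hz per bin)
N_BINS = 100_000     # 1 MHz span around f_0, matching the ~1 MHz spread on the page


def synth_spectrum(spacing_hz, first_bin, peak_amp, seed=7):
    """Constructed magnitude spectrum R: half-normal noise plus weak harmonics."""
    rng = random.Random(seed)
    spec = [abs(rng.gauss(0.0, 1.0)) for _ in range(N_BINS)]
    for b in range(first_bin, N_BINS, spacing_hz // BIN_HZ):
        spec[b] += peak_amp          # one harmonic every f_m, as in Eqn. (1)
    return spec


def fold(spec, period_bins):
    """Eqn. (2): P[i] = sum over j of R[i + j*period], for 0 <= i < period."""
    folded = [0.0] * period_bins
    for idx, amp in enumerate(spec):
        folded[idx % period_bins] += amp
    return folded


def peak_score(folded):
    """Return (z-score of the strongest folded bin, index of that bin)."""
    n = len(folded)
    mean = sum(folded) / n
    std = math.sqrt(sum((v - mean) ** 2 for v in folded) / n)
    best = max(range(n), key=folded.__getitem__)
    return (folded[best] - mean) / std, best


def search_spacing(spec, candidates_hz):
    """Fold once per candidate f_m; keep the candidate with the sharpest peak."""
    results = {fm: peak_score(fold(spec, fm // BIN_HZ)) for fm in candidates_hz}
    best_fm = max(results, key=lambda fm: results[fm][0])
    return best_fm, results


def harmonic_bins(offset_bin, spacing_hz):
    """Predict every harmonic position from the folded peak, even buried ones."""
    return list(range(offset_bin, N_BINS, spacing_hz // BIN_HZ))


def threshold_false_hits(spec, level, true_bins):
    """Bins a plain energy threshold would flag that are not harmonics."""
    truth = set(true_bins)
    return sum(1 for i, v in enumerate(spec) if v >= level and i not in truth)


# Candidate f_m values: 31.25 kHz and 31.16 kHz are the two quoted on the page;
# 30 kHz is a constructed decoy.
CANDIDATES_HZ = (31_250, 31_160, 30_000)

if __name__ == "__main__":
    spectrum = synth_spectrum(31_250, first_bin=1234, peak_amp=2.0)
    fm, scores = search_spacing(spectrum, CANDIDATES_HZ)
    for cand, (z, off) in scores.items():
        print(f"f_m candidate {cand} Hz: peak z-score {z:.1f} at folded bin {off}")
    bins = harmonic_bins(scores[fm][1], fm)
    print("selected f_m:", fm, "Hz;", len(bins), "harmonics predicted")
    print("false hits of a 2.8 threshold:", threshold_false_hits(spectrum, 2.8, bins))
```

Only the correct spacing stacks all harmonics into one folded bin; a wrong candidate smears them across many bins, so its folded profile stays at noise level, while a plain per-bin threshold low enough to catch the harmonics also flags many noise bins.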
4.2.2 Wavelet based denoising
Even after the folding process, residual noise exists within the extracted
harmonic components in $G_{f_m}$. The noise could come from various sources such
as nearby electric devices and the camera’s intrinsic noise. We employ wavelet
denoising [26] to eliminate this residual noise. The signal can be decomposed
into detail coefficients ($a_k$) reflecting high-frequency information and
approximate coefficients ($b_k$) reflecting low-frequency information through
multi-layer wavelets. Through this multi-resolution decomposition, the peak
frequency of memory EMRs and noise usually have different expressions at
different layers of $a_k$ and $b_k$. Finally, a level-dependent reconstruction
is employed using all the coefficients as:

$$x_n = \sum_{k \in \mathbb{Z}} a_k^{(J)} \bar{g}^{(J)}_{n - 2^J k} + \sum_{l=1}^{J} \sum_{k \in \mathbb{Z}} b_k^{(l)} \bar{h}^{(l)}_{n - 2^l k}$$

where $\bar{g}$ and $\bar{h}$ are rescaled discrete orthogonal functions. The
spectrogram of a typical EMR harmonic component before and after the processing
stage is shown in Figure 6, where the SNR is improved substantially, from 9 dB
to 20 dB. The wavelet-based noise reduction is actually achieved by additional
processing such as thresholding or filtering the coefficients of the wavelet
decomposition. By setting coefficients below certain amplitude thresholds to
zero, under the assumption that they manifest noise, the crucial denoising is
realized. Appropriate threshold selection is key to balancing signal distortion
against noise removal.

Figure 9: The device-specific static and dynamic traits. (a) $f_m$ is only
significant across different devices; (b) $f_0$ differs even across the
identical devices; (c) $f_0$ is randomly distributed between 0 and 30 kHz; (d)
Each camera device has a unique clock drift pattern; and (e) Fluctuation of
harmonic components’ (HC) drift pattern among two spy cameras (SP). [Panel
titles: (a) Invariant $f_m$; (b) $\Delta f_0$; (c) CDF of $\Delta f_0$; (d)
Clock drift; (e) Fluctuation trend of HCs, plotting $f_0$ (kHz) versus time (s)
for HC 1 and HC 2 from Camera 1 and Camera 2, with a region marked "Frequency
aliasing".]
To validate the effectiveness, we deploy different kinds
of devices configured with a known DDR memory and then
use both the folding algorithm and wavelet processing to ex-
tract the affiliated EMR harmonic components. As shown in
Figure 7, compared with the energy threshold-based detec-
tion method, the folding algorithm can improve the detection
rate from 79% to 99%, which means ESauron almost never
misses any harmonic components. On the other hand, the
false detection rate (i.e., mistaking other harmonic compo-
nents for the target memory EMR) is decreased from 60%
to around 5%. The residual error can be further reduced us-
ing the static/dynamic traits unique to each device (Sec. 4.3).
Besides, the harmonic component energy after denoising can
also significantly increase the SNR of received EMR and im-
prove sensing distance. As illustrated in Figure 8, for both
the DDR2-1600 and DDR3-1700, which are the most widely
used memory models by spy cameras according to our inves-
tigation, the detection range can be up to 30 meters.
4.3 Distinguishing Per-Device’s EMRs
ESauron further leverages both static and dynamic device-specific traits to
differentiate different devices’ EMRs in each group of EMR harmonic components
(i.e., $G_{f_m}$).
4.3.1 Device-specific EMR traits
Static traits: center clock frequency offset. For the static traits, the offset
of $f_m$ is invariable for the same devices, whereas it is sufficiently diverse
across different devices as shown in Figure 9(a), which should be attributed to
the different modulation frequencies of their clock generators. In comparison,
due to the imperfect manufacturing process, there exists an intrinsic center
clock frequency offset $\Delta f_0$ between DDR memory products even with the
same model, as shown in Figure 9(b).

To examine whether the static $\Delta f_0$ is sufficiently diverse, we select an
arbitrary pair of identical DDR memory products, denoted as $D_i$ and $D_j$. Due
to the similar $f_m$, the separability of their EMR features depends only on
$\Delta f_0$. If $\Delta f_0$ is too small, the two devices’ harmonic components
will overlap in frequency. We observe that the bandwidth of all harmonic
components is within 300 Hz, which is consistent with previous research [15] and
significantly smaller than $\Delta f_0$, which is randomly distributed between 0
and 20 kHz as shown in Figure 9(c). This implies that the static traits of the
memory EMR spectrum are device specific and can be exploited to identify and
distinguish different devices. However, due to the randomness of the memory’s
center frequency $f_0$, when $\Delta f_0$ is no larger than the bandwidth of
harmonic components, the static traits alone cannot effectively separate the
coexisting devices.

Figure 10: Fluctuation of the correlation coefficient of each harmonic
component. [Plot: coefficient (0 to 1) versus time (s) for HC1-SP1, HC2-SP1,
HC1-SP2 and HC2-SP2.]

Figure 11: Causality analysis on stimulus-triggered EMR pattern changes with
t-test. [Plot: stimuli score (0 to 1) versus time (s), 0 to 7 s, with the
stimulation instants marked.]
Dynamic traits: time-varying clock drift patterns. For the
dynamic traits, due to the uncontrollable heating effect inside
memory caused by read/write operations [27, 28], the memory clock
$f_0$ experiences continuous change in amplitude and phase in the
time domain, as illustrated in Figure 9(d), leading to a
time-varying $f_0$ for a specific device. Due to the spread
spectrum clocking, all affiliated harmonic components $V_{ssc}(t)$
on a device originate from the same clock source $V_{clk}(t)$,
hence producing the same fluctuation trend for $f_0$. Figure 9(e)
plots the traces of frequency drift of two devices with the same
DDR memory. We observe completely different fluctuations, implying
that even when two devices have identical static traits, namely
($f_0$, $f_m$, $\Delta f_0$), their EMR harmonic components can
still be effectively separated by exploiting the dynamic traits.
The highly diverse EMR patterns present device-specific traits for
discriminating multiple potential spy cameras.
Figure 12: Distance-relevant RSS after Kalman filtering. (Axes:
Distance (m) vs. RSS (dBm); series: Removal of outliers, Original
EMR RSS.)
Figure 13: User-centered 3-dimensional reference system. (Axes:
X (Left-right), Y (Front-back), Z (Up-down); origin: O (Neck).)
Figure 14: Example on the principle of mapping EMR RSS trend in
three dimensions (left part) to an orientation vector in
user-centered 3-D reference system (middle part); Iterative process
(right part)
4.3.2 Distinguishing memory EMRs
We design an iterative process to leverage the above
device-specific static and dynamic traits, to separate devices
whose EMR harmonic components are clustered in the same group
$G_{f_m}$. We first sort all harmonic components in $G_{f_m}$ by
center frequencies, i.e.,
$G_{f_m} = \{sc^{0}_{f_m}, sc^{1}_{f_m}, \cdots, sc^{n}_{f_m}\}$,
where $sc^{i}_{f_m}$ denotes the i-th harmonic component in the
group. We select a harmonic component with the highest peak (caused
by a device that has the strongest memory EMR) in $G_{f_m}$, and
also select all the affiliated harmonic components with the
frequency offset $i \cdot f_m$, where i is an integer. Then we
remove all the affiliated harmonic components from $G_{f_m}$ and
move them to a temporary subgroup $G_{f_m}$. Due to the spread
spectrum clocking, the frequency drift of the same device’s
harmonic components must follow the same fluctuation trends. If
these harmonic components in $G_{f_m}$ are produced by the same
device, they experience consistent fluctuations in the time domain,
such as the harmonic component 1 and harmonic component 2 of
device 1 in Figure 9(e).
Thus, to quantify the consistency of all harmonic components in
$G_{f_m}$, we further calculate the correlation coefficient $R_c$
of the consecutive samples of each harmonic component in the time
domain. Although auto-correlations can effectively quantify the
instantaneous match across harmonics at any given time, it is
important to highlight that they are unable to measure the
similarities in the long-term frequency drifting behavior of these
harmonic bands. Thus we then employ Dynamic Time Warping (DTW) [29]
to measure the similarity between the trends of $R_c$ of different
harmonic components in $G_{f_m}$. Those harmonic components having
similar trends in the time domain, as illustrated in Figure 10, can
be exactly identified as the affiliated harmonic components
belonging to the same device. If so, ESauron names the device as
Bob and moves all the affiliated harmonic components in $G_{f_m}$
to a device group $G_{f_m}$(Bob). The above procedure is executed
in a loop until the highest folding peak meets a predefined
threshold. In this way, ESauron can separate all devices that are
equipped with a DDR memory, which may include potential spy
cameras.
In practice, due to the dynamic traits, the static traits ($f_0$,
$f_m$, $\Delta f_0$) will be shifted over time. Hence, ESauron has
to monitor the separated devices in real time and leverage the
limited frequency drift in a short period to keep track of each
device’s harmonic components in the time domain. It is worth noting
that although the dynamic traits can also bring about frequency
aliasing between the harmonic components of different devices, as
illustrated in Figure 9(e), possibly mistaking the device track, it
would not affect the follow-up spy camera detection and pinpointing
as long as they can be separated.
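The separation loop of Section 4.3.2 as an added Python example (not the authors' Matlab code): it peels devices off one harmonic group by strongest peak, offset $i \cdot f_m$, and DTW over each component's $R_c$ trend. The windowed definition of $R_c$, every threshold, the reading of the stop rule as a peak floor, and the sample components (two devices only 200 Hz apart, so static traits alone cannot split them) are assumptions constructed for illustration.

```python
import math

def pearson(a, b):
    """Pearson correlation of two equal-length windows (0.0 if either is flat)."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va > 0 and vb > 0 else 0.0

def rc_trend(track, win):
    """R_c series: correlation of each window of drift samples with the next
    window (an assumed reading of 'consecutive samples')."""
    wins = [track[i:i + win] for i in range(0, len(track) - win + 1, win)]
    return [pearson(wins[k], wins[k + 1]) for k in range(len(wins) - 1)]

def dtw(a, b):
    """Dynamic time warping distance with |x - y| as the local cost."""
    inf = float("inf")
    d = [[inf] * (len(b) + 1) for _ in range(len(a) + 1)]
    d[0][0] = 0.0
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = abs(a[i - 1] - b[j - 1])
            d[i][j] = cost + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[len(a)][len(b)]

def separate(components, f_m, bw=300.0, win=4, dtw_max=0.5, peak_min=-90.0):
    """Peel devices off one harmonic group, strongest peak first.
    Each component: {'name', 'freq' (Hz), 'peak' (dBm), 'track' (Hz drift)}."""
    pool = sorted(components, key=lambda c: c["freq"])
    devices = []
    while pool:
        ref = max(pool, key=lambda c: c["peak"])
        if ref["peak"] < peak_min:      # assumed stop rule: nothing strong left
            break
        ref_trend = rc_trend(ref["track"], win)
        group = []
        for c in pool:
            off = c["freq"] - ref["freq"]
            # temporary subgroup: components sitting at an offset of ~ i * f_m
            on_grid = abs(off - round(off / f_m) * f_m) <= bw
            # dynamic trait: same clock source means same R_c trend
            if on_grid and dtw(ref_trend, rc_trend(c["track"], win)) <= dtw_max:
                group.append(c["name"])
        devices.append(group)
        pool = [c for c in pool if c["name"] not in group]
    return devices

def ramp(slopes, win=4):
    """Constructed drift track: `win` samples of linear drift per slope."""
    out, v = [], 0.0
    for s in slopes:
        for _ in range(win):
            out.append(v)
            v += s
    return out

# Constructed sample: two devices with the same f_m and a 200 Hz offset
# (below the 300 Hz bandwidth), plus one weak stray component.
F_M = 30_000
DEV1 = ramp([5, 5, -5, -5, 5, 5, -5, -5])
DEV2 = ramp([3, -3, -3, -3, -3, 3, 3, 3])
SAMPLE = [
    {"name": "dev1_h0", "freq": 800_000_000, "peak": -60.0, "track": DEV1},
    {"name": "dev1_h1", "freq": 800_030_000, "peak": -66.0, "track": DEV1},
    {"name": "dev2_h0", "freq": 800_000_200, "peak": -70.0, "track": DEV2},
    {"name": "dev2_h1", "freq": 800_030_200, "peak": -73.0, "track": DEV2},
    {"name": "stray", "freq": 800_015_000, "peak": -95.0, "track": [0.0] * 32},
]

if __name__ == "__main__":
    for n, names in enumerate(separate(SAMPLE, F_M), 1):
        print(f"device {n}: {names}")
```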
4.4 Stimulus-based Spy Camera Detection
Note that the sudden change of light intensity can lead to sig-
nificant scene change for a working camera, which in turn
triggers a surge in camera memory access and processing to
encode new visuals. In contrast, the activity of non-camera
devices is independent of the change of light intensity. By in-
tentionally inducing scene changes via turning on/off light,
ESauron can excavate the causal relationship between the
stimulation and responsive EMR pattern to assert the exis-
tence of spy cameras. Once the affiliated EMR harmonic
components of device D are identified, we adopt a stimula-
tion method to assert whether D is a spy camera.
Stimulation strategy. In the stimulation stage, we inten-
tionally turn the room light on and off to create global scene
changes, which can suddenly aggravate memory workload
and hence trigger responsive EMR patterns from the cameras.
Then, ESauron senses and extracts the affiliated EMR har-
monic components of device D, and tracks the EMR pattern
changes in response to the stimulus.
ESauron uses a t-test [30] to analyze the causal relationship
between the intentional stimulus and the responsive memory EMR
pattern. Specifically, ESauron first samples the EMRs and
calculates the variance of the memory EMR pattern over a time
window to determine whether it is in a steady state. If so, ESauron
instructs the user to start the lights on/off stimulation. Then,
ESauron adopts the t-test to perform causality analysis between the
pre- and post-stimulus EMR patterns. A t-test takes the mean µ,
variance s, and the number of samples N of the two compared sets
(i.e., the sets of samples captured during pre- and post-stimulus),
and then computes a t-score. Here the t-score represents the degree
of difference between the two sets of samples. A large positive
t-score is evidence that the mean of the samples in post-stimulus
is significantly larger than that in pre-stimulus.
Existence assertion. Once the t-score is calculated, cou-
pled with the sample size, the degree of the difference (re-
ferred to as “Stimulation score”) is normalized and deter-
mined by referring to the t-test distribution table [30]. Fig-
ure 11 shows the traces of intentional stimulus and stimu-
lation score when probing the EMR signal of a spy cam-
era. Even though normal video processing brings misleading
stimulation scores, they are much lower compared with the
case of intentional stimulation.
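The existence check of Section 4.4 as an added Python example (not the authors' code): a steady-state gate on the pre-stimulus window, a t-score from the mean, variance and sample count of the two windows, and a 0-to-1 stimulation score. Welch's form of the t-test, the score taken as the one-sided Student-t CDF, both thresholds, and the sample amplitudes are assumptions constructed for illustration.

```python
import math

def mean_var(xs):
    """Sample mean and unbiased variance."""
    m = sum(xs) / len(xs)
    return m, sum((x - m) ** 2 for x in xs) / (len(xs) - 1)

def welch_t(pre, post):
    """t-score and degrees of freedom for 'post mean > pre mean'."""
    (m1, v1), (m2, v2) = mean_var(pre), mean_var(post)
    a, b = v1 / len(pre), v2 / len(post)
    if a + b == 0:
        raise ValueError("flat captures: no variance to test against")
    t = (m2 - m1) / math.sqrt(a + b)
    dof = (a + b) ** 2 / (a * a / (len(pre) - 1) + b * b / (len(post) - 1))
    return t, dof

def t_cdf(t, dof, steps=2000):
    """Student-t CDF by Simpson integration of the density from 0 to |t|."""
    logc = (math.lgamma((dof + 1) / 2) - math.lgamma(dof / 2)
            - 0.5 * math.log(dof * math.pi))

    def pdf(x):
        return math.exp(logc - (dof + 1) / 2 * math.log1p(x * x / dof))

    h = abs(t) / steps
    s = pdf(0.0) + pdf(abs(t))
    s += sum((4 if k % 2 else 2) * pdf(k * h) for k in range(1, steps))
    half = min(0.5, s * h / 3)
    return 0.5 + half if t >= 0 else 0.5 - half

def stimulation_score(pre, post, max_var=0.01):
    """(t, score) for one light on/off round, or None when the pre-stimulus
    window is not steady and the round has to be repeated."""
    if mean_var(pre)[1] > max_var:
        return None
    t, dof = welch_t(pre, post)
    return t, t_cdf(t, dof)

def responds_to_stimulus(pre, post, min_score=0.99):
    """True when the post-stimulus EMR level rose with high confidence."""
    result = stimulation_score(pre, post)
    return result is not None and result[1] >= min_score

# Constructed EMR amplitudes (arbitrary units), 20 samples per window.
PRE = [1.0 + 0.05 * math.sin(i) for i in range(20)]
CAMERA_POST = [1.6 + 0.05 * math.sin(i) for i in range(20, 40)]   # surge
OTHER_POST = [1.0 + 0.05 * math.sin(i) for i in range(20, 40)]    # no change
UNSTEADY_PRE = [1.0 + 0.5 * (-1) ** i for i in range(20)]

if __name__ == "__main__":
    for label, post in (("camera", CAMERA_POST), ("other device", OTHER_POST)):
        t, score = stimulation_score(PRE, post)
        print(f"{label}: t={t:.2f} score={score:.3f} "
              f"camera={responds_to_stimulus(PRE, post)}")
```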
4.5 Pinpointing Spy Camera’s Location
After determining the existence of a spy camera D, we further
leverage both the sensitivity to scene changes and distance-
relevant properties of the memory EMR to quickly pinpoint
the spy camera’s location.
Unearthing distance-relevant information. ESauron
leverages the relative change of RSS along the receiver’s tra-
jectory to guide it approximately towards the EMR source,
i.e., the camera. To this end, ESauron equips a plug-in minia-
ture strobe light [31] on the receiver, to produce continuous
stimulus and trigger traceable EMRs. Although the RSS of
EMR from cameras situated indoors does not strictly adhere
to the Friis free space path loss model given the rich multipath
propagation, the general trend of RSS decrease over distance
is invariant. So ESauron employs a simple Kalman filter to
average out the multipath effect. We move ESauron away from
the spy camera. From Figure 12, we observe that although there
are several solid or weak points in the middle, the RSS after
filtering continues to decline.
Orientation in 3-D space. We introduce a simple process
to track the EMR RSS tendency along different directions,
and then determine the orientation of spy camera relative to
the ESauron receiver/user. Specifically, for each orientation,
we construct a 3-D reference coordinate with the center of the
user’s neck as the origin, as illustrated in Figure 13. The hori-
zontally extended left and right arms are respectively marked
as the negative and positive x-axis; and accordingly the y and
z axes can be defined.
Then, the user needs to move the receiver along each axis.
ESauron can analyze the EMR RSS tendency accordingly, as
illustrated in the left part of Figure 14, where we normalize the
RSS and the distance changes in one arm length. ESauron then
selects the maximum RSS values along each direction, denoted as
($RSS^{x}_{max}$, $RSS^{y}_{max}$, $RSS^{z}_{max}$). ESauron
leverages the EMR RSS tendency in different directions to generate
an overall direction of spy camera in 3-D coordinate system
relative to the ESauron user, as illustrated in the middle part of
Figure 14.
Iterative-approximation process. The user iterates the
above process of moving towards the RSS-maximizing direc-
tion, until the RSS reaches its maximum value, i.e., the user
is closest to the camera. It is worth noting that this iterative-
approximation process has great tolerance against the devia-
tion from the optimal searching path, because the deviation
does not accumulate over search steps, and the trend of RSS
drop over distance remains unchanged. By holding ESauron
in an apartment room where a spy camera was installed in a
corner of the roof, ESauron can identify the RSS-maximizing
direction at any location of the room. The right side of Fig-
ure 14 shows the iterative process to move towards the spy
camera.
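The positioning steps of Section 4.5 as an added Python example (not the authors' code): a 1-D Kalman filter over an RSS trace, a per-axis sweep that returns where the RSS peaks within one arm length, and the iterative approximation toward a simulated source. The outlier gate, the filter constants, the log-distance RSS model, the use of the peak offsets as the step vector, and all sample values are assumptions constructed for illustration.

```python
import math

def kalman_rss(trace, q=0.05, r=1.0, gate=3.0):
    """Constant-state 1-D Kalman filter over an RSS trace (dBm). A sample more
    than `gate` dB from the current estimate is skipped as a multipath outlier
    (assumed rule; q, r and gate are illustrative)."""
    x, p, out = trace[0], 1.0, [trace[0]]
    for z in trace[1:]:
        p += q                      # predict: RSS modelled as slowly varying
        if abs(z - x) <= gate:      # update only with plausible samples
            k = p / (p + r)
            x += k * (z - x)
            p *= 1.0 - k
        out.append(x)
    return out

def rss_at(pos, src):
    """Assumed log-distance model of the EMR source, floored at 5 cm."""
    return -10.0 - 20.0 * math.log10(max(math.dist(pos, src), 0.05))

def orientation(pos, measure, arm=0.7, steps=7):
    """Sweep the receiver one arm length each way along x, y and z and return,
    per axis, the offset in metres at which the RSS is highest."""
    vec = []
    for axis in range(3):
        best_t, best = 0.0, -math.inf
        for i in range(-steps, steps + 1):
            t = arm * i / steps
            probe = list(pos)
            probe[axis] += t
            v = measure(probe)
            if v > best:
                best_t, best = t, v
        vec.append(best_t)
    return vec

def locate(start, measure, arm=0.7, max_rounds=50):
    """Iterative approximation: step to the RSS-maximising offsets until the
    RSS already peaks at the current position on every axis."""
    pos, path = list(start), [tuple(start)]
    for _ in range(max_rounds):
        vec = orientation(pos, measure, arm)
        if all(abs(c) < 1e-9 for c in vec):
            break
        pos = [p + c for p, c in zip(pos, vec)]
        path.append(tuple(pos))
    return pos, path

# Constructed walk-away trace: RSS drops 0.3 dB per sample, two 5 dB outliers.
WALK_AWAY = [-8.0 - 0.3 * k for k in range(15)]
WALK_AWAY[4] += 5.0
WALK_AWAY[10] -= 5.0
# Constructed source position (metres) in the user-centred frame.
SOURCE = (3.0, 2.0, 1.5)

if __name__ == "__main__":
    print([round(v, 2) for v in kalman_rss(WALK_AWAY)])
    final, path = locate((0.0, 0.0, 0.0), lambda p: rss_at(p, SOURCE))
    print(len(path) - 1, "moves, residual",
          round(math.dist(final, SOURCE), 3), "m")
```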
Figure 15: The prototype of ESauron. (Labels: Laptop PC, USRP
B210, Log-periodic antenna, Strobe light.)
Figure 16: Some cameras used in our experiments. (Label: SoC with
Built-in DRAM.)
Figure 17: Snapshot of the four typical privacy-sensitive
environments. (Panels: Hotel, Conf, Office, Bath.)
Figure 18: Four extreme scenarios. (Labels: Camera Lens, Camera
SoC behind wall, One-way mirror, Spying outside the window,
Concrete wall, Computer room.)
5 Evaluation Results
5.1 Experimental Setup
Figure 15 shows the prototype platform of ESauron, com-
posed of a laptop PC equipped with a plug-in miniature strobe
light and a USRP B210 with a log-periodic antenna LP0965
(850 MHz-6.5 GHz, 5-6dBi, Size: 15*14cm). The USRP
B210 is controlled by using Matlab in the laptop PC, which
implements the signal processing mechanisms that constitute
ESauron.
Testing cameras. We evaluated ESauron on 50 cam-
eras of 10 typical brands on the market of both the US and
China, as shown in Figure 16 and Table 1. All the cameras
use H.264/H.265 codecs which are the most popular codecs
used by spy cameras. Those cameras can be divided into 4
categories, including 13 miniature spy cameras, 10 surveil-
lance cameras, 17 IP webcam in laptop/smartphone, and 10
home security cameras.
Testing scenarios. We experiment with ESauron in 4 typical
privacy-sensitive environments (Hotel, Bathroom, Office and
Conference room) as illustrated in Figure 17. The dimensions of the
rooms are: Hotel (5 × 6 m²), Bathroom (2 × 3 m²), Office
(3 × 4 m²), and Conference room (10 × 12 m²). For each environment,
we hide the cameras inside furniture or appliances (e.g., a
wardrobe or a bedside table) to imitate practical attack scenarios.
In addition, we set up 4 extreme scenarios (Computer room with
severe memory EMR interference, spying outside the window, spying
with one-way mirror, and camera SoC behind concrete wall by camera
re-factoring) that could possibly happen, as illustrated in
Figure 18.
Figure 19: The detection rate and FNR of ESauron in a single
stimulus round. (Axes: Hotel, Bath, Office, Conf vs. Percentage
(%); series: Single-Camera, Multi-Camera, FPR of Single, FPR of
Multi.)
Figure 20: The single-camera detection rate of ESauron in the
multiple stimulus rounds. (Axes: Stimulus Round vs. Detection Rate
(%); series: Hotel, Bath, Office, Conf.)
Figure 21: The multi-camera detection rate of ESauron in the
multiple stimulus rounds. (Axes: Stimulus Round vs. Detection Rate
(%); series: Hotel, Bath, Office, Conf.)
Figure 22: The false positive rate of ESauron in the multiple
stimulus rounds. (Axes: Stimulus Round vs. False Positive (%);
series: Hotel, Bath, Office, Conf.)
Note that in all these experiment scenarios, spy cameras may
coexist with other electronic devices, such as voice assistants,
smart projectors, desktop computers, etc., that can produce memory
EMRs to interfere with the ESauron detector. Also, we know the
models of legal or authorized camera equipment in the environment.
To ensure objectivity, we conduct a double-blind experimental
procedure, which involves an attacker team for hiding spy cameras
and an isolated defender team (the co-authors of this paper) for
detecting the hidden cameras. Specifically, the defender team
operated the ESauron prototype system from an isolated room with no
information on the number, models or locations of the hidden
cameras.
Comparing ESauron with Existing Work. We consider
EarFisher [15] and CamRadar [18] to compare our work in
terms of robustness: EarFisher relies on the network to ac-
tively import data volumes to stimulate devices to gener-
ate electromagnetic leakage. CamRadar detects spy cameras
through electromagnetic leakage from ADCs.
Performance metrics. To evaluate the performance of
ESauron, we use the following metrics:
Detection rate. The ratio of the number of detected spy
cameras to the total number of actually deployed spy
cameras.
False positive rate (FPR). The ratio of the number of de-
vices that ESauron falsely regarded as spy cameras to
the total number of devices that were detected as spy
cameras.
False negative rate (FNR). The ratio of the number of
actual spy cameras whose presence ESauron failed to detect
to the total number of actually deployed spy cameras.
Positioning distance efficiency (PDE). The ratio of
the Euclidean distance between the initial location of
ESauron and the spy camera to the total length of the
walking route for finding the spy camera.
5.2 Spy Camera Detection Performance
We first deploy a single camera at eight fixed corners respec-
tively at the room’s top and middle wall, and calculate the av-
erage detection rate for all deployment locations. Figure 19
shows that, with a single stimulus (i.e., turn on and off the
light once), the detection rate ranges from 62% to 78% across
different room types. The detection rate tends to be higher in
darker scenes. This is mainly because the stimulus signifi-
cantly changes the scene, and accordingly the spy cam mem-
ory switches from the standby state to the high-load state,
making the EMR signals more prominent.
Figure 20 further shows the detection rate of ESauron after
the multiple stimuli. The interval between each stimulation
is not less than 1 second. We observe that the detection rate
improves quickly with the number of stimuli, e.g., from 78%
to over 99.7% after 3 successive stimuli in the bathroom. Al-
though the detection rate in the conference room is the worst,
it increases rapidly to 97.7% after 3 stimuli.
Since there may be other electronic equipment in the environment,
the FPR performance is also essential. Figure 22 shows the FPR for
all room types. The offices and conference rooms have the highest
FPR because they have the largest number of electronic devices
nearby. After the second round of stimulation, the FPR quickly
dropped below 0.6% for all room types. After 3 rounds of
stimulation, the FPR dropped to 0.
Figure 23: The upper limit of the number of ESauron separation
devices. (Axes: Num of Device vs. Accuracy (%); series: ESauron,
EarFisher.)
Figure 24: The time cost of the ESauron in separating the cameras.
(Axes: Separate Time (s) vs. Accuracy (%); series: 5, 10, 15.)
5.3 Robustness Analysis
5.3.1 Multi-camera detection accuracy
We also conduct a quantitative study to evaluate the maximum
number of spy cameras that ESauron can successfully detect. Note
that the detection of spy cameras consists of two steps, i.e.,
separating and classifying the harmonic components of different
devices and then asserting whether they are spy cameras, and the
former is decisive to the detection. Thus we first emulate a
scenario where there are multiple devices equipped with the same
DDR memory in a computer room with 30 personal computers (PCs). By
starting different numbers of PCs, we evaluate how many devices can
be successfully identified by separating and classifying their EMR
harmonic components. Figure 23 shows that, when the number of
devices increases to 30, the separation accuracy of ESauron remains
at 90%, while the separation accuracy of EarFisher is only 56%.
Because EarFisher does not consider the aliasing of harmonic
components from different devices at all, the separation capability
of EarFisher is limited to around 15. It is worth noting that in
practical applications, the number of devices that ESauron can
accurately separate is much larger than 15, because most devices in
a deployment location usually use different DDR memory products,
producing EMRs with different center frequencies, such as
DDR2-1600’s 800 MHz and DDR3-1700’s 850 MHz. ESauron can easily
separate these devices by channel hopping.
The time cost for successfully separating multiple devices is
also critical to ESauron’s performance on spy camera detection. We
define the time from the collection of the first EMR signals to the
successful separation of all devices’ harmonic components as
“Separating time”. Figure 24 shows that when there are no more than
15 devices, ESauron can successfully separate 99% of harmonic
components within 3 seconds.
On that basis, we set 15 cameras at the same time to differ-
ent locations in each of the deployment locations, and evalu-
ate the average detection rate. Figure 19 shows that the multi-
camera detection rate is similar to that of single-camera de-
tection under a single stimulus. Figure 21 shows after only
4 stimuli in all deployment locations, all the deployed spy
cameras (100%) can be successfully detected.
Figure 25: Impact of aluminum sheet’s coverage on detection
distance. (Axes: The degree of aluminum wrapping vs. Distance (m);
series: DDR2, DDR3.)
Figure 26: Influence of varying hiding conditions on detection
distance. (Axes: Layers vs. Distance (m); series: Carton, Window,
One-way mirror, Concrete wall.)
5.3.2 Detection distance
We define the detection distance as the maximum distance at which
ESauron can detect the camera over several rounds of stimulation.
Considering the many methods an adversary may employ to prevent spy
cameras from being spotted, we evaluate the EMR detection distance
in several extreme situations. First, we emulate a scenario where
the adversary packages the camera body to prevent EMR leakage. We
cover the spy camera housing with an aluminum sheet, and gradually
increase the coverage by changing the size of the sheet. The
aluminum sheet in our experiments comes from the casing of a Coke
can. Figure 25 shows the effect on the EMR detection distance. We
observe that when the coverage is less than 50%, the detection
distance decreases, and the variance increases. This is because the
aluminum sheet reduces electromagnetic radiation in some directions
while strengthening radiation in other directions. When the
coverage is increased to 95%, the detection distance decreases
significantly but remains above 2 meters. Note that 100% metal
coverage is impossible since the lens area has to be exposed.
The spy camera can also be hidden and retrofitted in a va-
riety of ways. For example, it can be hidden in a carton box.
Spy cameras can also be deployed outside windows to mon-
itor rooms. The processing unit can be decoupled from the
lens unit (linked by a cable), and hidden inside a concrete
wall to shield the EMR signals. In a bathroom, the camera
can even be deployed behind a one-way mirror.
We evaluate the effects of cartons, outside windows, one-
way mirrors, and concrete walls on the detection distance,
respectively. Figure 26 shows that the carton (around 5 mm
thick) does not affect the detection distance. As the number
of layers of the windows (5 mm thick each) and the one-way
mirror (12 mm thick each) increases, the detection distance
decreases slightly. A concrete wall (25 cm thick) has the most
significant impact on the detection distance, and can reduce
the detection distance to 14 m. A double-layer concrete wall
further reduces the distance to 6 m. Three layers of concrete
walls can effectively mask the EMR signals.
Table 2: Detection distance (m).
Shell Type    ESauron    CamRadar
Plastic       30.6       0.7
Metal         11.2       0.2
Comparison with CamRadar. We have also conducted
an evaluation of the detection distance for both ESauron and
CamRadar using the same experimental setup. The detection
distances for ESauron and CamRadar are listed in Table 2.
Specifically, we consider two scenarios where the opponent
encapsulates the camera body to prevent electromagnetic ra-
diation (EMR) leakage, using either a plastic case or a metal
case. In the case of a plastic housing, ESauron achieves a
detection distance of 30.6m, while CamRadar only achieves
a detection distance of 0.7m. When the housing is made of
metal, ESauron has a detection distance of 11.2m, whereas
CamRadar only reaches 0.2m.
It is important to note that CamRadar relies on detecting
electromagnetic interference from analog-to-digital convert-
ers (ADCs) in cameras to identify hidden cameras. This limi-
tation restricts CamRadar’s detection range to less than 1 me-
ter, as ADC emissions tend to be relatively weak. In contrast,
our proposed solution focuses on capturing memory EMR
from real-time encoding workloads, which exhibit signifi-
cantly stronger emissions. This enables ESauron to achieve
detection ranges beyond 10 meters in most cases.
Figure 27: Detection performance under different light levels.
(Axes: Light Level (Lux) vs. Percentage (%); series: One stimuli,
Two stimuli, Three stimuli.)
Figure 28: False negative rate in different conditions. (Axes:
Stimulus Round vs. FNR (%); series: Moving Objects, Auto turning
Lens, Outside Window.)
5.3.3 Impact of lighting conditions
We test ESauron at different times of the day with different
ambient light intensities, which are measured using a smartphone
light sensor. Figure 27 shows the detection performance of ESauron
at 5 ambient light levels. As the intensity of ambient light
increases, the detection rate of ESauron decreases from 76% to 65%
under a single stimulus. This is because strong ambient light can
weaken the spy camera’s sensitivity to the intentional stimulus of
turning the room light on/off. Even so, increasing the number of
stimulus rounds can compensate for the impact of lighting
conditions. Results show that even with a light intensity of
200 Lux, the detection rate can be up to 98% after three rounds of
stimulation.
5.3.4 False negative rate
When an intentional stimulus cannot trigger an obvious responsive
memory EMR pattern, it can cause false negatives, measured by the
false negative rate (FNR). In our experiments, we observe that
three extreme situations can bring false negative detection:
(1) existing moving objects within the spy camera’s monitoring
view; (2) refactoring an automatic fine tuning mode for the camera
lens by the adversary; and (3) a spy camera deployed outside a
glass window that can be affected by the outdoor situation. Under
these extreme situations, the spy camera’s memory activities can
coincidentally occur at the same time as EMR sensing, bringing
non-causal EMR patterns and leading to false negative results. By
emulating the three scenarios, we repeat ESauron’s spy camera
detection mechanism more than 100 times under each scenario.
Figure 28 shows the FNR of ESauron after different rounds of
stimulus. All three extreme situations have high FNR (more than
40%) because of the non-causal EMR patterns caused by other
irrelevant activities. Even so, due to the picture estimation of
advanced coding techniques, ESauron remains robust to these extreme
situations after multiple stimulus rounds. As shown, after only 5
rounds of stimulus, the FNR is close to 0. The results demonstrate
that ESauron has good robustness even in extreme situations. As the
number of stimulus rounds increases, ESauron can reliably detect
spy cameras.
5.4 Camera Location Inference Accuracy
We conducted localization experiments in the above 4 repre-
sentative environments. In the hotel room, spy cameras are
placed in five fixed locations: the upper left/corners of the
wall, the headboard, the bedside table, and the opposite side
of the bed. In the office and conference room, spy cameras
are installed in the following locations: two sockets, on top
of curtains, in the upper left/right corners of walls. In the
bathroom, the cameras are hidden in the lampshades and the
upper left/right corners of the walls. We tested 13 spy cam-
eras in 10 trials for each situation. Positioning is determined
to be successful when there is a spy camera within 0.5 me-
ters of ESauron’s final estimated location. For each trial, we
calculate the localization time and the positioning distance
efficiency for different rooms.
Figure 29: Localization time in different environments. (Axes:
Hotel, Bath, Office, Conf vs. Localization Time (s).)
Figure 30: Positioning distance efficiency. (Axes: Hotel, Bath,
Office, Conf vs. Distance Efficiency (%).)
We successfully positioned the spy camera in all trials. From the
results in Figure 29, we found that the bathroom has the shortest
localization time, and the positioning task can be completed in as
little as 4.1 seconds. But due to multipath, it takes 16.7 seconds
in the slowest bathroom case. In the conference room (the largest),
ESauron still completes the task in 32.3 seconds. From Figure 30,
we observe that the distance efficiency of the conference room is
as high as 95.3%. In larger room types, ESauron is more efficient.
In all room types, the efficiency of ESauron exceeds 79.7%.
6 Related Work
Detecting cameras by identifying light reflection and EMI. Prior
research has shown that, by illuminating a suspicious place with a
laser or flashlight, hidden cameras can be pinpointed based on the
tiny glint of the lens [32]. Similarly, a ToF sensor can reveal the
location of the lens [33], since the lens causes a sharp increase
in ToF along the depth direction. These approaches assume that the
users are aware of the approximate location of the cameras and can
shed light towards the lens, which may not be easily satisfied in
practice. Besides, these methods are cumbersome to use and require
significant user involvement. Alternatively, [34] employs a
smartphone’s magnetometer to sense the changes in electromotive
force, and then infer the existence of spy cameras. However, all
electronic devices can cause a change in electromotive force. Thus
to search out a spy camera, the user must scrutinize the entire
private space, which requires a meticulous scanning process with no
guarantee that the detected electronic device is a spy camera.
Traffic analysis for wireless-connected cameras. Infor-
mation leakage from wireless cameras has been investigated
in prior research [35, 36, 13, 37, 14]. It is well established
that scene variations (e.g., sharp change in lighting condi-
tions) may modulate the video codec workload and hence
the data traffic from a wireless camera. Exploiting such phe-
nomenon, [12] further pinpoints the camera location. While
these techniques are promising, they only work for wireless
cameras, whereas a significant number of hidden cameras are
either wired or store data to a local memory card. The key
difference is that ESauron can accurately detect both wireless
and wired spy cameras by leveraging the leakage of memory
EMR signals and can quickly pinpoint cameras’ locations.
EM side-channels. Recent research also leveraged the
EM side channels of ADC, CPU and memory for attestation
[38, 18], memory profiling [39, 15], and malware detection
[40, 41, 42, 17]. Among them, EarFisher [15], Memscope
[16], DeHiREC [17] and CamRadar [18] are the most relevant
to ESauron. EarFisher and Memscope explored the possibil-
ity of exploiting memory EMR to detect wireless eavesdrop-
pers, opening up new possibility of detecting stealthy elec-
tronic device with leaked EMR signals. Based on EarFisher,
DeHiREC and CamRadar respectively leveraged the EMRs
sourcing from the ADC to detect voice recorder and spy cam-
era.
Although Memscope observed the negative impact of the dynamic
traits (frequency drift) of memory EMRs, rather than harnessing
this feature to enhance continuous tracking, it bypasses the
dynamic traits by only leveraging the stable harmonic peak interval
to identify memory devices. Because they ignore the critical
dynamic traits of memory EMRs in camera devices, existing works are
ineffective in distinguishing and continuously tracking the
time-varying EMRs from even a single device, not to mention common
scenarios deployed with multiple cameras probably of the same
model. Moreover, because the power of the ADC is much lower than
the power of the memory, CamRadar and DeHiREC’s detection range is
limited to within 1 meter; thus a user has to carry CamRadar and
scrutinize the entire private space, requiring a slow and laborious
sweep, which brings an insurmountable hurdle for device
identification and localization when spy devices are deployed in
high places. Due to the lack of thorough characterization of memory
EMR from camera devices, the inability to continuously
differentiate devices of the same model, and the lack of EMR-based
positioning capability, existing works are still far from effective
hidden camera detection in real scenarios.
Unlike these methods, ESauron features a new paradigm that
actively stimulates the memory EMR of hidden cameras and pinpoints
their locations. Moreover, based on the memory clock spectrum,
ESauron innovates a signal processing chain to not only extract
weak memory EMRs under poor signal conditions, but also distinguish
and track individual memory EMRs when multiple devices coexist in a
crowded environment.
Device Localization. Wireless indoor localization has
been well explored in the past decade. Early work used signal
strength fingerprinting or model-driven methods [43, 44, 45].
Angle of Arrival (AoA)[46, 47] or Time of Flight (ToF) [48]
can further improve the spatial resolution. They require so-
phisticated receiver hardware or explicit synchronization with
the transmitter. In comparison, ESauron adopts a received
signal strength (RSS) based iterative-approximation search
algorithm to heuristically direct the receiver towards the spy
camera. Due to their relatively low frequency, the EMRs are
less vulnerable to multipath and shadowing effects. On this
basis, ESauron can continuously trigger the stimulus while
the receiver moves towards the locations with an increasing
RSS, until it approaches the spy camera.
7 Discussions
ESauron’s detection range is up to 20 meters, which applies to
the majority of scenarios and outperforms the COTS camera
detection methods, such as LAPD [33] (0.45-1.5 m), E-Eye [37]
(0.2 m), and CamRadar [18] (1 m). This significant advantage is
mainly attributed to ESauron’s unique techniques tailored for
camera memory EMR, including the harmonic folding algorithm
to extract weak EMR signals and the device fingerprinting
to separate mixed EMRs. These innovations address the
limitations of previous works that fail to consider memory
EMR’s critical traits.
Limitations. ESauron still has certain limitations: i) Stimulus
restriction. ESauron relies on active stimulation, which
may not always be feasible, especially when the user has no
control over the target environment. ii) Inapplicable to
detecting emissions from cameras in some smartphones. The
latest smartphones employ low-power DDR techniques [49][50]
and integrate Faraday cages internally to mitigate
electromagnetic radiation (EMR) leakage [51]. The combination of the
two measures significantly increases the difficulty of detecting
smartphone cameras’ memory EMRs with the current ESauron
prototype. Building on ESauron, we will further study the
characteristics of smartphone cameras and try to detect their
activities in the future. iii) Detection object limitation. Many
low-power IoT devices do not use DRAM, hence detecting
such IoT devices is beyond the capability of
ESauron. iv) Deficiency in portability. As a prototype
system, ESauron requires dedicated sensing hardware and is not
easy to carry. Miniaturizing ESauron, for example by hosting
the system on a Raspberry Pi (PiSDR) in place of the laptop
and using a customized low-cost USRP (RTLSDR) in place of
the B210 for cost reduction, remains a work in progress.
v) Antenna limitations. The log-periodic antenna has some
directionality, which could cause
false negatives when the radiation direction is not aligned
with the antenna orientation. When using ESauron to detect spy
cameras, we can mitigate such errors by turning the antenna
to cover the full 360 degrees. Furthermore,
cameras emit EMR in complex electromagnetic patterns, not
just in a single direction. Therefore, even if the main lobe is
misaligned, other side lobes can still be captured.
Addressing these limitations would further enhance
ESauron’s applicability. On the whole, ESauron represents
an important step towards protecting personal privacy against
hidden spy cameras. The proposed techniques open up new
capabilities to detect cameras in a generalized manner. The
results clearly demonstrate the feasibility of exploiting in-
evitable memory EMR leakage for spy camera detection,
which was not shown before.
Note that, compared with a log-periodic antenna, a Yagi
antenna is smaller. Based on our study of the spectral
characteristics of cameras’ memory EMRs in this work, we
plan to miniaturize the ESauron system in future work.
We are likely to use a customized Yagi antenna in the
miniaturized system to replace the log-periodic antenna.
Potential problem of ESauron. While our system,
ESauron, aims to empower users to detect hidden recording
devices, we acknowledge that its detection capabilities could
inadvertently result in privacy violations if misused. In fact,
ESauron could potentially introduce a new privacy attack vec-
tor, as hackers could exploit it to infer users’ activity routines
within private locations.
8 Conclusion
Privacy protection in indoor environments has been an
important but unsolved problem. In this paper we propose
ESauron, which uses leaked memory EMRs to detect spy
cameras and pinpoint their locations. We implemented and
evaluated ESauron under various representative indoor
scenarios, which demonstrate ESauron’s effectiveness and
robustness. We consider ESauron a first exploration toward
detecting and pinpointing all kinds of hidden spy cameras, including
wireless/wire-connected and storage-based off-line devices.
Acknowledgments
We appreciate the shepherd’s efforts and all the anony-
mous reviewers’ insightful and constructive suggestions.
This work was partially supported by National Key
Research and Development Program of China under
grant No. 2023YFB3001805, the NSFC under grants
No. 62372166, No. 62072167, No. 62232007, No. 62202150,
and No. U20A20181, Hunan Provincial Natural Science
Foundation of China under grant No. 2023JJ30164, Excel-
lent Youth Fund, and Fundamental Research Funds for the
Central Universities.
References
[1] Time. Australian police charge tourist over spycam case
at a bondi beach hostel, 2019.
[2] Nypost. Does your hotel or airbnb come with a hidden
camera?, 2022.
[3] Ksat. Investigators uncover more than 2,100 images in
growing hill country hidden camera case, 2022.
[4] Airbnb. Survey: Do airbnb guests trust their hosts?,
2019.
[5] Wizcase. Risk: Is this your webcam? you’re being
watched, 2019.
[6] CBC. We hired ethical hackers to hack a family’s smart
home here’s how it turned out, 2018.
[7] Consumerreports. How to protect yourself from camera
and microphone hacking, 2019.
[8] Stanislaw Piasecki, Lachlan Urquhart, and Derek
McAuley. Defence against the dark artefacts: Smart
home cybercrimes and cybersecurity standards. Com-
put. Law Secur. Rev., 42:105542, 2021.
[9] Sriram Sami, Sean Rui Xiang Tan, Bangjie Sun, and Jun
Han. Lapd: Hidden spy camera detection using smart-
phone time-of-flight sensors. In Proceedings of the 19th
ACM Conference on Embedded Networked Sensor Sys-
tems, SenSys ’21, page 288–301, New York, NY, USA,
2021. ACM.
[10] Akash Deep Singh, Luis Garcia, Joseph Noor, and
Mani B. Srivastava. I always feel like somebody’s sens-
ing me! A framework to detect, identify, and localize
clandestine wireless sensors. In 30th USENIX Security
Symposium, USENIX Security, pages 1829–1846, Vir-
tual Event, 2021. USENIX Association.
[11] Yushi Cheng, Xiaoyu Ji, Tianyang Lu, and Wenyuan
Xu. Dewicam: Detecting hidden wireless cameras via
smartphones. In Proceedings of the 2018 on Asia Con-
ference on Computer and Communications Security,
ASIACCS ’18, page 1–13, New York, NY, USA, 2018.
ACM.
[12] Yan He, Qiuye He, Song Fang, and Yao Liu. Mo-
tioncompass: Pinpointing wireless camera via motion-
activated traffic. In Proceedings of the 19th Annual
International Conference on Mobile Systems, Applica-
tions, and Services, MobiSys ’21, page 215–227, New
York, NY, USA, 2021. ACM.
[13] Tian Liu, Ziyu Liu, Jun Huang, Rui Tan, and Zhen
Tan. Detecting wireless spy cameras via stimulating
and probing. In Proceedings of the 16th Annual Inter-
national Conference on Mobile Systems, Applications,
and Services, MobiSys ’18, page 243–255, New York,
NY, USA, 2018. ACM.
[14] Rahul Anand Sharma, Elahe Soltanaghaei, Anthony
Rowe, and Vyas Sekar. Lumos: Identifying and localiz-
ing diverse hidden iot devices in an unfamiliar environ-
ment. In 31st USENIX Security Symposium, USENIX
Security 2022, Boston, MA, USA, August 10-12, 2022,
pages 1095–1112. USENIX Association, 2022.
[15] Cheng Shen and Jun Huang. Earfisher: Detecting wire-
less eavesdroppers by stimulating and sensing memory
EMR. In 18th USENIX Symposium on Networked Sys-
tems Design and Implementation, NSDI 2021, April 12-
14, 2021, pages 873–886. USENIX Association, 2021.
[16] Cheng Shen, Jun Huang, Guangyu Sun, and Jingshu
Chen. Electromagnetic fingerprinting of memory heart-
beats: System and applications. 6(3), sep 2022.
[17] Ruochen Zhou, Xiaoyu Ji, Chen Yan, Yi-Chao Chen,
Chaohao Li, and Wenyuan Xu. Dehirec: Detecting hid-
den voice recorders via adc electromagnetic radiation.
In 2023 IEEE Symposium on Security and Privacy, SP
’23, pages 658–673, San Francisco, CA, USA, 2023.
IEEE.
[18] Ziwei Liu, Feng Lin, Chao Wang, Yijie Shen, Zhongjie
Ba, Li Lu, Wenyao Xu, and Kui Ren. Camradar: Hidden
camera detection leveraging amplitude-modulated sen-
sor images embedded in electromagnetic emanations.
Proceedings of the ACM on Interactive, Mobile, Wear-
able and Ubiquitous Technologies, 6(4):1–25, 2023.
[19] AMD. Develop with amd, 2018.
[20] James Clerk Maxwell. A treatise on electricity and mag-
netism, volume 1. Clarendon press, 1873.
[21] Robert Callan, Alenka Zajić, and Milos Prvulovic. Fase:
Finding amplitude-modulated side-channel emanations.
In Proceedings of the 42nd Annual International Sym-
posium on Computer Architecture, ISCA ’15, page
592–603, New York, NY, USA, 2015. ACM.
[22] Takayuki Daimon, Hiroshi Sadamura, Takayuki Shin-
dou, Haruo Kobayashi, Masashi Kono, Takao Myono,
Tatsuya Suzuki, Shuhei Kawai, and Takashi Iijima.
Spread-spectrum clocking in switching regulators for
EMI reduction. IEICE Trans. Fundam. Electron. Com-
mun. Comput. Sci., 86-A(2):381–386, 2003.
[23] Cornelis D. Hoekstra. Frequency modulation of sys-
tem clocks for emi reduction. Hewlett-Packard Journal,
48(4):101–101, 1997.
[24] Boualem Boashash. Time-frequency signal analysis and
processing: A comprehensive reference. Signal Pro-
cessing, 2003.
[25] David H. Staelin. Fast folding algorithm for detec-
tion of periodic pulse trains. Proceedings of the IEEE,
57(4):724–725, 1969.
[26] Quan Pan, Lei Zhang, Guanzhong Dai, and Hongcai
Zhang. Two denoising methods by wavelet transform.
IEEE Trans. Signal Process., 47(12):3401–3406, 1999.
[27] Jun-Young Park, Dae-Hwan Yun, Seong-Yeon Kim, and
Yang-Kyu Choi. Suppression of self-heating effects in
3-d v-nand flash memory using a plugged pillar-shaped
heat sink. IEEE Electron Device Letters, 40(2):212–
215, 2019.
[28] Kentaro Nishimori, Keizo Cho, Yasushi Takatori, and
Toshikazu Hori. Automatic calibration method using
transmitting signals of an adaptive array for tdd sys-
tems. IEEE Transactions on Vehicular Technology,
50(6):1636–1640, 2001.
[29] Donald J. Berndt and James Clifford. Using dynamic
time warping to find patterns in time series. In Knowl-
edge Discovery in Databases: Papers from the 1994
AAAI Workshop, pages 359–370, Seattle, Washington,
USA, 1994. AAAI Press.
[30] Sws Gosset. The probable error of a mean. Biometrika,
6(1):1–25, 1908.
[31] Shilin Zhu, Chi Zhang, and Xinyu Zhang. Automat-
ing visual privacy protection using a smart led. In Pro-
ceedings of the 23rd Annual International Conference
on Mobile Computing and Networking, MobiCom ’17,
page 329–342, New York, NY, USA, 2017. ACM.
[32] LLC Logan Security Consulting. Pimall, 1993.
[33] Sriram Sami, Sean Rui Xiang Tan, Bangjie Sun, and Jun
Han. Lapd: Hidden spy camera detection using smart-
phone time-of-flight sensors. In Proceedings of the 19th
ACM Conference on Embedded Networked Sensor Sys-
tems, SenSys ’21, page 288–301, New York, NY, USA,
2021. ACM.
[34] LLC Logan Security Consulting. Spy hidden camera
detector, 2017.
[35] Christopher Wampler, A. Selcuk Uluagac, and Ra-
heem A. Beyah. Information leakage in encrypted IP
video traffic. In 2015 IEEE Global Communications
Conference, pages 1–7, San Diego, CA, USA, 2015.
IEEE.
[36] Ben Nassi, Raz Ben-Netanel, Adi Shamir, and Yuval
Elovici. Drones’ cryptanalysis - smashing cryptogra-
phy with a flicker. In 2019 IEEE Symposium on Secu-
rity and Privacy, pages 1397–1414, San Francisco, CA,
USA, 2019. IEEE.
[37] Zhengxiong Li, Zhuolin Yang, Chen Song, Changzhi Li,
Zhengyu Peng, and Wenyao Xu. E-eye: Hidden elec-
tronics recognition through mmwave nonlinear effects.
In Proceedings of the 16th ACM Conference on Em-
bedded Networked Sensor Systems, SenSys ’18, page
68–81, New York, NY, USA, 2018. ACM.
[38] Nader Sehatbakhsh, Alireza Nazari, Haider Khan,
Alenka Zajic, and Milos Prvulovic. Emma: Hard-
ware/software attestation framework for embedded sys-
tems using electromagnetic signals. In Proceedings of
the 52nd Annual IEEE/ACM International Symposium
on Microarchitecture, MICRO ’52, page 983–995, New
York, NY, USA, 2019. ACM.
[39] Nader Sehatbakhsh, Alireza Nazari, Alenka G. Zajic,
and Milos Prvulovic. Spectral profiling: Observer-
effect-free profiling by monitoring EM emanations. In
49th Annual IEEE/ACM International Symposium on
Microarchitecture, MICRO 2016, pages 59:1–59:11,
Taipei, Taiwan, 2016. IEEE Computer Society.
[40] Yi Han, Sriharsha Etigowni, Hua Liu, Saman Zonouz,
and Athina Petropulu. Watch me, but don’t touch me!
contactless control flow monitoring via electromagnetic
emanations. In Proceedings of the 2017 ACM SIGSAC
Conference on Computer and Communications Secu-
rity, CCS ’17, page 1095–1108, New York, NY, USA,
2017. ACM.
[41] Alireza Nazari, Nader Sehatbakhsh, Monjur Alam,
Alenka Zajic, and Milos Prvulovic. Eddie: Em-based
detection of deviations in program execution. In Pro-
ceedings of the 44th Annual International Symposium
on Computer Architecture, ISCA ’17, page 333–346,
New York, NY, USA, 2017. ACM.
[42] Zhenkai Zhang, Zihao Zhan, Daniel Balasubramanian,
Bo Li, Péter Völgyesi, and Xenofon D. Koutsoukos.
Leveraging EM side-channel information to detect
rowhammer attacks. In 2020 IEEE Symposium on
Security and Privacy, S&P 2020, pages 729–746, San
Francisco, CA, USA, 2020. IEEE.
[43] Rizanne Elbakly and Moustafa Youssef. A robust zero-
calibration rf-based localization system for realistic en-
vironments. In 13th Annual IEEE International Con-
ference on Sensing, Communication, and Networking,
SECON 2016, pages 1–9, London, United Kingdom,
2016. IEEE.
[44] Dian Zhang, Yunhuai Liu, Xiaonan Guo, Min Gao, and
Lionel M. Ni. On distinguishing the multiple radio paths
in rss-based ranging. In Proceedings of the IEEE IN-
FOCOM 2012, pages 2201–2209, Orlando, FL, USA,
2012. IEEE.
[45] Zhijing Li, Zhujun Xiao, Yanzi Zhu, Irene
Pattarachanyakul, Ben Y. Zhao, and Haitao Zheng.
Adversarial localization against wireless cameras. In
Proceedings of the 19th International Workshop on
Mobile Computing Systems & Applications,
HotMobile ’18, page 87–92, New York, NY, USA, 2018. ACM.
[46] Kun Qian, Chenshu Wu, Yi Zhang, Guidong Zhang,
Zheng Yang, and Yunhao Liu. Widar2.0: Passive hu-
man tracking with a single wi-fi link. In Proceedings
of the 16th Annual International Conference on Mobile
Systems, Applications, and Services, MobiSys ’18, page
350–361, New York, NY, USA, 2018. ACM.
[47] Yue Zheng, Yi Zhang, Kun Qian, Guidong Zhang, Yun-
hao Liu, Chenshu Wu, and Zheng Yang. Zero-effort
cross-domain gesture recognition with wi-fi. In Pro-
ceedings of the 17th Annual International Conference
on Mobile Systems, Applications, and Services, Mo-
biSys ’19, page 313–325, New York, NY, USA, 2019.
ACM.
[48] Daniel Halperin, Wenjun Hu, Anmol Sheth, and David
Wetherall. Predictable 802.11 packet delivery from
wireless channel measurements. In Proceedings of
the ACM SIGCOMM 2010 Conference on Applications,
Technologies, Architectures, and Protocols for
Computer Communications, pages 159–170, New Delhi,
India, 2010. ACM.
[49] JEDEC. Mobile memory: Lpddr, wide i/o, 2023.
[50] Micron. Micron and mediatek first to validate lpddr5x,
2021.
[51] Jungho Jin, Choongpyo Jeon, Byounggug Min, Heon-
sang Lim, and Jungki Kim. Effect of contact
resistance on conformal shield package for mobile
dram. In 2018 IEEE International Symposium on
Electromagnetic Compatibility and 2018 IEEE Asia-
Pacific Symposium on Electromagnetic Compatibility
(EMC/APEMC), pages 341–344, 2018.
A Frequently Used Symbols
Table 3 lists the frequently used symbols and the correspond-
ing descriptions in this paper.
Algorithm 1: ESauron’s folding scheme.
Input : $R$, $G_{f_0}$, $G^{f_m}_{f_0}$
Output: $G_{f_m}$
1 for each $f_0 \in G_{f_0}$ do
2     Initialize $P_{f^c_m}[i]$;
3     for each $f^c_m \in G^{f_m}_{f_0}$ do
4         $P_{f^c_m}[i] = \sum_{j=0}^{\lceil N/f^c_m \rceil - 1} R[i + j \cdot f^c_m]$;
5     end
6     Find the max in $P_{f^c_m}[i]$, denote it as $f_m$;
7     Put $f_m$ into set $G_{f_m}$;
8 end
9 return $G_{f_m}$;
Table 3: Symbol Description.
Symbols              Description
$V_{clk}(t)$         The EMR energy.
$V_{ssc}(t)$         The EMR energy after spread spectrum clock (SSC) techniques.
$f_0$                The center frequency of clock.
$f_m$                The modulation frequency of clock.
$\Delta f$           The peak frequency offset of clock.
$f_{nz}$             The frequency of the i-th non-zero memory EMR.
$G_{f_0}$            The set of potential memory center frequency $f_0$.
$G_{f_m}$            The set of harmonic components with the feasible $f_m$.
$R$                  The series of $N$ frequency samples.
$f^c_m$              The harmonic components separated by the same frequency samples offset.
$\|P_T[i]\|$         The position of the folding peak.
$a_k$                The detail coefficients.
$b_k$                The approximate coefficients.
$sc^i_{f_m}$         The i-th harmonic component in the group $G_{f_m}$.
$\mu$                The mean of the two compared sets.
$s$                  The variance of the two compared sets.
RSS                  The received signal strength.
B The Folding Algorithm
Algorithm 1 outlines the folding algorithm used to extract
harmonic components from the electromagnetic radiation
(EMR) spectrum. The algorithm takes three inputs: the series
of frequency samples from the captured EMR signal ($R$), the
set of potential memory center clock frequencies ($G_{f_0}$), and
the set of feasible modulation interval values ($G^{f_m}_{f_0}$) derived
from $G_{f_0}$. It produces the set of detected modulation intervals
($G_{f_m}$) that identify distinct memory emanation sources.
The algorithm proceeds by iterating through each candidate
center frequency $f_0$ from the set $G_{f_0}$ (Line 1). For each
assumed $f_0$, it attempts to fold the EMR spectrum $R$ using
different modulation interval values $f^c_m$ from the associated
set $G^{f_m}_{f_0}$ (Line 3). The folding operation involves summing
the amplitude samples within windows of width $f^c_m$ (Line 4),
thereby aggregating harmonic components separated by that
interval. The modulation interval $f_m$ resulting in the maximum
folded amplitude peak is selected as the preferred value
for a detected device (Line 6). Subsequently, $f_m$ is added to
the output set $G_{f_m}$ for further analysis (Line 7). Once all
potential $f_0$ values have been scanned, the algorithm returns
the final set $G_{f_m}$ containing the extracted modulation intervals
(Line 9).
Through iterative folding of the EMR spectrum using feasible
intervals based on memory clock models, the algorithm
proves efficient in extracting harmonic patterns from multiple
devices even at low signal-to-noise ratios. The resulting set
$G_{f_m}$ forms the basis for distinguishing and tracking individual
memory EMR sources.
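The folding scheme of Algorithm 1 rendered in Python and run on a constructed spectrum whose harmonic lines are comparable in amplitude to the noise; this is an added illustration, not the authors' implementation. The synthetic spectrum, the 512-bin band taken around each candidate $f_0$, the median noise-floor subtraction and all function names are assumptions, and frequencies are expressed in spectrum bins.

```python
import math
import random
from statistics import median

def fold(R, c):
    """Algorithm 1, line 4: P_c[i] = sum_j R[i + j*c], j = 0 .. ceil(N/c) - 1."""
    N = len(R)
    P = [0.0] * c
    for i in range(c):
        for j in range(math.ceil(N / c)):
            k = i + j * c
            if k < N:              # the last fold may run past the end of R
                P[i] += R[k]
    return P

def detect_fm(spectrum, centers, feasible, half_window=256):
    """For each candidate f_0, keep the interval whose folded peak is largest."""
    found = {}
    for f0 in centers:                                # line 1
        lo = max(0, f0 - half_window)
        band = spectrum[lo:f0 + half_window]          # assumption: fold a band around f_0
        floor = median(band)                          # assumption: remove the noise floor so
        R = [x - floor for x in band]                 # short intervals are not favoured
        best_c, best_peak = None, -math.inf
        for c in feasible[f0]:                        # line 3
            peak = max(fold(R, c))                    # lines 4 and 6
            if peak > best_peak:
                best_c, best_peak = c, peak
        found[f0] = best_c                            # line 7
    return found                                      # line 9

def synthetic_spectrum(n_bins, devices, line_amp=0.9, seed=7):
    """Constructed test input: uniform noise plus lines at f0 + k*fm per device."""
    rng = random.Random(seed)
    spec = [rng.random() for _ in range(n_bins)]      # noise amplitudes in [0, 1)
    for f0, fm in devices:
        for k in range(-8, 9):
            b = f0 + k * fm
            if 0 <= b < n_bins:
                spec[b] += line_amp
    return spec

# Constructed scenario: two emitters with different modulation intervals.
DEVICES = [(1000, 32), (3000, 45)]
FEASIBLE = {1000: range(28, 37), 3000: range(40, 51)}  # hypothetical feasible sets
SPECTRUM = synthetic_spectrum(4096, DEVICES)

if __name__ == "__main__":
    print(detect_fm(SPECTRUM, [f0 for f0, _ in DEVICES], FEASIBLE))
```

The feasible sets are kept narrow on purpose: folding at a divisor of the true interval also aligns every harmonic, so a candidate set that contained such divisors would make the maximum ambiguous.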