How to Detect Spy Tech


Teardown: How the budget K18 Bug Detector works — and how to use it

This article appeared in Make: Vol. 91. Subscribe for more maker projects and articles!

Can a budget bug detector really work? When you see a gadget selling for as low as $18 (eBay) that claims to detect hidden cameras and wireless transmission devices between 1MHz and 6.5GHz, can it really do what it says? Surprisingly, with a few caveats, the answer is … Yes!

Sold under a variety of names, this detector, which combines radio frequency (RF) detection, magnetic field detection, and hidden camera detection, is generally known as the K18. While clearly mass-produced with the cheapest possible parts, this device can successfully detect most of the commonly available wireless listening devices and hidden cameras, if used properly.

But using the K18 properly relies on understanding how the devices that it can detect work and how it tries to find them. In this article, we’ll dig into principles of operation and methods of detection to gain that understanding.

Photography by Tim Deagan

What’s inside the K18?

The K18 is an exercise in min/max design. Maximum functionality from minimal, or at least minimal-cost, parts. Under the hood, there aren’t any overly specialized components. Some basic power management, a few resistors, diodes, capacitors, a coil, some buttons, a potentiometer, some LEDs, a Li-ion battery, a speaker, and a pleasant surprise!

Before doing a teardown, I imagined that some piece of custom silicon had been developed and widely shared to handle all the various sensor and output functions. Chinese manufacturers have a way of sharing IP among themselves that Bunnie Huang has termed gongkai, a similar but not identical concept to Open Source (if you’re interested, read his writeup).

But, to my delight, the chip I found at the heart of the device took me back to my beginnings in microcontroller development in the late 1980s. Looking up at me from the circuit board was a modern revision of a 44-year-old design. My first digital love, the mighty 8051.

The MCS-51, commonly referred to as the 8051, was introduced in 1980 by Intel and has been in continuous production (with enhancements) ever since. The version in the K18, the MS51FB9AE, is produced by Nuvoton. While it sports new features like onboard I2C and SPI serial communications, PWM generation, and an analog to digital converter (ADC), the code I wrote in 1989 would still run on this lovely little workhorse.

In the end, this makes tremendous sense: a commodity 8-bit microcontroller using a few discrete parts and some software instead of expensive custom silicon to read an internal ADC, a converter for radio frequency (RF) power levels, and a simple magnetic field detector (more on that below), then light up an LED bar graph and beep a piezo speaker. Simple, robust, effective, and cost effective.

This circuit design also allows the MS51 ADC, which has a max sample rate of 500ksps (kilosamples per second) to measure the power of signals operating at 6GHz, far faster than it could convert directly. By sampling the voltage level produced by the diode circuit rather than the signal itself, the speed of the microcontroller is not a limitation.

Which bugs can (and can’t) you detect?

Unless someone is spending big dollars to use custom or expensive high-end surveillance gear, the kinds of spy tech that most people would encounter are GPS trackers, listening devices, and hidden cameras. Subsets of these are what the K18 is designed to find. If the device is attached with a magnet (such as a GPS tracker hidden in a car’s wheel well) the magnetic field sensor could be used to find it. If the device is broadcasting to a remote location, the RF detector is useful. If the device uses a retroreflective CCD sensor or lens, the hidden camera tool comes into play. However, wired devices, or devices that store audio (or video) internally without broadcasting, do not fall within the detection capabilities of the K18.

Detecting radio frequency transmissions

The K18 responds to RF emissions between 1MHz and 6.5GHz. This is a huge range of frequencies that covers everything from the top of the AM radio band through much of the 5G cellular frequencies. While the K18 can detect RF energy within its range, it can’t distinguish between different frequencies, protocols, or modulation types. In other words, it can’t tell a ham radio transceiver from a Bluetooth headset. It only determines the overall level of RF energy in much the same way that an audio decibel meter tells you the sound level, but doesn’t tell you anything about which frequencies, such as bass or treble, are producing it.

Unless you’re in a Faraday cage, the world around us is constantly awash with RF signals from everything from Wi-Fi to FM radio stations to satellite transmissions, so the K18 set to its highest sensitivity will always show RF activity. Dialing the sensitivity down, or attenuating, allows it to find peaks of RF energy. The more RF activity there is in the environment, the more attenuation is required. This in turn means you need to be closer to the emitting device to find it, since the inverse-square law (see note 1) makes the energy level of the signal stronger at short range.

The technique used by the K18 is RF peak power detection, using a diode to convert the power level of the RF signal into a voltage level that the MS51 reads with its ADC. Any undesirable low-frequency components of the signal, e.g. 60Hz from power lines, are filtered out with a low-pass inductor filter. That output is sent through a Schottky diode that cuts out all the negative parts of the wave, aka rectification. A resistor-capacitor (RC) smoothing filter then converts that set of resulting positive pulses into a clean DC voltage level by charging the capacitor during the positive peaks so that it discharges during the null sections and evens out the signal.
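The peak-detection chain described above, and the reason a 500ksps ADC can keep up with a gigahertz signal, as an added simulation (not code from the article or the K18 firmware). The 2.4GHz test carrier, the 1µs RC time constant, the ideal diode, and the amplitude step are assumptions chosen for illustration.

```python
import math

CARRIER_HZ = 2.4e9      # assumed test carrier inside the 1MHz-6.5GHz range
ADC_RATE_HZ = 500e3     # MS51 ADC maximum sample rate quoted in the article
RC_SECONDS = 1e-6       # assumed smoothing time constant, not measured
STEPS_PER_CYCLE = 8     # simulation time steps per carrier cycle


def amplitude(t):
    """Constructed input: a weak carrier, then a strong one after 5 us."""
    return 0.2 if t < 5e-6 else 1.0


def simulate(duration=10e-6):
    """Return (direct, detected): ADC readings without and with the detector."""
    dt = 1.0 / (CARRIER_HZ * STEPS_PER_CYCLE)
    decay = math.exp(-dt / RC_SECONDS)          # capacitor discharge per step
    steps_per_sample = round(1.0 / (ADC_RATE_HZ * dt))
    v_cap = 0.0
    direct, detected = [], []
    for n in range(1, round(duration / dt) + 1):
        rf = amplitude(n * dt) * math.sin(2 * math.pi * n / STEPS_PER_CYCLE)
        rectified = max(rf, 0.0)                # ideal diode: negative half removed
        # Capacitor charges to each positive peak and sags slightly in between.
        v_cap = max(rectified, v_cap * decay)
        if n % steps_per_sample == 0:           # one ADC conversion every 2 us
            direct.append(rf)                   # sampling the raw carrier
            detected.append(v_cap)              # sampling the smoothed DC level
    return direct, detected


if __name__ == "__main__":
    direct, detected = simulate()
    for i, (raw, dc) in enumerate(zip(direct, detected), start=1):
        print(f"sample {i}: raw carrier {raw:+.3f} V, detector output {dc:.3f} V")
```

The raw samples land wherever the carrier happens to be at each conversion (here, near zero crossings) and say nothing about signal strength, while the detector output follows the step from 0.2V to 1.0V.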

Determining what kind of device is emitting RF requires much more time and more complex (and expensive) equipment, such as a spectrum analyzer (see my article “Getting Started with Software Defined Radio” in Make: Volume 84). Even then it’s a challenge, as Wi-Fi and Bluetooth devices are mixing their traffic with other devices, and many devices utilize frequency hopping, various digital encoding schemes, and even encryption. In this regard, the minimalist approach taken by the K18 is a reasonable compromise.

So what can the K18 detect using its RF sensor? Surprisingly, it covers the most common parts of the radio spectrum used by commercial wireless surveillance devices.

Detecting magnetic fields

At first glance, the magnetic sensor on the K18 may appear pretty useless. But it actually serves an interesting role. Many devices, such as GPS trackers, don’t broadcast RF, they only receive signals from satellites. They serve as data loggers, storing the information on-device, and are physically retrieved rather than remotely accessed. An RF detector is useless for finding them. These devices are often hidden on the chassis of vehicles to track their drivers and include a magnetic base for easy mounting and removal.

There are three generally used methods for sensing a magnetic field. Hall effect sensors change voltage in the presence of a magnetic field. Magnetoresistive sensors change resistance. But the simplest and cheapest method is a reed switch.

When looking at low-cost commodity gadgets like the K18, it’s generally a safe bet that they’re using the cheapest tech available. For magnetic field detection, this is definitely the case. The sensor at the end of the K18 gooseneck is a reed switch — two very closely positioned thin metal leaves that bend and touch each other when a magnetic field is very close.

K18 gooseneck sensor, and the reed switch inside

I found that the sensor had to be within 1 inch of a 10cm neodymium magnet to detect it. There is no sensitivity adjustment, the leaves of the switch are either touching or they aren’t. A small LED on the end of the gooseneck lights when a field is detected. As an extremely scientific test to verify that the sensor is a reed switch, I whacked the end of the gooseneck soundly (on the theory that a brief mechanical insult would bounce the leaves of the switch together) and saw a brief flash of the LED.

Detecting retroreflection

A retroreflector is a device that reflects radiation directly back at the source, regardless of the angle at which the radiation, such as light, hits it. Even folks with no interest in optical geometry have generally seen a cat’s eye shine with an eerie glow when reflecting car headlights or a flashlight. This is because the back of the spherical feline eye has a (retro)reflective layer of tissue called the tapetum lucidum. The world’s greatest amateur scientist, Forrest M. Mims III, wrote an excellent article in Make: Volume 35 on making your own retroreflectors.

Retroreflection: Regardless of the angle the light enters,
it is reflected back in the same direction.

The K18 has a ring of red LEDs surrounding a viewport with a red light filter. Any red light viewed through the port has a higher contrast than normal, making it easier to spot. By observing through the ring of LEDs it’s easier to stay in line with the light reflected directly back at the LEDs, helping you see retroreflectors — such as common digital camera sensors.

Using the K18 anti-spy detector

RF detection

To begin using the K18, attach the straight wideband “rubber duck” antenna to the SMA connector. This is the gold-colored threaded extension labeled ANT. The unit may require charging; if so, use the provided charger to top it off before going further.

Power up the K18 by turning the top knob, starting it up in RF detection mode. Full clockwise provides maximum sensitivity, lighting up the entire bar graph and eliciting a beep. This doesn’t mean you’ve detected a bug, it just means there are RF emissions around you. As noted above, unless you’re in an extremely remote place or a Faraday cage, this will almost always be the case.

Slowly turn the sensitivity knob counterclockwise until it stops beeping. Now begin the hunt! Slowly walk around the space you’re investigating, gently waving the K18 near bookshelves, vents, appliances, or any other place a bug might be hiding. If you hear a beep, something is emitting nearby. You can often determine which direction it’s in by slowly moving the K18 about.

The provided antenna is not particularly directional; it more or less receives well from all directions. However, it does receive better from the sides of the antenna than from the top or bottom. You’ll typically need to go through a repeated sequence of slightly reducing the sensitivity and narrowing your search pattern until you zero in on the device’s location.
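The back-off-and-narrow search described above, as an added simulation (not from the article). It assumes a single emitter beside a straight 10m path, a constant background level, and ideal inverse-square falloff; all positions and power values are constructed.

```python
AMBIENT = 1.0     # constructed background RF level (arbitrary units)
BUG_POWER = 0.5   # constructed emitter strength (arbitrary units at 1 m)
BUG_POS = 7.3     # hypothetical emitter position along the path, metres
STANDOFF = 0.2    # distance between the detector's path and the emitter, metres


def reading(x):
    """RF level at position x: background plus an inverse-square term."""
    d2 = (x - BUG_POS) ** 2 + STANDOFF ** 2
    return AMBIENT + BUG_POWER / d2


def sweep(lo, hi, threshold, step=0.05):
    """Walk from lo to hi and return the positions where the detector beeps."""
    n = round((hi - lo) / step)
    xs = [lo + i * step for i in range(n + 1)]
    return [x for x in xs if reading(x) > threshold]


def locate(lo=0.0, hi=10.0, max_rounds=20):
    """Repeat: sweep, shrink the search area to the beeps, reduce sensitivity."""
    threshold = reading(lo) * 1.05      # knob backed off until silent at the start
    history = []                        # (threshold, width of beeping region)
    for _ in range(max_rounds):
        hits = sweep(lo, hi, threshold)
        if not hits:
            break
        lo, hi = hits[0], hits[-1]
        history.append((round(threshold, 2), round(hi - lo, 2)))
        if hi - lo <= 0.1 + 1e-9:       # narrowed to about 10 cm
            break
        peak = max(reading(x) for x in hits)
        threshold = (threshold + peak) / 2   # turn the sensitivity down
    return (lo + hi) / 2, history


if __name__ == "__main__":
    estimate, history = locate()
    for threshold, width in history:
        print(f"threshold {threshold:6.2f} -> beeping region {width:.2f} m wide")
    print(f"estimated position: {estimate:.2f} m")
```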

Hidden camera detection

When hunting for hidden cameras, press the right-hand button on the front of the case labeled “GS.” This lights up the ring of LEDs on the back of the case. That’s really all the K18 itself will do for this task. The rest is up to the Mark I human eyeball.

Place the K18 up to your face so that one eye is looking through the central viewport. This operation works best in a dark room so that there are no other sources of reflected light. Slowly scan the area for a brighter-than-average spot of light. It’s likely to be very small given the size of modern digital camera sensors.

Cheaply available hidden cameras are small enough to be concealed in air vents, clocks, stuffed animals, fake electrical outlets, garden decorations, smoke detectors, scent dispensers, plants, picture frames, or almost anything else in an office, hotel room, or house. Not every reflection will be a camera, and it can take some practice to spot well-hidden devices.

As with all modes of the K18, slow, steady, and close are the keys to using it successfully. The broader the field of view of a hidden camera, the wider the area its sensor will retroreflect back at you. Field of view varies, so careful movement to spot the bright spot reflection (usually less than 5mm across) is needed. Cameras may also be positioned behind a plastic front, as in the clock-based camera shown here. Moving around so that the reflection of the plastic front doesn’t overwhelm the CCD reflection is helpful.

A bit of thought about what the person who hid the camera is trying to see will help narrow down the places to look. Starting your search from the most likely targets — doors, beds, etc. — is a good strategy.

Magnetic field detection

Devices like the K18 are frequently represented as effective for detecting GPS trackers. This isn’t necessarily untrue, but it’s definitely a bit of marketing hype. Granted, if the GPS tracker is broadcasting its data via cell signal, Wi-Fi, or Bluetooth, the RF detector has the potential to find it. However, many of these devices go into sleep mode when not in motion to preserve battery life. Some act only as data loggers and don’t broadcast at all.

One strategy for keeping tabs on someone’s location with a GPS tracker is to hide it in their car. Many models of GPS trackers have a builtin magnet, or offer a case with a magnet, to make discreet placement on a vehicle (and later retrieval) easy. If that’s the case, the magnetic field detector on the K18 offers a way to search for them.

After powering up the K18, press and hold the left-hand button labeled “MS.” This puts the device into magnetic field detection mode. If the gooseneck sensor isn’t attached, plug it into the three-pin aircraft connector on top and secure it with the threaded coupling. The sensor is in the middle of the bulge at the top of the gooseneck.

Since the device is a Yes/No type of detection, there is no sensitivity adjustment. Using the magnet sensor requires getting the sensor fairly close to the target. Even my 500lb-pull neodymium fishing magnet required me to be less than 3 inches away to detect it. Smaller magnets required 1 inch or less proximity. The gooseneck does make it easier to probe inside wheel wells, bumpers, etc., but slow, careful passage as close as possible is the ticket for successfully locating a magnetically mounted device with the K18.

Budget spy buster

So, is the K18 worth the price for detecting surveillance devices? Within its constraints, the answer is yes! It’s a bit of a blunt instrument, but careful usage can make up for that. There is a plethora of similarly priced devices on the market that are likely pretty close to identical under the hood, and Amazon has numerous devices at four times the price of the K18 that are unlikely to do very much more. High-end equipment in the thousands of dollars can do considerably more, but for small dollars, the potential for a bit more peace of mind is a good investment.

  1. Inverse-square law
    When devices such as radio transmitters or light bulbs emit energy, the intensity decreases as you get farther away. This decrease happens in a very predictable way known as the inverse-square law, which states that the intensity is inversely proportional to the square of the distance. “Inversely proportional” means that the bigger the distance, the lower the intensity. The “square of the distance” means the farther away you are from the source, the more area you have to cover. This can be written as:

    intensity = 1/distance²
    Image: Borb, CC BY-SA 3.0, via Wikimedia Commons

    Imagine you’re chewing bubble gum and blowing a bubble. The bigger the bubble, the thinner the wall becomes as it stretches to cover more area. Similarly, radio signals expand as they radiate from an antenna. That’s why the signal gets weaker as you get farther away — and stronger as you get closer to the source.

Tim Deagan

Tim Deagan (@TimDeagan) likes to make things. He casts, prints, screens, welds, brazes, bends, screws, glues, nails, and dreams in his Austin, Texas, shop. He's spent decades gathering tools based on the idea that one day he will come up with a project that has a special use for each and every one of them.
