> root@recon:~# exiftool -GPSLatitude -GPSLongitude -CreateDate -Model *.jpg | grep 'GPS\|Create' | head -20
Last month, we examined how a construction firm's survey drones could be attacked — their radio links intercepted, their commands injected, their flight data stolen. That article focused on the drone as a system to be compromised: the aircraft, the controller, the data pathway.
This article asks a different question. Not 'can someone attack the drone?' but 'what has the drone already collected?'
A corporate drone does not merely capture the photographs it is instructed to take. It passively accumulates data with every flight, every connection, and every minute it is powered on. GPS logs record every location it has visited. Wi-Fi probe requests and cached credentials record every network it has encountered. EXIF metadata in photographs records timestamps, coordinates, camera parameters, and device identifiers. Video footage captures not just the intended subject but everything within the camera's field of view — personnel, vehicles, security infrastructure, adjacent properties, access points, and operational patterns.
This data persists on the device long after the marketing team has extracted the photographs they wanted. It accumulates over months and years. And when an attacker gains access to the device — physically or via its network interfaces — they inherit an intelligence archive that the organisation never intended to create.
The client was a commercial property development company. They used a single consumer-grade drone — purchased by the marketing director — to capture aerial photographs and video for property brochures, planning applications, investor presentations, and social media content. The drone was operated by a member of the marketing team who held a CAA flyer ID and operator ID. It was stored in the marketing department's office when not in use.
We had been engaged to conduct a broader security assessment of the organisation. During scoping, the client mentioned the drone in passing — 'we have a drone for marketing photos, but that's not really IT, is it?' We asked to include it. They agreed, somewhat puzzled by the request.
The assessment was conducted with the drone grounded and the device physically available for examination. We did not conduct any RF testing or flight-related assessment on this engagement — the focus was entirely on the data the device had accumulated and the network services it exposed.
The drone was a popular consumer quadcopter — a model widely used for corporate photography and videography. Like most consumer drones, it exposed a Wi-Fi access point for direct connection from a mobile device or laptop. The access point activated automatically when the drone was powered on.
As we discussed in our previous UAV article, these Wi-Fi interfaces frequently use pre-shared keys derived from the device serial number or a default documented in the user manual. This device was no different.
The device contained eighteen months of accumulated data. Six thousand two hundred and fourteen photographs and video files totalling 94.7 GB. One hundred and eighty-seven flight logs. Thirty-eight panoramic composites. Firmware files. Configuration data. Cached network information. The marketing team extracted their required photographs after each shoot via the manufacturer's mobile application, but they never deleted the source files from the aircraft. The SD card — a 256 GB high-endurance model — had simply accumulated data since the drone was purchased.
Every flight the drone had ever made was recorded in the LOG directory. Each flight log contained a second-by-second record of the aircraft's GPS position, altitude, speed, heading, battery state, and control inputs. We parsed the one hundred and eighty-seven flight logs and plotted the GPS coordinates.
The flight logs mapped the complete operational footprint of the client's property development portfolio. Twenty-three unique locations, including five major development sites, the client's own office, and — because the drone pilot occasionally practised flying at home — the pilot's residential address.
For a property development company, this information is commercially sensitive. Development sites that have not yet been publicly announced. Visit frequencies that indicate project priority and timeline. The existence and location of sites under due diligence — where the company is considering acquisition but has not yet committed. A competitor with access to these flight logs would have a comprehensive map of the firm's development pipeline.
The pilot's home address, exposed through recreational flights logged on the same device used for commercial operations, represents a personal data exposure that the pilot had no awareness of.
Every photograph captured by the drone contained EXIF metadata — embedded data fields recording the conditions of capture. EXIF data is standard in digital photography, but drone photography produces particularly rich metadata because the aircraft has sensors that consumer cameras do not: a high-precision GNSS receiver, a barometric altimeter, a compass, and an inertial measurement unit.
Every photograph recorded the aircraft's precise GPS coordinates, altitude, camera angle, timestamp, speed, heading, and device serial number. Across 6,214 images, this metadata constituted a detailed spatial and temporal record of what the company had photographed, where, when, from what altitude, and looking in which direction.
We extracted and analysed the EXIF GPS data from the full image corpus.
| Intelligence Category | Data Source | What It Reveals |
|---|---|---|
| Site Locations | GPS coordinates across 6,214 images | Precise locations of every development site photographed over 18 months — including sites not yet publicly announced |
| Activity Timeline | Timestamps on images and flight logs | When each site was visited. Frequency of visits indicates project phase and priority. Gaps indicate stalled or abandoned projects. |
| Site Layouts | Nadir (straight-down) survey photographs | Detailed aerial views of site layouts, access roads, temporary structures, crane positions, material storage areas, and perimeter fencing |
| Security Posture | Oblique and perimeter photographs | CCTV camera positions, fencing type and condition, access gate locations, security cabin positions, and lighting coverage |
| Personnel and Vehicles | High-resolution images at low altitude | Identifiable individuals, vehicle registration plates, contractor livery, safety signage with company names |
| Adjacent Properties | Wide-angle and panoramic captures | Neighbouring buildings, residential properties, public areas captured incidentally in the frame |
The photographs captured far more than the marketing team intended. A photograph taken to show a development's progress also captured the positions of every CCTV camera on the perimeter fencing. A panoramic shot for an investor presentation also captured the registration plates of vehicles in an adjacent car park. A nadir photograph for a planning application also captured the security gate layout, the patrol route worn into the ground surface, and the locations where fencing had been repaired — indicating points of previous breach.
For an attacker planning a physical intrusion — theft of materials, plant equipment, or copper cabling, all of which are endemic on construction sites — this imagery is a reconnaissance package that would normally require days of physical observation to assemble.
The MISC directory on the aircraft's storage contained configuration files and cached data from the manufacturer's firmware. Within this data, we found a file that recorded the credentials of every Wi-Fi network the drone had connected to.
Seven Wi-Fi networks. The client's corporate wireless PSK. Their guest wireless PSK. Two construction site office Wi-Fi passwords. A hotel conference Wi-Fi password. A residential broadband PSK — likely the pilot's home network. And the pilot's personal iPhone hotspot password. All stored in plaintext on the aircraft's internal storage, accessible via anonymous FTP.
The corporate wireless PSK was the critical finding. The drone had been connected to the corporate Wi-Fi network — presumably for firmware updates or data transfer — and the pre-shared key had been cached on the device. An attacker who accessed the drone would obtain the corporate wireless key without ever approaching the building. Combined with the knowledge from our fourteenth article — that corporate WPA2-PSK keys are crackable but require proximity — the cached credential eliminates even the need for a car park visit.
The aircraft's internal storage contained plaintext pre-shared keys for seven Wi-Fi networks, including the client's corporate wireless network. Access to the drone — physically or via its Wi-Fi interface — would yield the corporate network PSK without requiring proximity to the office building.
The DCIM directory contained not only still photographs but 247 video files — recordings captured during flights for marketing purposes. The marketing team had extracted the clips they needed for their productions. The source footage remained on the device.
We reviewed a sample of the video footage to assess the intelligence value. The footage was captured in 4K resolution from altitudes between twenty and fifty metres. At these parameters, the imagery is remarkably detailed.
The final dimension of the assessment was the physical security of the device itself. The drone was stored in its manufacturer's carry case in the marketing department — an open-plan office area accessible to all staff and, during business hours, to visitors escorted to meeting rooms on the same floor.
The carry case was not locked. The SD card was accessible by pressing a release latch on the aircraft body — a two-second operation requiring no tools. The aircraft could be powered on and its Wi-Fi accessed without removing it from the case. There was no asset tag, no tamper seal, and no check-in/check-out procedure for the device.
An attacker with brief physical access — a visitor left unescorted for three minutes, a contractor working in the office area, an employee with malicious intent — could remove the SD card, copy its contents to a concealed device, and replace it. The operation would take less time than making a cup of tea. Nobody would know.
Alternatively, an attacker could simply steal the drone. A consumer quadcopter in a carry case is a compact, high-value item. Its disappearance might be attributed to misplacement before it was attributed to theft. And when it was discovered missing, the focus would be on the replacement cost of the hardware — not on the eighteen months of intelligence stored on its SD card.
| Step | Action | Data Obtained |
|---|---|---|
| 01 | Connected to aircraft Wi-Fi using serial-number-derived PSK | Network access to all embedded services (FTP, HTTP, RTSP) |
| 02 | Accessed 187 flight logs via anonymous FTP | GPS coordinates of 23 locations over 18 months; pilot's home address |
| 03 | Extracted EXIF metadata from 6,214 photographs | Site locations, visit timelines, camera angles, device identifiers |
| 04 | Recovered 7 cached Wi-Fi PSKs from configuration data | Corporate network PSK, site office credentials, personal networks |
| 05 | Reviewed video footage for intelligence content | Security infrastructure, identifiable individuals, vehicle plates, site layouts |
| 06 | Assessed physical security of device storage | SD card extractable in 2 seconds; no physical security controls |
The distinction between this article and last month's is important. Last month, we examined drones as targets for active attack — radio interception, command injection, flight control compromise. This month, we examined a drone that nobody attacked at all. The intelligence it contained was a consequence of normal, legitimate use over eighteen months.
The drone was not compromised. It was not misconfigured beyond the manufacturer's defaults. It was operated correctly, for its intended purpose, by a trained pilot. And yet it accumulated a dataset that — in the hands of a competitor, a criminal planning site theft, or an adversary targeting the organisation — constituted a comprehensive reconnaissance package.
The most impactful immediate action is establishing a post-flight wipe procedure. After every flight, the required imagery and logs should be transferred to a secure corporate system — an encrypted workstation, a controlled file share, or the BIM platform — and the SD card should be wiped. The drone should never be a long-term data store. It should be a transient capture device that is empty when it is not in active use.
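One way to script the transfer-then-wipe step, as an added example that is not part of the original article or the client's tooling: each file is copied off the card, the copy is hash-verified, and only then is the source deleted. The function names, paths and sample file names are assumptions; the walk covers the whole card, so the LOG and MISC directories are cleared along with DCIM.

```python
import hashlib
import shutil
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so multi-gigabyte video does not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def offload_and_clear(card: Path, archive: Path) -> dict:
    """Copy each file to the archive; delete the source only if hashes match."""
    result = {"moved": [], "failed": []}
    for src in sorted(p for p in card.rglob("*") if p.is_file()):
        rel = src.relative_to(card)
        dst = archive / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_of(src) == sha256_of(dst):
            src.unlink()
            result["moved"].append(rel.as_posix())
        else:
            result["failed"].append(rel.as_posix())  # source stays on the card
    return result


def leftover_files(card: Path) -> list:
    """Post-flight check: anything listed here is still sitting on the card."""
    return sorted(p.relative_to(card).as_posix() for p in card.rglob("*") if p.is_file())


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in for a card
        card, archive = Path(tmp, "card"), Path(tmp, "archive")
        for name in ("DCIM/IMG_0001.JPG", "LOG/flight_001.log", "MISC/net.cfg"):
            (card / name).parent.mkdir(parents=True, exist_ok=True)
            (card / name).write_bytes(name.encode())
        print(offload_and_clear(card, archive), leftover_files(card))
```

Deleting files removes directory entries only; follow the offload with a full overwrite of the card if recovery of deleted data is a concern.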
The drone must never connect to the corporate Wi-Fi network. If network connectivity is required for firmware updates or data transfer, a dedicated IoT or guest network should be used — a network that provides internet access but no route to corporate resources. This prevents the corporate PSK from being cached on the device.
EXIF metadata must be stripped from images before external sharing. Marketing photographs published on websites, in brochures, or on social media should have GPS coordinates removed. Tools such as ExifTool or built-in OS features can batch-strip location data. The raw geotagged images are retained internally for operational purposes; the published versions carry no geolocation.
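The strip-before-publish step described above, as an added example in Python that is not from the original article: it walks the JPEG segment headers, drops every APP1 segment (which holds Exif and XMP, so it removes all embedded metadata rather than GPS alone), and offers a check that can gate publication. The function names and the sample bytes are constructed for illustration.

```python
import struct

SOI, SOS, APP1 = b"\xff\xd8", 0xDA, 0xE1


def split_segments(jpeg: bytes):
    """Yield (marker, raw_segment) for each header segment, then
    (None, rest) for everything from start-of-scan onward."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:  # compressed image data follows; copy verbatim
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length
    yield None, jpeg[pos:]


def strip_metadata(jpeg: bytes) -> bytes:
    """Return the JPEG with every APP1 segment (Exif and XMP) removed."""
    kept = (seg for marker, seg in split_segments(jpeg) if marker != APP1)
    return SOI + b"".join(kept)


def metadata_segments(jpeg: bytes) -> list:
    """Publication gate: name each APP1 segment still present."""
    return ["Exif" if seg[4:10] == b"Exif\x00\x00" else "XMP/other"
            for marker, seg in split_segments(jpeg) if marker == APP1]


def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment; the length field counts its own two bytes."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: valid segment structure only, not a decodable picture.
SAMPLE = (SOI + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + segment(APP1, b"Exif\x00\x00<constructed GPS tags>")
          + segment(APP1, b"http://ns.adobe.com/xap/1.0/\x00<constructed xmp>")
          + segment(SOS, b"\x00" * 6) + b"\x12\x34\xff\xd9")

if __name__ == "__main__":
    print(metadata_segments(SAMPLE), metadata_segments(strip_metadata(SAMPLE)))
```

Run `metadata_segments` on the exported file as the final check; an empty list means no Exif or XMP block remains.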
A Data Protection Impact Assessment (DPIA) for drone operations is a legal requirement under GDPR when processing is likely to result in a high risk to individuals' rights — which aerial photography of identifiable persons in public and private spaces may constitute. The DPIA should assess the necessity and proportionality of the data collection, identify the lawful basis for processing, define retention periods, and establish procedures for handling subject access requests relating to drone-captured imagery.
A drone is a camera with a GPS receiver, a Wi-Fi radio, and a hard drive. It is operated by a human who points it at things the organisation considers important. It records where it goes, what it sees, and which networks it encounters. And it retains all of this — indefinitely — until someone makes a deliberate decision to delete it.
Nobody on this engagement had made that decision. The drone had accumulated eighteen months of flight history, six thousand photographs, two hundred and forty-seven videos, and the plaintext Wi-Fi credentials for seven networks — including the corporate network. Not because it was misconfigured. Not because it was compromised. Because it was designed to retain data, and nobody had told it to stop.
The marketing team saw a camera. An attacker would see a reconnaissance platform. The difference is not in the device — it is in whose hands it ends up in, and what data is on it when it does.
Until next time — stay sharp, stay curious, and wipe your drone's SD card. What it remembers is more than you intended.
This article describes a UAV data assessment conducted under formal engagement with full written authorisation from the client. No flights were conducted as part of this assessment. All testing was performed on a grounded, powered-on device within the client's premises. Video footage was reviewed only to characterise the intelligence content — no personal data was extracted, stored, or processed beyond the minimum necessary to confirm the findings. Drone operations involving the capture of personal data are subject to the UK General Data Protection Regulation and the Data Protection Act 2018. All identifying details have been altered or omitted to preserve client confidentiality. Unauthorised access to computer systems is a criminal offence under the Computer Misuse Act 1990. Do not attempt to replicate these techniques without proper authorisation.
Hedgehog Security assesses the data that commercial drones accumulate — flight logs, cached credentials, photograph metadata, video intelligence, and firmware artefacts. We evaluate the physical security of the device, the data workflow from capture to delivery, and the GDPR implications of aerial imagery. Your drone is a data asset. Treat it like one.