Full Report
The SFPD’s exposure of hours of videos from drone platform Skydio reveals how broadly it’s watching the city from above—and how the results can spill online.
Analysis Summary
# Incident Report: San Francisco Police Department Drone Video Exposure
## Executive Summary
A security misconfiguration in the San Francisco Police Department’s (SFPD) drone management infrastructure led to the public exposure of hours of aerial surveillance footage. The data, hosted on the Skydio platform, included footage of arrests, protests, and general urban monitoring, highlighting significant privacy risks associated with automated police surveillance. The exposure allowed third parties to access and record sensitive police operations that were intended for internal use only.
## Incident Details
- **Discovery Date:** July 2026 (approximate reporting date)
- **Incident Date:** Ongoing/Active at time of report (2024–2026 period)
- **Affected Organization:** San Francisco Police Department (SFPD)
- **Sector:** Government / Law Enforcement
- **Geography:** San Francisco, California, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed; discovered July 2026.
- **Vector:** Misconfigured access controls/Public URL exposure.
- **Details:** Sensitive video links hosted on the Skydio drone platform were not properly authenticated or restricted, making them accessible to any user with the direct link.
### Lateral Movement
- **Details:** N/A - The incident was not a traditional network intrusion but rather a direct exposure of cloud-stored media.
### Data Exfiltration/Impact
- **Details:** Investigative reporters and third parties obtained access to hours of footage depicting SFPD drone operations. This included tracking of human suspects, surveillance of public gatherings, and footage of arrests within the city.
### Detection & Response
- **How it was discovered:** Discovered by independent researchers and journalists (WIRED) via analysis of publicly accessible digital footprints.
- **Response actions taken:** Exposure reported to the SFPD; subsequent removal or securing of the specific video links.
## Attack Methodology
- **Initial Access:** Misconfiguration / Weak Access Control via Skydio’s cloud sharing features.
- **Persistence:** N/A.
- **Privilege Escalation:** N/A; access was granted by default due to lack of authentication.
- **Defense Evasion:** N/A.
- **Credential Access:** None required; the links were "open."
- **Discovery:** Web scraping and URL pattern analysis.
- **Collection:** Bulk downloading/recording of streaming drone footage.
- **Exfiltration:** Standard HTTP/HTTPS download.
- **Impact:** Privacy violation and exposure of police tactics/surveillance scope.
## Impact Assessment
- **Financial:** Potential legal liabilities and costs associated with auditing privacy compliance.
- **Data Breach:** Exposure of sensitive law enforcement surveillance video.
- **Operational:** Disclosure of police surveillance "blind spots," tactics, and specific targets of interest.
- **Reputational:** Significant public outcry regarding the "New Reality of Urban Surveillance" and lack of data governance.
## Indicators of Compromise
- **Network indicators:** Traffic to `*.skydio[.]com` from unauthorized external IP addresses accessing internal-only assets.
- **Behavioral indicators:** Unusual spikes in bandwidth consumption on specific video thumbnails or shared links.
## Response Actions
- **Containment:** Revoking public access to affected Skydio cloud URLs.
- **Eradication:** Audit of all existing shared links to ensure single-use or authenticated access.
- **Recovery:** Update to department policy regarding the sharing and retention of drone footage.
## Lessons Learned
- **Cloud Security:** Third-party "Drones as a Service" platforms require the same rigorous access control audits as internal servers.
- **Privacy Awareness:** Law enforcement agencies must recognize that automated surveillance data is a high-value target for both journalists and malicious actors.
- **Vendor Risk:** Relying on vendor-managed cloud platforms for sensitive evidence (video) introduces risks if the vendor’s default settings favor "ease of sharing" over "security."
## Recommendations
- **Zero Trust Architecture:** Implement strict authentication requirements for all cloud-hosted law enforcement data; assume all "private" links will eventually be discovered.
- **Automated Auditing:** Use automated tools to scan for publicly accessible assets (S3 buckets, video links, etc.) associated with the agency.
- **Policy Enhancement:** Establish clear SOPs for when drone footage can be uploaded to the cloud and who is authorized to generate sharing links.