DJI Releases Findings of the Most Comprehensive Independent Security Assessment of Its Drone Systems to Date

DJI has released the findings of the most comprehensive independent security assessment ever conducted on our products. OnDefend, a U.S.-based cybersecurity firm trusted by national security stakeholders and enterprise leaders, audited the DJI Matrice 4E with RC Plus 2 Enterprise controller and the DJI Air 3S with RC 2 controller, subjecting both systems to advanced adversarial testing across software, hardware, and radio frequency domains.

The assessment was authorized by DJI but conducted independently. To preserve the integrity of the evaluation, enterprise units were sourced from existing dealer stock and consumer units were procured directly from retail outlets without pre-notification to DJI. All tested devices reflect standard U.S. market distribution.

Key Findings

The assessment produced zero critical, high, and medium-risk findings. Specifically:

– No evidence of data transmission outside the United States was identified. All observed connections from DJI flight control applications resolved to U.S.-based infrastructure.

– No backdoors or unauthorized remote access mechanisms were found. Controllers resisted all jailbreak and firmware modification attempts.

– No unexplained radio frequency emissions were identified. All detected signals were traced to known system functions. Emissions not previously documented in FCC filings were confirmed to be standard artifacts of signal generation methods, not covert channels.

– No supply chain tampering or unauthorized hardware modifications were detected.

Low-Risk Findings and Remediation

Ten low-risk findings and thirteen observations were identified, consistent with industry norms for complex mobile and embedded systems. They were primarily related to application security configurations, session handling, and wireless hardening. None presented a realistic risk to safe drone operation or to widespread exposure of confidential information. DJI collaborated with OnDefend on potential remediation during the engagement and is working to address remaining items in subsequent software releases.

“During the window of testing, OnDefend’s assessment of the Air 3S and Matrice 4E drone systems identified no clear evidence of hidden backdoors, no data transmissions outside the United States, and no viable pathways for hijacking or weaponization. No critical or high-risk findings were observed. To maintain national security assurance, ongoing testing of firmware, software updates, and verification of hardware and chip integrity are recommended for continuous and ongoing validation.”
— OnDefend 2026 DJI Security Assessment

What Was Tested and How

The engagement ran from October 2025 through March 2026 and was structured around three national security concerns: data sovereignty, hardware vulnerabilities, and drone manipulation risks.

Software. Static and dynamic application security testing of the DJI Fly and Pilot 2 applications; full network traffic analysis across standard and local data mode operation; and adversary simulation including meddler-in-the-middle attacks, certificate bypass, privilege escalation, and jailbreak attempts.

Hardware. Full-spectrum radio frequency scanning from 1 MHz to 6 GHz; PCB-level hardware teardown and component analysis; supply chain integrity verification; and RF exploitation testing including replay, jamming, and injection attacks.

“This is the most comprehensive independent security assessment ever undertaken on our products. These findings confirm what DJI has consistently maintained: our products are secure, our data practices are transparent, and the concerns underlying our FCC Covered List designation are not supported by technical evidence. We commissioned this independent assessment because we believe facts should inform policy decisions. We are calling on the FCC to consider these findings carefully as part of our ongoing appeal, and we remain committed to engaging constructively with relevant authorities.”
— Adam Welsh, Head of Global Policy, DJI

Why OnDefend

OnDefend’s offensive security team includes former U.S. military and government professionals with deep operational experience in national security. Its proprietary testing technology uses AI-driven imaging and silicon-level analysis to identify unauthorized transmission pathways, counterfeit components, and undocumented hardware modifications — testing capabilities typically not part of standard hardware security assessments.

DJI’s inclusion on the FCC Covered List in December 2025 was not accompanied by the identification of a specific, documented security vulnerability. DJI has appealed this designation and has consistently requested a transparent, evidence-based technical review.

DJI drones are widely used across public safety, agriculture, infrastructure, and creative industries in the United States:

More than 80% of the 1,800-plus state and local law enforcement agencies that use drones rely on DJI for search and rescue, accident reconstruction, crime scene documentation, and tactical overwatch.1

43% of drone business users believe they would face an extremely negative or business-ending impact from DJI restrictions.2

DJI is the industry standard for aerial cinematography, news gathering, and documentary production.

If you use Google as your search engine, you can set Drones as your preferred source so that our content appears more frequently in your search results. Add Drones as your preferred source.

The Drones PR portal features news and reports from companies, universities, and associations. The respective organisations are responsible for the content of their press releases.