What the DJI Security Audit Is and Why It Matters
The DJI security audit is an independent technical assessment by cybersecurity firm OnDefend that examined selected DJI drones for hidden backdoors, data exfiltration, and hijacking risks, and its findings now sit at the center of a high‑stakes regulatory fight over foreign‑made drone imports. OnDefend tested two drone systems—the consumer-focused DJI Air 3S with RC 2 controller and DJI Fly app, and the enterprise Matrice 4E with RC Plus 2 Enterprise controller and Pilot 2 app—over a roughly five‑month engagement. The firm purchased units through normal retail and distributor channels, without notifying DJI, to avoid hand‑picked test hardware. This audit arrives as regulators consider whether DJI should remain on a restricted “Covered List” that effectively amounts to a DJI import ban for new products, making the security assessment findings directly relevant to the policy argument about drone backdoor concerns and overall platform safety.

Inside OnDefend’s Testing: From Apps to RF and Hardware
OnDefend structured the DJI security audit around three questions: where data flows, how secure the hardware is, and whether drones can be hijacked or manipulated. On the software side, the firm performed static and dynamic analysis of the DJI Fly and Pilot 2 apps, monitored all network traffic in normal and Local Data Mode, bypassed certificate pinning, and attempted privilege escalation and jailbreaks on controllers. Hardware tests included full-spectrum RF scanning from 1 MHz to 6 GHz, board‑level teardown, and cross‑checking components against expected bills of materials, along with replay, jamming, and injection attacks aimed at the control links. According to OnDefend, “no unexplained radio emissions were identified. All observed RF emissions were traced back to known functions on the drones,” undercutting fears that undocumented RF channels might serve as hidden backdoors or covert data paths during flight operations.

Headline Security Assessment Findings: No Backdoors, No Data Leaving the US
The most prominent security assessment findings address the core drone backdoor concerns behind the DJI import ban debate. OnDefend reported no critical, high, or medium‑risk issues across the tested systems, flagging only ten low‑risk findings and thirteen lower‑level observations that DJI says it is addressing through software updates. Crucially, the audit found no hidden backdoors or unauthorized remote‑access mechanisms on the drones or controllers, and repeated jailbreak and firmware‑modification attempts failed. Network analysis showed no evidence of data being sent outside the United States during testing, with all traffic resolving to US‑based infrastructure, even when Local Data Mode was disabled. Local Data Mode itself worked as advertised: when enabled, flight‑control apps did not transmit user data to the internet and did not leak historical flight data once connectivity was restored, strengthening DJI’s claim that operators can keep sensitive flights isolated.

Low-Risk Weaknesses and Nuances Behind the Clean Bill of Health
OnDefend’s “zero critical, high, or medium” headline does not mean the systems were flawless. The report documents ten low‑risk issues and additional observations, some of which matter in practice. These include authentication tokens exposed in URLs inside DJI Fly and Pilot 2, weak TLS protocols and ciphers, persistent cross‑site scripting in DJI Fly, a denial‑of‑service condition on an open port, and a local file inclusion with path traversal in the FlyShare feature. One notable finding was a default shared Wi‑Fi password, since patched via firmware. On the infrastructure side, traffic resolved to US‑based endpoints but sometimes used content‑delivery services linked with Alibaba and Tencent; OnDefend recommends shifting to infrastructure more clearly identified as US‑based. The firm also suggests removing 4G‑dongle‑related antenna structures from drones sold in the US market, highlighting that some remedial work involves hardware, not only software updates.
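The finding categories above (credentials exposed in URLs, weak TLS protocols and ciphers, traffic resolving to non‑US endpoints) are the kind of thing a security team can triage from captured app traffic. The following is an added example written for this article, not code from OnDefend or DJI; the record format, hostnames and country attribution are constructed assumptions, and the weak‑protocol and weak‑cipher lists are an assumed policy rather than the audit’s own criteria.

```python
"""Triage constructed app-traffic records for the kinds of low-risk issues the
audit describes: auth tokens in URLs, weak TLS, and traffic leaving the US.
The record format, endpoint names and country mapping are assumptions."""
from urllib.parse import urlparse, parse_qs

# Protocol versions and cipher families worth flagging (assumed policy).
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT")
TOKEN_PARAMS = {"token", "access_token", "auth", "session", "api_key"}

# Constructed sample records, not real captures (hostnames are placeholders).
RECORDS = [
    {"app": "DJI Fly", "url": "https://api.example-us.test/v1/flights?token=abc123",
     "tls": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "country": "US"},
    {"app": "Pilot 2", "url": "https://cdn.example-cn.test/assets/map.bin",
     "tls": "TLSv1.0", "cipher": "RC4-SHA", "country": "CN"},
    {"app": "DJI Fly", "url": "https://telemetry.example-us.test/upload",
     "tls": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384", "country": "US"},
]

def check_record(rec, home_country="US"):
    """Return a list of (severity, description) findings for one record."""
    findings = []
    parsed = urlparse(rec["url"])
    leaked = TOKEN_PARAMS & set(parse_qs(parsed.query))
    if leaked:
        # Query strings end up in proxy, CDN and server logs, so a token
        # there is readable by anyone who can read those logs.
        findings.append(("low", f"credential in URL query: {sorted(leaked)}"))
    if rec["tls"] in WEAK_TLS:
        findings.append(("low", f"weak TLS protocol: {rec['tls']}"))
    if any(m in rec["cipher"].upper() for m in WEAK_CIPHER_MARKERS):
        findings.append(("low", f"weak cipher suite: {rec['cipher']}"))
    if rec["country"] != home_country:
        findings.append(("info", f"{parsed.hostname} resolves outside {home_country}"))
    return findings

def triage(records):
    """Map each app+host to its findings; hosts with no findings are omitted."""
    report = {}
    for rec in records:
        hits = check_record(rec)
        if hits:
            report[f"{rec['app']} -> {urlparse(rec['url']).hostname}"] = hits
    return report

if __name__ == "__main__":
    for key, hits in triage(RECORDS).items():
        for sev, desc in hits:
            print(f"[{sev}] {key}: {desc}")
```

Run against a real capture, the same checks would confirm whether a Local Data Mode session stays silent and which endpoints an app contacts when it is disabled.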

Regulatory Implications: A New Data Point in the DJI Import Ban Debate
DJI commissioned the audit to support its petition urging regulators to remove the company from the Covered List, which blocks new DJI gear from entering the US market. The company argues that the OnDefend report “directly challenge[s] the security rationale behind” the ban, noting that independent testing found no backdoors, no data leaving the US, and no viable hijacking pathways. Nearly 3,200 public filings on the petition process highlight how a broad DJI import ban would affect filmmakers, businesses, and emergency responders who rely on DJI’s platforms. The audit, however, speaks to technical security rather than the full geopolitical reasoning behind the restrictions, so it may not resolve the policy dispute on its own. Still, as one of the most comprehensive independent reviews of DJI systems to date, it gives lawmakers and regulators a concrete security baseline for future decisions on Chinese‑made consumer and commercial drone imports.