What the DJI security audit is and why it matters
The DJI security audit is an independent technical assessment by cybersecurity firm OnDefend that examined whether selected DJI drones contain cybersecurity backdoors, send data outside the United States, or expose serious vulnerabilities that could allow unauthorized access, hijacking, or covert data exfiltration, and its findings are now central to a regulatory dispute over a drone import ban. OnDefend tested two drone systems—the DJI Air 3S and the Matrice 4E—along with their controllers and companion apps over roughly five months. The firm says it purchased hardware through normal retail and distributor channels without notifying DJI, aiming to show that the units reflected standard market stock rather than hand-picked samples. For a company facing an FCC regulatory petition process and inclusion on the FCC Covered List, the outcome of this audit is more than a technical report; it is evidence DJI hopes can undermine the security rationale for restricting its products.

Inside the findings: no backdoors, no critical flaws
OnDefend’s report presents a clear top-line message for DJI: it found no cybersecurity backdoors, no data leaving the United States, and no viable remote-hijacking paths on the tested systems. According to PCMag, DJI highlighted that independent testing “found no backdoors, no data leaving the US, and no viable pathways for hijacking or misuse.” Network analysis showed that every observed connection resolved to US-based infrastructure, although some of that traffic went to content delivery networks associated with Alibaba and Tencent alongside providers such as Google and Amazon; a US-located endpoint says where the data lands, not who operates the endpoint, which is why the CDN detail is worth noting. Hardware review, including RF scans from 1 MHz to 6 GHz and PCB-level inspection, detected no unexplained radio emissions or signs of supply-chain tampering. Critically for the drone import ban debate, OnDefend reported zero critical-, high-, or medium-risk findings. Instead, it identified ten low-risk issues and additional lower-level observations that DJI says it is addressing through software updates.

Low-risk vulnerabilities: nuance behind a clean headline
Although the DJI security audit found no high-severity vulnerabilities, the technical appendix shows weaknesses that matter for security professionals and policymakers. OnDefend documented ten low-risk findings and thirteen observations, including authentication tokens exposed in URLs, use of weaker TLS protocols and ciphers, persistent cross-site scripting in the DJI Fly app, a denial-of-service condition on an open port, and a local file inclusion with path traversal in the FlyShare feature. One notable issue was a default shared Wi-Fi password, which DJI has reportedly patched via firmware. OnDefend concluded these flaws align with industry norms for complex mobile and embedded systems and do not create realistic pathways for drone hijacking or widespread data exposure. Still, the presence of these issues shows that “no critical vulnerabilities” does not mean “no security work left to do”; instead, it frames a manageable remediation roadmap.
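To make the path-traversal class concrete, the following is an added example written for this page, not code from DJI, OnDefend, or the FlyShare feature: a hypothetical file-share handler (`serve_file_vulnerable`) that trusts a client-supplied filename, beside a hardened version that canonicalises the path and refuses anything outside the share root. The directory layout and file contents are constructed for the demonstration; the handler names and the `share_root` parameter are assumptions, and nothing here reflects how DJI's software is actually built.

```python
import tempfile
from pathlib import Path


def serve_file_vulnerable(share_root: Path, requested: str) -> bytes:
    """Vulnerable pattern (hypothetical): the client-supplied name is joined
    onto the share root and read without checking that the result is still
    inside it. '../' segments walk out of the share, and an absolute name
    replaces the root entirely (Path('/share') / '/etc/hosts' == Path('/etc/hosts'))."""
    return (share_root / requested).read_bytes()


def serve_file_hardened(share_root: Path, requested: str) -> bytes:
    """Hardened pattern: canonicalise both paths (resolve() follows symlinks and
    collapses '..'), then refuse anything whose canonical form is not strictly
    below the share root. Uses Path.is_relative_to, so needs Python 3.9+."""
    root = share_root.resolve()
    target = (root / requested).resolve()
    if target == root or not target.is_relative_to(root):
        raise PermissionError(f"refusing path outside share: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def demo() -> dict:
    """Build a constructed layout (a share directory holding one photo, and a
    secret file one level above it), then send three requests to each handler:
    a legitimate name, a '../' traversal, and an absolute path.
    Returns {"<handler>:<request label>": "ok:<bytes>" | "blocked:<ExceptionName>"}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        share = base / "share"
        share.mkdir()
        (share / "photo.jpg").write_bytes(b"JPEGDATA")      # constructed sample file
        (base / "secret.txt").write_bytes(b"TOP-SECRET")    # constructed, outside the share
        requests = [
            ("legit", "photo.jpg"),
            ("traversal", "../secret.txt"),
            ("absolute", str(base / "secret.txt")),
        ]
        handlers = [("vulnerable", serve_file_vulnerable), ("hardened", serve_file_hardened)]
        for handler_name, handler in handlers:
            for label, req in requests:
                try:
                    data = handler(share, req)
                    results[f"{handler_name}:{label}"] = "ok:" + data.decode()
                except (PermissionError, FileNotFoundError, OSError) as exc:
                    results[f"{handler_name}:{label}"] = "blocked:" + type(exc).__name__
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key:22s} -> {outcome}")
```

Running the block shows the vulnerable handler happily returning the secret file for both the `../` and the absolute-path request, while the hardened handler serves only the photo and rejects the other two with `PermissionError`. The check is done on the resolved path rather than by string-filtering `..`, because symlinks inside the share and mixed separators defeat string filters.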

DJI’s FCC regulatory petition and the drone import ban debate
DJI commissioned the audit as part of a strategic response to its placement on the FCC Covered List, a designation that blocks new DJI gear from entering the market. The company is pushing an FCC regulatory petition that argues its inclusion was based on unsubstantiated security fears rather than technical evidence. Public filings number around 3,200, with many customers claiming that a drone import ban would cut off affordable, capable drones for filmmakers, businesses, and emergency responders. DJI now points to the OnDefend report as third-party validation that its platforms do not secretly send data abroad or contain hidden access channels. In DJI’s words, the findings “directly challenge the security rationale behind” the restrictions and show that concerns driving its designation are “not supported by technical evidence.” The FCC has not yet publicly answered those claims.

What the audit changes—and what it does not
The independent audit strengthens DJI’s security narrative but does not, by itself, settle the policy fight around Chinese-made drones. Technically, the report supports DJI’s claims that its platforms can operate without covert data exfiltration and that Local Data Mode can keep flight data off the internet. It also shows DJI cooperating on fixes, reinforcing the argument that security risks are manageable engineering problems, not systemic threats. However, the audit covers only two models and focuses on platform security, not broader geopolitical or supply-chain concerns that may influence regulators. For industry users, the report offers reassurance that, on the evidence presented, DJI systems can meet reasonable cybersecurity expectations. For policymakers, it raises the bar: any continued drone import ban or FCC restrictions will now be expected to cite concrete technical risks that go beyond what OnDefend’s assessment has documented.