What the DJI Security Audit Is and Why It Matters
The DJI security audit is an independent technical assessment by cybersecurity firm OnDefend that examined selected DJI drone systems for hidden backdoors, unauthorized data exfiltration, and hardware tampering, in order to determine whether these products pose a realistic security risk that would justify restrictions on their import or use. OnDefend focused on two platforms: the consumer DJI Air 3S with RC 2 controller and the enterprise Matrice 4E with RC Plus 2 Enterprise controller. Both were sourced from regular retail and dealer stock to avoid hand-picked samples. The engagement ran for several months and used adversarial testing methods across software, hardware, and radio-frequency layers. This audit matters because DJI’s placement on the FCC Covered List blocks new DJI gear from entering the market, yet regulators did not cite any specific, documented technical vulnerability. The new findings give policymakers, industry, and pilots technical evidence to weigh against broad security claims.

OnDefend Audit Findings: No Backdoors, No Foreign Data Flows
OnDefend’s report centers on three concerns: data sovereignty, hardware integrity, and resistance to hijacking or manipulation. For both the DJI Air 3S and the Matrice 4E systems, the firm reports no critical, high, or medium-risk security issues. Most directly relevant to the backdoor question, it found no hidden remote-access mechanisms and no unexplained wireless channels in radio-frequency testing from 1 MHz to 6 GHz. According to OnDefend’s executive summary, “there was no evidence of data transmission outside the United States, and all observed connections from DJI flight control applications resolved to U.S.-based infrastructure.” Network captures in standard and Local Data Mode did not reveal covert traffic. Hardware teardown and silicon-level inspection also found no unauthorized modifications or counterfeit components. In short, the audit’s headline result is that, on the tested models, there is no technical sign of the kind of intentional backdoor that has been used to justify import bans.

Low-Risk Issues: What the Ten Findings Tell Us
While the absence of major problems is notable, the DJI security audit did flag ten low-risk findings and thirteen lower-level observations. These span both applications examined: DJI Fly for the Air 3S and Pilot 2 for the Matrice 4E. Reported weaknesses include authentication tokens exposed in URLs, support for weaker TLS protocols and ciphers, persistent cross-site scripting in DJI Fly, a denial-of-service condition on an open port, and a local file inclusion with path traversal in the FlyShare feature. None were rated critical, high, or medium, but some could still matter in targeted attacks or high-security environments. OnDefend also highlighted that traffic, while resolved to domestic infrastructure, sometimes used content-delivery services tied to Alibaba and Tencent, and recommended migration to more clearly identified domestic infrastructure. Another recommendation was the removal of 4G-dongle-related antenna structures from drones sold in certain markets, indicating that small hardware changes could further reduce perceived risk.

What ‘No Backdoors’ Means in Technical and Policy Terms
In technical security language, a backdoor is a hidden way into a system that bypasses normal authentication or controls and is not documented for users. OnDefend’s conclusion that it found no backdoors on the audited DJI drones means its testers could not discover any covert remote-access paths, undocumented communication channels, or supply-chain tampering that would allow outside control or data exfiltration. This does not mean the systems are bug-free, but it distinguishes ordinary software flaws from intentional access paths. For policymakers, this matters because many calls for a US drone import ban against DJI have been framed around fears of built-in backdoors sending sensitive data abroad. The audit undercuts that specific claim by presenting targeted evidence to the contrary. It also highlights a gap between political risk narratives and what adversarial testing of real hardware and software has, so far, found on the ground.

Implications for the FCC Covered List and Import Ban Debate
DJI’s placement on the FCC Covered List in December 2025 was not accompanied by public disclosure of any concrete technical vulnerability, yet the designation blocks new DJI products from entering the market. DJI has appealed this status and argues that regulators should make evidence-based decisions. The OnDefend audit is central to that appeal: it states there is “no security-related reason for blocking DJI’s products from being imported and sold in the United States,” disputing the security rationale behind a broader foreign-made drone ban. For regulators, the report offers a detailed, third-party technical record to review as they consider DJI’s petition to be removed from the restricted list. For filmmakers, first responders, and commercial operators, the findings will inform how they argue for exemptions or policy changes. The debate is now less about vague backdoor fears and more about whether proven, low-risk flaws justify sweeping import and usage restrictions.
