
Independent Security Audit Challenges Basis for DJI Drone Restrictions


What the DJI security audit is and why it matters

The DJI security audit is an independent technical assessment by the cybersecurity firm OnDefend that examined whether DJI drones contain hidden backdoors, leak user data, or pose national security risks, and its findings are now being used to challenge regulatory restrictions on importing and selling these aircraft. OnDefend focused on two systems: the consumer DJI Air 3S with the RC 2 controller and the enterprise DJI Matrice 4E with the RC Plus 2 Enterprise controller. Both were bought through normal retail and dealer channels, so they reflect standard market units rather than handpicked samples. The audit applied “advanced adversarial testing across software, hardware, and radio frequency domains,” including app analysis, full network traffic capture, and PCB-level teardown. For regulators weighing drone data-security policy, especially the FCC drone ban affecting new imports, this work matters because it provides the detailed technical review that critics say was missing when DJI products were added to the FCC Covered List.


Headline findings: no backdoors, no data leaving the US

OnDefend’s headline conclusion is that the tested DJI systems show no backdoor risk and no evidence of unauthorized data leaving the US. All observed connections from the DJI Fly and Pilot 2 apps resolved to US-based infrastructure, and the audit did not identify any hidden remote-access mechanisms or unexplained radio emissions. The DJI controllers resisted jailbreak and firmware-modification attempts, limiting opportunities for attackers to tamper with the platform. Hardware inspection found no supply-chain tampering or undocumented components. According to the OnDefend report, the engagement produced “zero critical, high, or medium-risk findings” and instead surfaced ten low-risk issues and a set of lower-level observations. For the broader debate over the DJI security audit, this significantly weakens claims that the platforms secretly send data to foreign servers or conceal covert control channels, at least for the models and firmware versions examined in this study.


Low-risk issues: where DJI still needs to improve

The clean bill of health on backdoors and data exfiltration does not mean the drones are flawless. OnDefend documented ten low-risk findings plus thirteen lower-level observations, several of which touch everyday cybersecurity hygiene. Examples include authentication tokens exposed in URLs within the DJI Fly and Pilot 2 apps, weak TLS protocols and ciphers, a persistent cross-site scripting weakness, and a denial-of-service condition on an open port. The FlyShare feature also contained a local file inclusion issue with path traversal, and one finding noted a default-password scenario in the Local Data Mode Wi‑Fi access point. None of these rose above the low-risk range, but together they give DJI a clear hardening roadmap. For discussions of drone data security, they show that the question is not whether DJI platforms are perfect, but whether their remaining flaws are routine software issues or genuine national security threats.
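To make the FlyShare-style "local file inclusion with path traversal" finding concrete, here is an added example (not code from the OnDefend report or from DJI) of a file-share path resolver: the naive join that lets a request climb out of the share directory, beside a hardened resolver that percent-decodes first and then refuses anything that does not stay under the share root. The share root and request strings are constructed for illustration.

```python
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed share root; it does not need to exist for the containment check.
SHARE_ROOT = "/srv/flyshare"

# Constructed sample requests of the kind a file-share endpoint might receive.
SAMPLE_REQUESTS = [
    "DJI_0001.MP4",              # ordinary clip inside the share
    "clips/../DJI_0002.MP4",     # traversal that still lands inside the share
    "../../../etc/passwd",       # classic climb out of the share
    "..%2F..%2Fetc%2Fpasswd",    # same climb, percent-encoded
    "/etc/passwd",               # absolute path overriding the root
]


def naive_resolve(share_root: str, requested: str) -> str:
    """Vulnerable pattern: plain join + normpath. '..' segments and absolute
    requests escape share_root, which is how a local file inclusion happens."""
    return os.path.normpath(os.path.join(share_root, requested))


def safe_resolve(share_root: str, requested: str) -> Optional[Path]:
    """Hardened pattern: decode, strip any leading slash, resolve, then keep the
    path only if it is still inside share_root. Returns None when it escapes."""
    root = Path(share_root).resolve()
    decoded = unquote(requested)           # check the bytes the OS will see, not the encoding
    candidate = (root / decoded.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root)        # raises ValueError if outside root
    except ValueError:
        return None
    return candidate


def classify_requests(share_root: str, requests) -> dict:
    """Label each request 'served' or 'blocked' under the hardened resolver."""
    return {r: ("served" if safe_resolve(share_root, r) else "blocked")
            for r in requests}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:30} naive -> {naive_resolve(SHARE_ROOT, req)}"
              f"   hardened -> {safe_resolve(SHARE_ROOT, req)}")
```

The decisive difference is that the hardened version compares the fully resolved path against the resolved root rather than filtering the request string for "..", so encoded, nested and absolute variants all fall out of the same check.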


How the audit undercuts the rationale for the FCC drone ban

DJI commissioned the audit after regulators placed it on the FCC Covered List in December 2025 without publicly documenting a specific technical vulnerability. That listing has effectively become an FCC drone ban on new DJI gear, blocking new imports, including popular non-drone products such as the Osmo Pocket series, from receiving FCC clearance. The OnDefend report directly addresses the core concerns that were used to justify tighter rules on Chinese-made drones: covert backdoors, undisclosed data flows, and compromised hardware. By finding no critical issues and no data leaving the US, the audit undercuts the idea that DJI’s platforms present a special, unmanageable risk compared with other connected devices. While the report cannot answer broader geopolitical or trade questions, it gives policymakers concrete technical evidence to weigh against earlier, largely unsubstantiated security claims about DJI products.


What comes next for regulators, DJI, and drone users

For regulators, the OnDefend audit raises pressure to match policy with evidence. DJI has appealed its Covered List status and repeatedly sought a transparent, government-led review; this independent DJI security audit fills a gap left by the congressionally mandated federal audit that never happened. Agencies now have a detailed technical record they can scrutinize, challenge, or replicate. For DJI, the findings support its argument that restrictions stem more from politics than from demonstrated platform flaws, even as the company is urged to tighten encryption, remove 4G-dongle antenna structures in certain markets, and improve web app security. Drone operators and filmmakers sit in the middle: they rely on DJI as a default tool, yet face uncertainty over future imports and support. The audit does not settle the regulatory fight, but it makes it harder to defend sweeping bans on purely security grounds.
