What the DJI security audit is and why it matters
The DJI security audit is an independent technical assessment of selected DJI drones that examines whether their hardware, software, and data flows contain backdoors, leak user information abroad, or allow remote hijacking, with the goal of informing regulators and buyers about demonstrated security risks rather than assumed geopolitical threats. Cybersecurity firm OnDefend tested two systems—the DJI Air 3S with RC 2 controller and the Matrice 4E with RC Plus 2 Enterprise controller—over several months. The company purchased units from retail and dealer stock without notifying DJI, aiming to mirror what typical buyers receive. The audit reported no backdoors, no data leaving the United States, and no viable paths for remote takeover, while flagging ten low‑risk findings and several lower‑level observations. DJI is using the audit to support its challenge to its FCC Covered List designation, which in practice acts as an import ban on its newer drones.

How OnDefend tested DJI drones and what it found
OnDefend structured the engagement around three core questions: data sovereignty, hardware integrity, and resistance to hijacking or manipulation. Its team inspected the DJI Fly and Pilot 2 apps with static and dynamic analysis, captured all network traffic in normal and Local Data Mode, and attempted jailbreaks and privilege escalation on the controllers. Hardware testing included PCB teardowns, component checks against expected parts lists, and radio‑frequency scanning from 1 MHz to 6 GHz. According to OnDefend’s report, “zero critical, high, or medium‑risk findings” were identified, and “no evidence of data being sent outside the United States” was observed, with all traffic resolving to US‑based infrastructure. No hidden backdoors or unauthorized access mechanisms were found, and unexplained RF emissions were ruled out after analysis tied them to known signal‑generation methods rather than covert channels. The firm also reported no signs of supply‑chain tampering or unapproved hardware modules in the tested units.

Low‑risk flaws and the limits of a positive result
The audit’s reassuring headlines sit alongside ten low‑risk findings and thirteen additional observations that highlight practical weaknesses rather than catastrophic flaws. On the software side, OnDefend noted exposed authentication tokens in URLs in both DJI Fly and Pilot 2, weaker TLS protocols and ciphers than current best practice, persistent cross‑site scripting in DJI Fly, a denial‑of‑service condition on an open port, and a local file inclusion with path traversal in the FlyShare feature. One notable issue was a default shared Wi‑Fi password, which DJI has since removed through firmware updates. OnDefend argues these issues match what it sees across complex mobile and embedded systems and do not present realistic risks to flight safety or broad data exposure. Still, the findings show the DJI security audit is not a blank check: it describes systems that resemble mainstream connected devices, rather than platforms with exceptional protection or with no need for further hardening.
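The data‑sovereignty, token‑in‑URL and TLS checks described in the testing section and in the findings above, as an added example that is not OnDefend's tooling or DJI code; the capture records, the `*.test` hostnames and the GeoIP‑derived `country` field are constructed assumptions.

```python
"""Audit-style review of captured drone-app network connections.

Added example, not OnDefend's tooling or DJI code. It models checks the audit
describes: did traffic leave the approved region, do URLs carry authentication
tokens as query parameters, were TLS versions below current practice negotiated,
and did anything egress while Local Data Mode was active. Records are constructed.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture: one dict per observed connection. 'country' stands in
# for a GeoIP lookup done separately; 'mode' is the app mode during the capture.
SAMPLE_CAPTURE = [
    {"url": "https://api.example-us.test/v1/flight/sync", "country": "US", "tls": "TLSv1.3", "mode": "normal"},
    {"url": "https://share.example-us.test/media?access_token=abc123", "country": "US", "tls": "TLSv1.2", "mode": "normal"},
    {"url": "https://legacy.example-us.test/update", "country": "US", "tls": "TLSv1.0", "mode": "normal"},
    {"url": "https://cdn.example-eu.test/assets", "country": "DE", "tls": "TLSv1.2", "mode": "normal"},
    {"url": "https://api.example-us.test/v1/flight/sync", "country": "US", "tls": "TLSv1.3", "mode": "local_data"},
]

TOKEN_PARAMS = {"token", "access_token", "auth", "api_key", "session"}  # assumed names
WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass(frozen=True)
class Finding:
    check: str
    url: str
    detail: str


def review_capture(records, allowed_countries=frozenset({"US"})):
    """Return one Finding per policy violation seen in the capture."""
    findings = []
    for rec in records:
        url = rec["url"]
        if rec["country"] not in allowed_countries:
            findings.append(Finding("data_sovereignty", url, f"destination in {rec['country']}"))
        leaked = sorted(p for p in parse_qs(urlsplit(url).query) if p.lower() in TOKEN_PARAMS)
        if leaked:  # secrets in query strings end up in logs, proxies and browser history
            findings.append(Finding("token_in_url", url, f"query params {leaked}"))
        if rec["tls"] in WEAK_TLS:
            findings.append(Finding("weak_tls", url, rec["tls"]))
        if rec["mode"] == "local_data":  # Local Data Mode should keep flight data on-device
            findings.append(Finding("local_data_mode_egress", url, "outbound connection while offline mode active"))
    return findings


def redact_url(url):
    """Mask token-bearing query values so captures can be stored and shared safely."""
    parts = urlsplit(url)
    pairs = parse_qs(parts.query, keep_blank_values=True)
    query = "&".join(f"{k}=<redacted>" if k.lower() in TOKEN_PARAMS else f"{k}={v[0]}" for k, v in pairs.items())
    return parts._replace(query=query).geturl()
```

Run `review_capture(SAMPLE_CAPTURE)` to see one finding per category fire on the constructed records; a clean capture yields an empty list.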

From technical report to drone import ban fight
DJI commissioned the OnDefend assessment as part of its pushback against placement on the FCC Covered List, which blocks new DJI gear from entering the US market and amplifies wider Chinese drone restrictions under proposed laws such as the Countering CCP Drones Act. In its public statement, DJI says the results “directly challenge the security rationale behind” its inclusion, arguing that no technical evidence has been released to justify treating its products as higher‑risk than competitors. The company has submitted the audit in its formal petition urging the FCC to remove its name from the list, and thousands of public comments from pilots, businesses, and emergency responders have warned that the drone import ban will limit access to reliable, affordable aerial platforms. The FCC has not commented on the new report, and its decision will signal how much weight independent technical evidence carries against policy‑driven risk assumptions.

What the audit means for future FCC regulatory scrutiny
For regulators, the OnDefend audit narrows—but does not end—the debate over DJI and other Chinese drone restrictions. On one hand, a detailed, independent DJI security audit that finds no backdoors, no data flows leaving the US, and only low‑risk flaws undermines claims that DJI drones are uniquely dangerous from a technical standpoint. It also validates features such as Local Data Mode, which OnDefend confirmed blocked outbound transfers of flight‑control data. On the other hand, the audit covers only two recent models and focuses on observable behavior, not the broader policy concerns that often drive FCC regulatory scrutiny. Lawmakers can still argue about future software changes, potential state influence, or dependence on foreign cloud providers like Alibaba and Tencent, which the report recommends DJI phase out for clearer data‑sovereignty guarantees. How the FCC responds will shape not only DJI’s US market access but also the standard of proof expected in future technology‑security disputes.
