DJI has released the key findings from an independent security assessment of its drone systems. The company announced that the assessment “produced zero critical, high, and medium-risk findings.”
Why has DJI done this?
Back in December 2024, the FY25 National Defense Authorization Act (NDAA) required that a risk assessment of Chinese drones be conducted by an “appropriate national security agency.” It also stated that DJI would automatically be banned from supplying its products if the risk assessment was not conducted within the following 12 months. However, the NDAA did not designate a specific agency to undertake the risk assessment. As a result, it didn’t happen, so DJI can’t now supply any products in the U.S.
Independent assessment
DJI campaigned tirelessly to get the required risk assessment to happen. Now it seems the company has decided to take matters into its own hands. DJI commissioned OnDefend, a U.S.-based cybersecurity firm, to conduct an independent security assessment. DJI also says that OnDefend is “trusted by national security stakeholders and enterprise leaders.”
OnDefend’s assessment looked at the DJI Air 3S with RC 2 controller and the DJI Matrice 4E with RC Plus 2 Enterprise controller. DJI says the assessment subjected both systems to “advanced adversarial testing across software, hardware, and radio frequency domains.”
What was tested?
OnDefend carried out its investigation from October 2025 through March 2026. It looked at the three national security concerns of data sovereignty, hardware vulnerabilities and drone manipulation risks. This involved advanced teardown, RF and silicon-level analysis of DJI hardware to look for issues such as unauthorized transmission pathways, covert RF channels and hidden antennas. OnDefend also ran static and dynamic application security testing on the DJI Fly and Pilot 2 apps. The firm checked for other software vulnerabilities as well.
What was the outcome?
DJI says that the assessment produced zero critical, high, and medium-risk findings. The key findings were:
No evidence of data transmission outside the United States was identified. All observed connections from DJI flight control applications resolved to U.S.-based infrastructure.
No backdoors or unauthorized remote access mechanisms were found. Controllers resisted all jailbreak and firmware modification attempts.
No unexplained radio frequency emissions were identified. All detected signals were traced to known system functions. Emissions not previously documented in FCC filings were confirmed to be standard artifacts of signal generation methods, not covert channels.
No supply chain tampering or unauthorized hardware modifications were detected.
OnDefend statement
After the assessment, OnDefend stated, “During the window of testing, OnDefend’s assessment of the Air 3S and Matrice 4E drone systems identified no clear evidence of hidden backdoors, no data transmissions outside the United States, and no viable pathways for hijacking or weaponization. No critical or high-risk findings were observed. To maintain national security assurance, ongoing testing of firmware, software updates, and verification of hardware and chip integrity are recommended for continuous and ongoing validation.”
Minor issues
DJI said that during the assessment “ten low-risk findings and thirteen observations were identified.” However, the company was quick to assert that these were “consistent with industry norms for complex mobile and embedded systems.” Importantly, DJI said that none of the issues “presented a realistic risk to safe drone operation or to widespread exposure of confidential information.” The company also worked with OnDefend to resolve most issues during the assessment. Any remaining items will be addressed in subsequent software releases.
Call to the FCC
Adam Welsh, head of global policy at DJI, said, “This is the most comprehensive independent security assessment ever undertaken on our products. These findings confirm what DJI has consistently maintained: our products are secure, our data practices are transparent, and the concerns underlying our FCC Covered List designation are not supported by technical evidence. We commissioned this independent assessment because we believe facts should inform policy decisions. We are calling on the FCC to consider these findings carefully as part of our ongoing appeal, and we remain committed to engaging constructively with relevant authorities.”
What next?
The FCC is currently going through a public appeal process over the banning of foreign drones in the U.S. At the time of writing, more than 3100 submissions have been made to the appeal. According to DJI, this is around 10 times the number of submissions that the FCC usually receives for an appeal.
What we think
DJI was put in a Catch-22 position when the U.S. government passed the NDAA. The company needed a risk assessment carried out to keep trading in the U.S. However, no agency was ever appointed to conduct the assessment, so there was no way DJI could ever succeed. The company was relentless in its campaign in the run-up to the ban, but to no avail. This independent risk assessment is an attempt by DJI to complete the work that the U.S. government didn’t do. In truth, an assessment commissioned by DJI isn’t going to change any minds at the FCC or the U.S. government, no matter how good the credentials of OnDefend. One thing that is clear, though, is that DJI is not giving up this fight any time soon.
