Independent Audit Finds No Security Basis for Restricting DJI in the USA

Jaron Schneider

A close-up of a modern quadcopter drone with a camera, resting on a reflective surface under a pink and blue sky at dusk.

An independent security assessment conducted by U.S.-based cybersecurity firm OnDefend found that there are no security-related reasons for blocking DJI’s products from being imported and sold in the United States.

It should be noted that DJI is, of course, heavily sharing the news of this audit and that DJI authorized OnDefend to perform the audit. That said, DJI says it was committed to the independence of the study and encouraged OnDefend to perform the audit independently.

The assessment looked at the DJI Air 3S with RC 2 controller and the DJI Matrice 4E with RC Plus 2 Enterprise controller, and subjected both systems to what is characterized as “advanced adversarial testing across software, hardware, and radio frequency domains.” The units OnDefend procured for this study were not sent to it by DJI, but rather were sourced independently. The consumer-level Air 3S drones were procured directly from retail outlets without telling DJI when or where they would be sourced, while the enterprise units were obtained from existing dealer stock.

As a result, “all tested devices reflect standard U.S. market distribution,” DJI says.

“OnDefend’s offensive security team includes U.S. military and government professionals with deep operational experience in national security. The firm specializes in advanced adversarial testing designed to identify national security, supply chain, and technology integrity risks across software, hardware, and supply chain environments,” DJI says, explaining why OnDefend was selected as the security inspector for this assessment. “Its proprietary testing technology uses AI-driven imaging and silicon-level analysis to identify unauthorized transmission pathways, counterfeit components, and undocumented hardware modifications, testing capabilities typically not part of standard hardware security assessments.”

DJI likely sought to have this security audit performed because the U.S. government never took action on the 2024 congressionally-manded audit. Because no department performed that audit despite regular and repeated pleas from the company to do so, DJI found itself automatically banned. Now, even products like its highly-sought-after Osmo Pocket series cannot be imported, as they are not being cleared by the FCC.

A person in a tan parka and winter gear operates a flying drone with a remote control in a snowy landscape, with mountains visible in the background.

“DJI’s inclusion on the FCC Covered List in December 2025 was not accompanied by the identification of a specific, documented security vulnerability. DJI has appealed this designation and has consistently requested a transparent, evidence-based technical review,” the company says.

The study, the executive summary of which can be downloaded here, found that there were no critical, high, or medium-risk security issues with either drone product.

There was no evidence of data transmission outside the United States, and all observed connections from DJI flight control applications resolved to U.S.-based infrastructure.

OnDefend also found no backdoors or unauthorized remote access mechanisms, and controllers resisted all jailbreak and firmware modification attempts. There were also no unexplained radio frequency emissions, and all detected signals were traced to known system functions. Emissions not previously documented in FCC filings were confirmed to be standard artifacts of signal generation methods, not covert channels. Finally, there were no supply chain tampering or unauthorized hardware modifications.

“During the window of testing, OnDefend’s assessment of the Air 3S and Matrice 4E drone systems identified no clear evidence of hidden backdoors, no data transmissions outside the United States, and no viable pathways for hijacking or weaponization. No critical or high-risk findings were observed. To maintain national security assurance, ongoing testing of firmware, software updates, and verification of hardware and chip integrity are recommended for continuous and ongoing validation,” OnDefend’s assessment reads.

The drones did exhibit 10 low-risk findings and thirteen observations, which DJI says is consistent with industry norms for complex mobile and embedded systems.

A camera drone flies in the air with blurred mountains and trees in the background under a partly cloudy sky.

“They were primarily related to application security configurations, session handling, and wireless hardening. None presented a realistic risk to safe drone operation or to widespread exposure of confidential information. DJI collaborated with OnDefend on potential remediation during the engagement and is working to address remaining items in subsequent software releases,” DJI says.

“This is the most comprehensive independent security assessment ever undertaken on our products,” Adam Welsh, Head of Global Policy at DJI, says. “These findings confirm what DJI has consistently maintained: our products are secure, our data practices are transparent, and the concerns underlying our FCC Covered List designation are not supported by technical evidence. We commissioned this independent assessment because we believe facts should inform policy decisions. We are calling on the FCC to consider these findings carefully as part of our ongoing appeal, and we remain committed to engaging constructively with relevant authorities.”

The FCC is currently hearing public appeals to its decision. So far, more than 3,000 comments have been filed, which DJI says is roughly 10 times the volume typically seen in prior FCC proceedings.

Image credits: DJI

,
, , , , , , , , ,
PetaPixel articles may include affiliate links; if you buy something through such a link, PetaPixel may earn a commission.

Love PetaPixel? Go Premium.

Become a Member to get an ad-free experience, unlock our Sample Galleries, and score exclusive discounts from leading photo brands. Your membership directly supports our independent publishing.

Related Articles
A drone hovers in the foreground above a snowy landscape at sunset, while a person stands on the snow below near equipment with mountains visible in the background. 6 Months Later, DJI Says US Government Still Hasn’t Started Its Mandated Security Audit
A person standing next to a vehicle, flying a drone in a desert landscape. The person holds a remote control, and the sky and distant hills are visible in the background. DJI Urges US Government to Start the Mandated Security Audit of Its Business
A large drone flies close to the camera over a snowy landscape at sunset; in the background, a person stands near a sled with mountains visible in the distance. DJI Will Be Banned in the US in 43 Days as the Government Does Nothing
A large drone hovers over a snowy landscape at sunset, casting a shadow near a person standing on the snow with mountains visible in the background. DJI’s Drones, Both Branded and Disguised, Are Even Closer to a US Ban
Discussion