Quick Verdict: An independent DJI security audit by U.S. cybersecurity firm OnDefend found zero critical, high, or medium-risk problems across five months of adversarial testing on the DJI Air 3S and Matrice 4E. The review found no backdoors, no data leaving the United States, and no supply chain tampering. DJI authorized the assessment, yet OnDefend bought the consumer units at retail without telling the company. The findings now sit before the FCC as the agency weighs DJI’s place on its Covered List.
Last updated: May 2026
What the DJI Security Audit Found
On May 28, 2026, DJI released the results of a security audit conducted by OnDefend, a U.S.-based cybersecurity firm whose offensive security team includes military and government veterans. The assessment covered two products: the DJI Air 3S with the RC 2 controller and the Matrice 4E with the RC Plus 2 Enterprise controller. After five months of adversarial testing, OnDefend reported zero critical, high, or medium-risk findings across software, hardware, and radio frequency domains.
The headline results address the exact fears U.S. regulators have raised. OnDefend found no evidence of data transmission outside the United States, because every observed connection from DJI flight control apps resolved to U.S.-based infrastructure. Investigators also found no backdoors or unauthorized remote access mechanisms, since the controllers resisted all jailbreak and firmware modification attempts. In addition, the team detected no unexplained radio frequency emissions and no supply chain tampering.
One detail gives the work added weight. DJI authorized the assessment; however, OnDefend procured the consumer units directly from retail outlets without notifying DJI, while the enterprise units came from existing dealer stock. As a result, the tested devices reflect standard U.S. market distribution rather than hand-picked samples. Adam Welsh, Head of Global Policy at DJI, said the findings confirm what the company has maintained throughout its appeal: the products are secure and the data practices are transparent.
Key Facts at a Glance
| Detail | Finding |
|---|---|
| Auditor | OnDefend, U.S.-based cybersecurity firm |
| Products tested | DJI Air 3S (RC 2), Matrice 4E (RC Plus 2 Enterprise) |
| Testing window | October 2025 through March 2026 |
| Critical, high, medium risks | Zero |
| Low-risk findings | 10 findings, plus 13 observations |
| Data sent overseas | None detected; all traffic resolved to U.S. infrastructure |
| RF scan range | 1 MHz to 6 GHz, full spectrum |
| Report status | Submitted to the FCC public comment record |
How OnDefend Tested the Drones
The engagement ran from October 2025 through March 2026 and centered on three national security concerns: data sovereignty, hardware vulnerabilities, and drone manipulation risks. To cover each one, OnDefend split the work across software, hardware, and radio frequency tracks. The depth of the hardware track sets this review apart from earlier third-party checks.
On the software side, the team ran static and dynamic application security testing of the DJI Fly and Pilot 2 apps. Engineers also performed full network traffic analysis across standard and local data modes, then layered on adversary simulation. Those simulated attacks included meddler-in-the-middle attempts, certificate bypass, privilege escalation, and jailbreak attempts. None of these opened a path to hijacking or mass data exposure.
On the hardware side, OnDefend went further than conventional validation. Specifically, the team performed a full-spectrum radio frequency scan from 1 MHz to 6 GHz, a PCB-level teardown with component analysis, supply chain integrity verification, and silicon-level inspection using AI-driven imaging. Investigators also ran RF exploitation tests such as replay, jamming, and injection attacks. According to the report, this was the only independent assessment of DJI hardware to reach silicon-level inspection alongside a complete spectrum scan. Therefore, the scope answers the deepest tampering and covert-channel theories regulators have floated.
The Low-Risk Findings in Context
No product clears a five-month adversarial test with a perfect sheet, and the DJI Air 3S and Matrice 4E were no exception. OnDefend logged 10 low-risk findings and 13 observations. These items related mostly to application security configurations, session handling, and wireless hardening. For example, the report flagged a persistent access token in DJI Fly and several cryptographic key storage issues.
Context matters here, though. OnDefend described these results as consistent with industry norms for complex mobile and embedded systems, and the firm stated none presented a realistic risk to safe drone operation or to widespread exposure of confidential information. DJI worked with OnDefend on remediation during the engagement and said it is addressing the remaining items in later software releases.
One caveat deserves attention. OnDefend stressed the findings are specific to the software, firmware, and hardware versions tested during the engagement window. Because any point-in-time review has limits, the firm recommended continuous independent validation as DJI ships updates. In other words, a clean result in early 2026 sets a baseline rather than a permanent guarantee.
Why the DJI Security Audit Matters for the Drone Ban
The timing connects directly to the DJI drone ban debate. The FCC added DJI to its Covered List in December 2025, a designation blocking new equipment authorizations and effectively shutting the door on future U.S. sales. Notably, the agency made this move without identifying a single specific, documented vulnerability. The designation rested on categorical concerns about Chinese-manufactured technology rather than a named exploit or a confirmed data leak.
DJI has appealed the FCC Covered List designation and repeatedly asked for an evidence-based technical review. The 16-page OnDefend executive report, dated May 14, 2026, was submitted to the public comment record of the FCC proceedings, days after the May 11 reply deadline on DJI’s petition for reconsideration. With this DJI security audit on file, the company is pressing regulators to weigh independent technical findings against the broader policy concerns.
The stakes reach well beyond one manufacturer. More than 80 percent of the 1,800-plus state and local law enforcement agencies flying drones rely on DJI for search and rescue, accident reconstruction, and tactical work. Meanwhile, 43 percent of drone business users believe DJI restrictions would deliver an extremely negative or business-ending impact. Whether the FCC treats the OnDefend audit as decisive evidence or as one input among many remains the open question.
What It Means for Photographers
For aerial photographers and filmmakers, the audit speaks to a practical worry rather than an abstract policy fight. DJI is the industry standard for aerial cinematography, news gathering, and documentary production, so a ban would reshape gear budgets and workflows across the field. If you fly an Air 3S for client shoots or a Matrice for mapping work, the OnDefend findings offer reassurance the hardware on your shelf behaves as advertised.
The near-term picture still calls for planning, however. A Covered List designation does not seize the drones you already own, yet it constrains future authorizations and complicates buying new units down the road. For this reason, photographers weighing a purchase should track the appeal closely and read our guide to selecting the right drone for your photo and video needs before committing. Those shooting property listings should also review our roundup of top drones for real estate photography to understand where DJI sits against the alternatives.
Workflow habits matter too. Because the report praised DJI’s local data mode and confirmed clean network behavior, photographers handling sensitive sites have a documented reason to keep firmware current and to use local data mode on guarded jobs. If you are new to flying for clients, our tips on using a drone for B-roll cover the basics before you take on paid work.
Final Thoughts
The OnDefend audit gives DJI its strongest technical answer yet to the security questions behind the U.S. drone ban. Five months of adversarial testing, retail-sourced consumer units, silicon-level inspection, and a full 1 MHz to 6 GHz spectrum scan produced zero critical, high, or medium-risk findings. For a debate running largely on categorical suspicion rather than documented exploits, the depth of this DJI security audit raises the bar for what evidence the conversation should rest on.
Skeptics will still note the obvious: DJI authorized and paid for the work, and the findings reflect a single point in time. Both points are fair, although the retail procurement of test units and the recommendation for ongoing validation address them in part. The harder question is no longer whether the hardware hides a backdoor; the audit found none. Instead, the question is whether the FCC views a clean independent assessment as enough to revisit a designation built on country-of-origin concerns.
For now, the report sits in the FCC record while the appeal plays out. Photographers and commercial operators should follow the proceeding, keep firmware updated, and plan gear purchases with the timeline in mind. The full executive summary lives on the DJI Trust Center for anyone who wants to read the methodology and findings firsthand.
Frequently Asked Questions
Who conducted the DJI security audit?
OnDefend, a U.S.-based cybersecurity firm, conducted the assessment. Its offensive security team includes military and government professionals with national security experience. DJI authorized the work, although OnDefend ran the testing independently and bought the consumer units at retail without notifying DJI.
Which drones did the audit cover?
The review covered the DJI Air 3S with the RC 2 controller and the Matrice 4E with the RC Plus 2 Enterprise controller. OnDefend tested two units of each model. Consumer units came from retail outlets, while enterprise units came from existing dealer stock.
Did the audit find any security problems?
The DJI security audit found zero critical, high, or medium-risk problems. OnDefend did log 10 low-risk findings and 13 observations tied to app configuration and session handling, but the firm said none posed a realistic risk to safe operation or to widespread data exposure.
What is the FCC Covered List?
The FCC Covered List names communications equipment the agency deems a national security risk, which blocks new equipment authorizations in the United States. In December 2025, the agency added DJI without citing a specific documented vulnerability. DJI has since appealed the designation.
Does the audit lift the DJI drone ban?
No. The audit does not change DJI’s status on its own. OnDefend’s report was submitted to the FCC public comment record as evidence in DJI’s appeal, and the agency has not ruled. Ultimately, the outcome of the DJI drone ban still depends on the FCC’s decision.
Is my DJI drone still legal to use in the United States?
Yes. A Covered List designation restricts future equipment authorizations rather than seizing drones already owned. You keep the right to fly your current DJI gear, though buying new units gets harder if restrictions tighten.

