Key Takeaways
- An independent audit by OnDefend found no security rationale for restricting DJI products from the U.S. market.
- Both the consumer‑grade Air 3S and the enterprise‑grade Matrice 4E were subjected to advanced adversarial testing across software, hardware, and RF domains.
- The assessment uncovered only low‑risk findings, none of which pose a realistic threat to drone operation or data confidentiality.
- DJI’s inclusion on the FCC’s Covered List was not supported by documented vulnerabilities, prompting an ongoing appeal.
- DJI is urging the FCC to consider the audit’s evidence and continues to collaborate on remediation of remaining minor issues.
Background of the Assessment DJI voluntarily commissioned U.S.-based cybersecurity firm OnDefend to conduct a comprehensive, third‑party security review of its latest drone models. The request came after repeated pleas to federal agencies to perform a mandated audit that never materialized, which had previously placed DJI’s imports on a de‑facto ban. By selecting an independent assessor, DJI aimed to generate transparent, evidence‑based findings that could inform regulators and restore confidence in its products.
Methodology and Testing Approach
OnDefend’s offensive security team, composed of former U.S. military and government professionals, employed AI‑driven imaging and silicon‑level analysis to probe the Air 3S (paired with RC 2 controller) and Matrice 4E (paired with RC Plus 2 Enterprise controller). Testing spanned three layers: deep software inspections, exhaustive hardware dissections, and rigorous radio‑frequency (RF) examinations. Crucially, the devices were sourced from retail outlets and dealer stock—without prior notification to DJI—ensuring that the units reflected standard U.S. market distribution.
Findings on Software and Firmware Integrity
The audit examined flight‑control applications, session handling, and wireless hardening configurations. No backdoors, unauthorized remote‑access mechanisms, or hidden transmission pathways were discovered. All observed connections from DJI’s ground stations resolved exclusively to U.S.-based infrastructure, and attempts to force data exfiltration outside the United States failed. Firmware modification attempts, including jailbreak and custom firmware injections, were consistently resisted, confirming that the software stack remained intact and uncompromised.
Findings on Hardware and Radio Frequency Analysis
A detailed silicon‑level inspection revealed no counterfeit components, undocumented hardware modifications, or supply‑chain tampering. RF emissions were meticulously measured; the majority matched documented signal characteristics, while any previously unrecorded emissions were traced to standard modulation artifacts rather than covert channels. Consequently, there was no evidence of covert command‑and‑control links or anomalous RF behavior that could be exploited for weaponization or espionage.
Supply Chain Verification Results
OnDefend’s investigators traced each component’s provenance and confirmed that the Air 3S and Matrice 4E were assembled using legitimate, commercially sourced parts. No indications of unauthorized hardware implants or malicious firmware updates were detected throughout the manufacturing chain. This verification aligns with routine industry expectations for complex embedded systems and further undermines claims that DJI devices could serve as vectors for hidden malicious hardware.
Risk Classification and Low‑Risk Findings
The assessment cataloged ten low‑risk findings and thirteen observational notes, categories that are typical for sophisticated mobile and embedded platforms. Issues related to application security configurations and session handling were identified but were deemed non‑critical; none compromised flight safety or exposed sensitive data on a systemic level. DJI worked collaboratively with OnDefend during the engagement to address these items, and remediation measures are slated for inclusion in upcoming software releases.
Remediation Steps and Ongoing Collaboration
Recognizing the modest nature of the residual findings, DJI has pledged to implement targeted fixes in future software updates, focusing on tightening wireless hardening and refining session management protocols. The company emphasizes that such incremental improvements are standard practice for high‑complexity systems and do not affect the overall security posture of its drones. Continuous monitoring and re‑testing are planned to validate the effectiveness of these remediation efforts.
Implications for DJI’s FCC Appeal
DJI’s public statement underscores that the audit constitutes the most exhaustive independent security review ever performed on its product line. The company argues that the absence of any critical or high‑risk findings directly contradicts the technical basis for its placement on the FCC’s Covered List. By presenting concrete evidence of robust security controls, DJI seeks to persuade the FCC to rescind the designation and to evaluate its appeal through a fact‑driven, evidence‑based lens rather than precautionary assumptions.
Industry Response and Public Comment Volume The release of the audit coincides with a surge of public commentary on the FCC’s pending decision, with more than 3,000 comments filed—roughly ten times the volume typical of prior FCC proceedings. This unprecedented level of engagement reflects both industry stakeholders’ and consumers’ vested interest in the outcome. The sheer volume of feedback further highlights the significance of DJI’s security audit as a focal point in the broader debate over drone regulation and national security considerations.
Conclusion and Forward‑Looking Recommendations
In sum, the OnDefend audit provides a thorough, technically rigorous validation that DJI’s drones exhibit no substantial security vulnerabilities that would justify export restrictions or market exclusion. The findings reinforce DJI’s longstanding position that its products are secure, its data practices are transparent, and its manufacturing processes are free from malicious modifications. Looking ahead, DJI recommends that continuous firmware integrity checks, periodic RF re‑assessment, and ongoing supply‑chain verification become standard components of any regulatory framework governing advanced unmanned aerial systems. Such proactive measures can ensure that national security concerns are addressed with precision, rather than blanket bans founded on speculative risks.