Zero Critical, High, or Medium-Risk Findings Identified Across Five Months of Adversarial Testing by U.S. Cybersecurity Firm OnDefend of the DJI Air 3S and Matrice 4E

SHENZHEN, China, May 28, 2026 /PRNewswire/ -- DJI, the world's leading drone manufacturer, today released the findings of an independent security assessment conducted by OnDefend, a U.S.-based cybersecurity firm trusted by national security stakeholders and enterprise leaders. The assessment covered the DJI Air 3S with RC 2 controller and the DJI Matrice 4E with RC Plus 2 Enterprise controller, subjecting both systems to advanced adversarial testing across software, hardware, and radio frequency domains.

The assessment was authorized by DJI but conducted independently. To preserve the integrity of the evaluation, consumer units were procured directly from retail outlets without pre-notification to DJI, and enterprise units were sourced from existing dealer stock. All tested devices reflect standard U.S. market distribution.

Key Findings

The assessment produced zero critical, high, and medium-risk findings. Specifically:

• No evidence of data transmission outside the United States was identified. All observed connections from DJI flight control applications resolved to U.S.-based infrastructure.
• No backdoors or unauthorized remote access mechanisms were found. Controllers resisted all jailbreak and firmware modification attempts.
• No unexplained radio frequency emissions were identified. All detected signals were traced to known system functions. Emissions not previously documented in FCC filings were confirmed to be standard artifacts of signal generation methods, not covert channels.
• No supply chain tampering or unauthorized hardware modifications were detected.

Low-Risk Findings and Remediation

Ten low-risk findings and thirteen observations were identified, consistent with industry norms for complex mobile and embedded systems. They were primarily related to application security configurations, session handling, and wireless hardening. None presented a realistic risk to safe drone operation or to widespread exposure of confidential information. DJI collaborated with OnDefend on potential remediation during the engagement and is working to address remaining items in subsequent software releases.

"During the window of testing, OnDefend's assessment of the Air 3S and Matrice 4E drone systems identified no clear evidence of hidden backdoors, no data transmissions outside the United States, and no viable pathways for hijacking or weaponization. No critical or high-risk findings were observed. To maintain national security assurance, ongoing testing of firmware, software updates, and verification of hardware and chip integrity are recommended for continuous and ongoing validation." — OnDefend 2026 DJI Security Assessment

"This is the most comprehensive independent security assessment ever undertaken on our products," said Adam Welsh, Head of Global Policy at DJI. "These findings confirm what DJI has consistently maintained: our products are secure, our data practices are transparent, and the concerns underlying our FCC Covered List designation are not supported by technical evidence. We commissioned this independent assessment because we believe facts should inform policy decisions. We are calling on the FCC to consider these findings carefully as part of our ongoing appeal, and we remain committed to engaging constructively with relevant authorities."

What Was Tested and How

The engagement ran from October 2025 through March 2026 and was structured around three national security concerns: data sovereignty, hardware vulnerabilities, and drone manipulation risks.

As part of the independent assessment, OnDefend conducted hardware and firmware testing that extended far beyond conventional cybersecurity validation. Leveraging its proprietary hardware testing technology and capabilities to perform advanced teardown, RF, and silicon-level analysis designed to identify unauthorized transmission pathways, covert RF channels, counterfeit components, undocumented modifications, hidden antennas, and broader supply chain integrity risks.

On the software side, OnDefend conducted static and dynamic application security testing of the DJI Fly and Pilot 2 applications, full network traffic analysis across standard and local data mode operation, and adversary simulation including meddler-in-the-middle attacks, certificate bypass, privilege escalation, and jailbreak attempts.

On the hardware side, the OnDefend team, enabled by their proprietary hardware testing technology, performed full-spectrum radio frequency scanning from 1 MHz to 6 GHz, PCB-level hardware teardown and component analysis, supply chain integrity verification, and RF exploitation testing including replay, jamming, and injection attacks.

Why OnDefend Was Selected as the Independent Security Inspector

OnDefend's offensive security team includes U.S. military and government professionals with deep operational experience in national security. The firm specializes in advanced adversarial testing designed to identify national security, supply chain, and technology integrity risks across software, hardware, and supply chain environments. Its proprietary testing technology uses AI-driven imaging and silicon-level analysis to identify unauthorized transmission pathways, counterfeit components, and undocumented hardware modifications, testing capabilities typically not part of standard hardware security assessments.

Testing Engagement

The findings reflect a defined window of testing. As with any point-in-time assessment, findings are specific to the software, firmware, and hardware versions evaluated during the engagement period. OnDefend has recommended that continuous independent validation be conducted as updates are released.

Context: FCC Covered List Designation

DJI's inclusion on the FCC Covered List in December 2025 was not accompanied by the identification of a specific, documented security vulnerability. DJI has appealed this designation and has consistently requested a transparent, evidence-based technical review.

DJI drones are widely used across public safety, agriculture, infrastructure, and creative industries in the United States. Restrictions on access to its technology would have downstream impacts on operational capability, business continuity, and cost structures for users across these sectors:

• More than 80%^[1] of the 1,800-plus state and local law enforcement agencies that use drones rely on DJI for search and rescue, accident reconstruction, crime scene documentation, and tactical overwatch.
• 43% of drone business users believe they would face an extremely negative or business-ending impact from DJI restrictions^[2].
• DJI is the industry standard for aerial cinematography, news gathering, and documentary production.

For more information on this audit, read the executive summary and visit the DJI Trust Center to learn more about DJI's continued investments in product security and independent validation.

[1]  DJI. Letter to Homeland Security Secretary Kristi Noem. December 2025.

[2]  Pilot Institute. The Effect of Banning Affordable UAS in the United States. December 2025.

 

Source: DJI