Independent assessment clears DJI drones of critical national security risks

An independent security assessment of two popular DJI drone systems has found no clear evidence of hidden backdoors, no data transmissions outside the US, and no viable pathways for hijacking or weaponisation. The evaluation, conducted by the cybersecurity firm OnDefend between October 2025 and March 2026, addressed major national security concerns surrounding the manufacturer. The results offer a significant boost to DJI, confirming that its devices pose no critical or high-risk cybersecurity threats to operators.

OnDefend, a firm trusted by national security stakeholders to test technologies and protect citizen data, performed a rigorous technical evaluation of the DJI Air 3S and the DJI Matrice 4E. The assessment covered the drones, their corresponding controllers—the RC 2 and RC Plus 2 Enterprise—and the DJI Fly and Pilot 2 mobile applications. To ensure the integrity of the supply chain, the enterprise units were drawn from existing dealer stock, while the consumer models were purchased independently without prior notification to DJI.

The comprehensive testing was divided into two tiers: standard testing, which evaluated application and network security, and advanced testing, which utilised proprietary hardware analysis to uncover hidden risks. Advanced testing included the digital imaging and cataloguing of every chip and component to establish a trusted hardware baseline. Artificial intelligence was used to compare current images against past records to detect counterfeits, tampering or undocumented modifications across global supply chains. Furthermore, adversary simulation techniques were employed—including interception, decryption and redirection testing—to ensure the drones’ communication protocols were robust. The proprietary O4 protocol proved fully resistant to replay, jamming and injection attacks.

A primary objective of the engagement was to determine whether the controllers or flight-control applications transmitted sensitive telemetry, imagery or geospatial data to non-US systems. Through extensive packet capture and destination analysis, researchers found no evidence of data exfiltration to foreign servers. All observed connections were resolved to US-based endpoints, including content-delivery infrastructure associated with Alibaba and Tencent, alongside expected services such as Google, Facebook and Amazon.

Furthermore, the assessment validated the effectiveness of DJI’s local data mode. This feature successfully prevented user data from being sent to internet-based locations from the drone flight-control application, although researchers noted that the controller operating system itself was not fully isolated from the network. For complete isolation, operators are advised to disable the controller’s wireless network connection entirely.

In addition to software analysis, the engagement closely examined hardware vulnerabilities to ascertain if the drones emitted undocumented radio frequencies. Such emissions could indicate covert communication channels or hidden data exfiltration paths. Following wide-spectrum scanning from 1MHz to 6GHz and near-field component analysis, OnDefend identified no unexplained radio emissions. While some emissions were not included in the manufacturer’s filings at the start of the assessment, they were later confirmed to be expected artefacts of documented signal-synthesis methods and changed in direct correlation with known operating states.

Despite the absence of critical vulnerabilities, the assessment identified 10 low-risk findings and 13 observations. These were primarily related to application security configurations, session handling and wireless hardening. Specific low-risk issues included persistent cross-site scripting, weak transport layer security protocols, and exposed authentication tokens in URLs within the mobile applications. A default shared password was also identified during standard testing, which DJI promptly patched via a firmware update. Assessors concluded that none of these minor weaknesses presented a realistic risk to safe drone operation or to the widespread exposure of confidential information.

Ultimately, the findings suggest that the fears surrounding the operational use of these specific DJI drones may be overstated. DJI collaborated with the security inspectors throughout the process to address potential remediation items and is reportedly working to resolve remaining issues in subsequent software releases. Operators may continue operating the drones with compensating controls while DJI patches the remaining low-risk findings. This residual-risk approach is well established in information-security practice and aligns with standard guidance. However, the report cautions that this individual assessment is bound by its specific timeframe. To maintain ongoing assurance regarding national security, continuous validation testing of firmware, software updates and hardware integrity is recommended across the full range of devices to outpace the adversary and secure future operations.

