Let’s get to the good part first:
Independent Security Assessment Finds No Evidence of Hidden Backdoors or Foreign Data Transmission in DJI Drone Platforms!
____________________________________________________________________________________________
Let’s be honest — there’s been a lot of noise surrounding DJI over the last few years. Allegations, assumptions, political talking points, and plenty of speculation about data security, foreign access, and whether DJI drones pose some sort of national security threat.
Now we finally have something the industry has been asking for for quite a while: an independent technical assessment based on actual testing. Now we have something to hang our hats on instead of rhetoric.
Cybersecurity firm OnDefend recently completed what is one of the most comprehensive third-party evaluations ever conducted on DJI drone systems and their supporting infrastructure. Over a five-month period, the company tested the DJI Air 3S and DJI Matrice 4E platforms, along with their controllers, firmware, applications, RF systems, and communications protocols.
____________________________________________________________________________________________
And the main finding of the audit is pretty straightforward:
The assessment found no evidence of hidden backdoors, no unauthorized transmission of data outside the United States, and no viable pathways for hijacking or weaponizing the drones. And those are the main arguments set forth by DJI detractors in the U.S. drone manufacturing industry, their backing organization, Congressional members, and D.C. bureaucrats!
That’s a pretty big deal!
____________________________________________________________________________________________
A Real Technical Evaluation — Not Politics
The testing wasn’t some quick software scan or marketing exercise. OnDefend went deep. And OnDefend was the perfect company for this. Their flagship breach and attack simulation (BAS) software, BlindSPOT, and their advisory services are well-received by enterprise and government clients. Yes, “government clients”. If no one in our own government wanted to put their name on the dotted line with an audit, why not have a company with a good reputation with our government do it?
The audit covered:
- Software and firmware analysis
- Hardware teardown and validation
- RF spectrum analysis
- Network traffic monitoring
- Supply chain verification
- Adversarial attack simulations
- Replay, jamming, and injection testing
- Jailbreak and firmware modification attempts
The audit included two of their newest and best-selling drones:
- DJI Air 3S with RC 2 controller and DJI Fly app
- DJI Matrice 4E with RC Plus 2 Enterprise controller and Pilot 2 app
According to the report, no critical or high-risk vulnerabilities were identified during the engagement.
That doesn’t mean the systems were perfect (we all know that no connected technology is) but it does mean the catastrophic scenarios often discussed publicly (in D.C.) simply weren’t supported by the evidence gathered during testing.
Let’s answer the Big Question: Is DJI Sending Data Overseas?
This is the main issue that has been dominating conversations in Washington, D.C. for years. So OnDefend specifically tested whether flight data, telemetry, imagery, or operational information could be transmitted outside the United States or beyond operator control.
The report says they found no evidence of that happening.
The testing focused heavily on DJI’s Local Data Mode, which is designed to isolate flight operations from internet connectivity. According to the assessment, Local Data Mode successfully prevented user flight data from being transmitted to internet-based destinations while enabled.
Even more interesting, investigators found no evidence that historical flight data was later uploaded once the system returned to normal operating mode. This was an important finding, because that very accusation has been made in testimony before Congressional committees.
While Local Data Mode isolated the flight-control applications themselves, the controller operating system could still establish network connections if Wi-Fi remained enabled. Because of that, OnDefend recommended disabling Wi-Fi entirely for operators seeking complete isolation. This is an important, actionable finding. Those companies worried about this should take note.
This finding is not exactly shocking, and should be expected in any audit. Any connected device with Wi-Fi enabled can potentially communicate externally unless isolated properly.
But the key takeaway remains: This report found no evidence that DJI drones were transmitting operational data outside the United States without operator knowledge.

RF Testing and Hidden Transmission Concerns
Another major concern surrounding DJI has involved allegations of hidden communications systems or undocumented RF behavior.
So OnDefend tested that too.
The company conducted repeated RF spectrum scans from 1 MHz to 6 GHz in both lab and outdoor flight environments looking for unexplained emissions or covert communications channels. What they found was: normal drone behavior.
According to the report, all observed RF emissions could be tied back to documented operational functions or expected signal-generation behavior associated with DJI’s communications systems.
Investigators did identify some emissions not specifically listed in FCC documentation at the beginning of the engagement, but ultimately concluded those signals were tied to normal signal synthesis and expected operating states, not hidden communications systems.
The report also tested DJI’s O4 communications protocol against replay attacks, jamming attempts, and malformed signal injection. The protocol reportedly resisted those attacks during testing. Again, that’s significant because these are exactly the kinds of concerns often raised publicly without much technical evidence attached.
Supply Chain Concerns
Supply chain integrity has become a huge issue across the entire tech sector, not just drones. To address that concern, OnDefend independently purchased both retail and enterprise DJI systems without coordination from DJI itself.
The company then performed hardware teardowns, component cataloging, and hardware bill-of-materials validation to look for:
- Counterfeit components
- Unauthorized modifications
- Supply chain tampering
- Undocumented hardware changes
According to the report, none were found. That doesn’t mean supply chain risks don’t exist in modern electronics; of course they absolutely do, across the entire industry. But this particular assessment found no evidence of tampering or hidden hardware modifications in the tested systems. None.
____________________________________________________________________________________________
Yes, They Found Some Issues
Now before anyone screams “See! It wasn’t perfect!”, let’s talk about the findings they did identify. After all, finding issues is the entire point of every audit ever done. I’d love to see any drone company (regardless of country of origin) survive an in-depth audit and not find any issues.
OnDefend only documented ten low-risk findings and thirteen observations related mostly to software hardening and wireless configurations.
Examples included:
- Weak TLS cipher support
- Authentication tokens exposed in URLs
- Persistent wireless authentication settings
- Certain controller port behaviors
- Software hardening recommendations

In other words: pretty standard stuff for complex connected systems.
Importantly, the report specifically stated that none of the identified issues represented a realistic threat to flight safety or widespread exposure of sensitive information. Read that again, “none of the identified issues represented a realistic threat to flight safety or widespread exposure of sensitive information”.
DJI also reportedly worked with OnDefend during the engagement to address remediation opportunities, and at least one issue, involving a shared Wi-Fi password, was patched during testing.
That’s exactly how responsible security testing is supposed to work.
____________________________________________________________________________________________
Why This Matters
Whether you love DJI, hate DJI (why would you do that?!?!), or simply fly whatever gets the job done, this report matters because it injects actual technical evidence into a conversation that has often been dominated by politics and speculation. For years, many in the drone industry have asked for transparent third-party testing instead of assumptions.
Now we have it.
And frankly, this report is likely to become part of the ongoing conversation in Washington, D.C. surrounding drone policy, procurement restrictions, and national security concerns. Will it end the debate? Of course not.
But independent testing from a U.S.-based cybersecurity firm carries a lot more weight than internet rumors and political soundbites. And that’s what so many of the arguments have been based on, “internet rumors and political soundbites”.
____________________________________________________________________________________________
The Bigger Picture
One thing the report gets absolutely right is that cybersecurity is never “finished.” Firmware changes. Software evolves. Hardware revisions happen. Threats change constantly.
OnDefend emphasized the importance of continuous validation rather than one-time certification, recommending recurring testing across software releases, firmware updates, and hardware revisions. That’s the reality of modern connected technology. It’s not just drones.
At the end of the day, this assessment doesn’t prove DJI systems are magically immune from future vulnerabilities. No technology company can honestly claim that. What it does show is that when subjected to extensive independent testing, investigators found no evidence supporting many of the most serious allegations currently surrounding DJI platforms.
And in today’s environment, that’s a critically important distinction!
Download your copy of the DJI Press Release here.
