DJI releases findings of most comprehensive independent security assessment of its drone systems to date


No critical, high or medium risk findings identified during five months of adversarial testing conducted by US cybersecurity company OnDefend on DJI Air 3S and Matrice 4E

/PRNewswire/ — DJI, the world’s leading drone manufacturer, today released the findings of an independent security assessment conducted by OnDefend, a U.S.-based cybersecurity company trusted by national security actors and business leaders. The evaluation covered DJI Air 3S with the RC 2 remote controller and DJI Matrice 4E with the RC Plus 2 Enterprise remote controller, subjecting both systems to advanced penetration testing covering the areas of software, hardware, and radio frequency.

The evaluation was authorized by DJI, but carried out independently. To preserve the integrity of the evaluation, consumer units were purchased directly from retail outlets without prior notification to DJI, and enterprise units were obtained from existing distributor inventories. All devices tested reflect standard US market distribution.

Main findings

The assessment did not reveal any critical, high or medium risk findings. More precisely:

  • No evidence of data transmission outside the United States was identified. All connections observed from DJI flight control applications resolved to infrastructure located in the United States.
  • No backdoors or unauthorized remote access mechanisms were found. The controllers resisted all attempts to jailbreak and modify the firmware.
  • No unexplained radio frequency emissions were identified. All detected signals were attributed to known system functions. Broadcasts that were not previously documented in FCC records were confirmed to be standard artifacts of signal generation methods, not surreptitious channels.
  • No supply chain alterations or unauthorized hardware modifications were detected.

Low risk findings and corrective actions

Ten low-risk findings and thirteen observations were identified, consistent with industry standards for complex mobile and embedded systems. These mainly concerned application security configurations, session management and wireless security hardening. None presented a real risk to the safe operation of the drone or of mass exposure of confidential information. DJI collaborated with OnDefend on potential corrective actions during the engagement and is working to address remaining items in subsequent software releases.

“During the testing period, OnDefend’s evaluation of the Air 3S and Matrice 4E drone systems identified no clear evidence of hidden backdoors, no data transmission outside the United States, and no exploitable pathways for diversion or weaponization. No critical or high-risk findings were observed. To ensure national security, continuous testing of firmware, software updates as well as verification of hardware and chip integrity are recommended for continuous and uninterrupted validation.” – OnDefend 2026 DJI Security Assessment

“This is the most comprehensive independent safety assessment ever conducted on our products,” said Adam Welsh, head of global policies at DJI. “These findings confirm what DJI has always maintained: our products are safe, our data practices are transparent, and the concerns that led to our inclusion on the FCC Covered List are not supported by technical evidence. We commissioned this independent assessment because we believe that facts should inform policy decisions. We call on the FCC to carefully consider these findings as part of our ongoing appeal, and we remain committed to engaging constructively with the appropriate authorities.”

What was tested and how

The engagement ran from October 2025 to March 2026 and focused on three national security concerns: data sovereignty, hardware vulnerabilities and the risks of drone manipulation.

As part of the independent evaluation, OnDefend performed hardware and firmware testing that went well beyond traditional cybersecurity validations. It leveraged its proprietary hardware testing technology and capabilities to perform advanced teardown, RF and silicon-level analysis designed to identify unauthorized transmission paths, clandestine RF channels, counterfeit components, undocumented modifications, concealed antennas and broader supply chain integrity risks.

On the software side, OnDefend performed static and dynamic application security testing on DJI Fly and Pilot 2 applications, comprehensive network traffic analysis for standard and local data mode operation, and adversary simulations including man-in-the-middle attacks, certificate bypasses, privilege escalations, and jailbreak attempts.

On the hardware side, the OnDefend team, enabled by its proprietary hardware test technology, performed a comprehensive radio frequency spectrum analysis from 1 MHz to 6 GHz, PCB-level hardware teardown and component analysis, supply chain integrity verification, and RF exploit testing including replay, jamming, and injection attacks.

Why OnDefend was chosen as the independent security assessor

OnDefend’s offensive security team includes U.S. military and government professionals with extensive national security operational experience. The company specializes in advanced adversarial testing designed to identify national security, supply chain and technological integrity risks in software, hardware and supply chain environments. Its proprietary testing technology uses AI-driven imaging and silicon-level analysis to identify unauthorized transmission paths, counterfeit components, and undocumented hardware modifications, testing capabilities that are not typically part of standard hardware security assessments.

Scope of the test

Findings reflect a defined testing window. As with any point-in-time evaluation, findings are specific to the software, firmware, and hardware versions evaluated during the testing period. OnDefend recommended that ongoing independent validations be conducted as updates are released.

Background: Designation on the FCC Covered List

DJI’s inclusion on the FCC Covered List in December 2025 was not accompanied by the identification of a specific, documented security vulnerability. DJI has appealed this designation and has consistently called for a transparent, evidence-based technical review.

DJI drones are widely used in public safety, agriculture, infrastructure, and creative industries in the United States. Restrictions on access to its technology would have downstream impacts on the operational capacity, business continuity and cost structures of users across these sectors:

  • More than 80%[1] of the more than 1,800 state and local law enforcement agencies using drones rely on DJI for search and rescue operations, accident reconstruction, crime scene documentation and tactical surveillance.
  • 43% of professional drone users believe that they would suffer an extremely negative impact, even one fatal to their business, in the event of restrictions[2] imposed on DJI.
  • DJI is the industry standard for aerial cinematography, news gathering and documentary production.

For more information about this audit, read the executive summary and visit the DJI Trust Center to learn more about DJI’s continued investments in product security and independent validation.
