Independent DJI drone security audit finds no critical risks

DJI has published the results of what it describes as the most comprehensive independent security assessment ever conducted on its products.

The evaluation was carried out by OnDefend, a U.S.-based cybersecurity firm trusted by enterprise organisations and national security stakeholders.

It produced zero critical, high, or medium-risk findings.

Although commissioned by DJI, the assessment was conducted independently.

To ensure objectivity, enterprise devices were sourced from existing dealer inventory, while consumer units were purchased directly from retail outlets without prior notification to DJI.

All devices tested were standard models distributed within the U.S. market, but the assessment's findings are globally relevant, as cybersecurity and data governance become increasingly important considerations in drone procurement and deployment.

Key findings

Key conclusions included:

• No evidence of data transmission outside the United States. All observed connections from DJI flight control applications were routed through U.S.-based infrastructure.

• No backdoors, hidden access mechanisms, or unauthorised remote access capabilities were identified.

• Controllers successfully resisted all jailbreak and firmware modification attempts.

• No unexplained RF emissions were detected. All signals observed during testing were linked to documented system functions. Emissions not previously referenced in FCC filings were determined to be standard by-products of signal generation processes rather than covert communication channels.

• No evidence of supply chain tampering or unauthorised hardware modifications was found.

Expert insight

"During the window of testing, OnDefend's assessment of the Air 3S and Matrice 4E drone systems identified no clear evidence of hidden backdoors, no data transmissions outside the United States, and no viable pathways for hijacking or weaponisation. No critical or high-risk findings were observed. To maintain national security assurance, ongoing testing of firmware, software updates, and verification of hardware and chip integrity are recommended for continuous validation."

— OnDefend 2026 DJI Security Assessment

Low-risk findings

The assessment identified ten low-risk findings and thirteen observations, which OnDefend noted were consistent with those commonly found in complex mobile and embedded systems.

These findings primarily related to application security settings, session management, and wireless security hardening.

According to the report, none posed a realistic threat to safe drone operations or created a significant risk of confidential information exposure.

DJI worked with OnDefend during the assessment to evaluate potential mitigations and is addressing the remaining items through future software updates.

Scope of testing

The engagement took place between October 2025 and March 2026 and focused on data sovereignty, hardware vulnerabilities, and drone manipulation risks.

Software testing

Testing included:

• Static and dynamic security analysis of the DJI Fly and DJI Pilot 2 applications.

• Full network traffic analysis during both standard operation and Local Data Mode.

• Adversarial simulations, including man-in-the-middle attacks, certificate bypass attempts, privilege escalation testing, and jailbreak attempts..

Hardware testing

Hardware evaluation included:

• Full-spectrum RF scanning from 1 MHz to 6 GHz.

• PCB-level teardown and component analysis.

• Supply chain integrity verification.

• RF exploitation testing, including replay, jamming, and signal injection attacks.

DJI response

Adam Welsh, DJI's Head of Global Policy, said the findings reinforce the company's long-standing position on product security and data transparency.

He said: "This is the most comprehensive independent security assessment ever undertaken on our products. These findings confirm what DJI has consistently maintained: our products are secure and our data practices are transparent."

Why OnDefend?

OnDefend's offensive security team includes former U.S. military and government specialists with extensive national security experience.

The company employs proprietary testing technologies that combine AI-driven imaging with silicon-level hardware analysis to identify unauthorised transmission pathways, counterfeit components, and undocumented hardware modifications.

Summary

OnDefend's six-month security assessment found no evidence of hidden backdoors, unauthorised data transfers outside the U.S., hardware tampering, or vulnerabilities that could allow DJI drones to be remotely hijacked or weaponised.

The audit identified no critical, high, or medium-risk security issues, with only a small number of low-risk findings that DJI is working to address.

The report represents one of the most extensive independent evaluations ever conducted on DJI products.

It adds fresh technical evidence to the wider debate surrounding drone security and data sovereignty, and shows the safe nature of DJI's drone solutions.