DJI-Commissioned Security Assessment Finds No Critical Vulnerabilities in Drone Systems

No evidence of hidden backdoors, no data transmissions outside the U.S.
OnDefend's core finding after five months of adversarial testing of DJI's drone systems.

In the long contest between technological openness and national security caution, DJI has placed a careful piece of evidence on the table: an independent five-month audit of two of its drone models, conducted by a U.S. cybersecurity firm, that found no backdoors, no unauthorized data flows, and no hidden radio channels. The company, listed on the FCC's Covered List since December 2025 without a publicly documented vulnerability, is now asking regulators to weigh technical findings against policy instinct. It is a moment that asks a deeper question — whether restriction without evidence is itself a form of risk, when the technology in question has become woven into the daily work of public safety and civic life.

  • DJI's FCC Covered List designation has cast a regulatory shadow over more than 1,800 U.S. law enforcement agencies and entire commercial sectors that depend on its drones for critical operations.
  • The absence of any specific, publicly disclosed vulnerability behind the FCC's December 2025 decision has left DJI fighting a designation it cannot fully see or directly refute.
  • OnDefend's adversarial testing — including firmware jailbreaks, man-in-the-middle attacks, and hardware teardowns — found zero critical, high, or medium-risk vulnerabilities across both consumer and enterprise models.
  • Ten low-risk findings and thirteen observations were identified, all characterized as unremarkable for complex embedded systems, with no evidence of data leaving U.S.-based infrastructure.
  • DJI is now centering its FCC appeal on these findings, calling for an evidence-based policy review, while OnDefend urges continuous validation as firmware evolves.
  • The outcome will determine whether a security audit can move regulatory policy, or whether geopolitical caution will hold regardless of what the technical record shows.

In late May 2026, DJI released the results of a five-month independent security assessment of its Air 3S and Matrice 4E drones, conducted by OnDefend, a U.S. cybersecurity firm with national security credentials. Running from October 2025 through March 2026, the examination was designed to answer three pointed questions: do these drones send data outside U.S. borders, do they contain hidden hardware vulnerabilities or backdoors, and can they be remotely hijacked or weaponized?

OnDefend purchased consumer units directly from retail shelves without advance notice to DJI, and sourced enterprise models from dealer inventory. The team then applied adversarial testing across software, hardware, and radio frequency domains — including network traffic analysis, component-level hardware teardowns, RF spectrum scanning, and attempts to exploit the systems through certificate bypass, privilege escalation, and firmware jailbreaks. None of these vectors revealed the vulnerabilities the assessment was built to find. All data connections resolved to U.S.-based infrastructure. No covert RF channels, backdoors, or unauthorized remote access mechanisms were detected. Ten low-risk findings and thirteen observations emerged — mostly routine application security configurations — consistent with what any complex mobile or embedded system might produce.

The timing matters. DJI has been on the FCC's Covered List since December 2025, a designation restricting federal procurement and signaling national security concern — yet one issued without the public disclosure of a specific, documented flaw. DJI has appealed, and the OnDefend findings are now the centerpiece of that challenge. Adam Welsh, DJI's Head of Global Policy, called the results a confirmation that the company's products are secure and its data practices transparent.

The stakes reach well beyond one company's regulatory standing. Over eighty percent of the roughly 1,800 U.S. state and local law enforcement agencies operating drones rely on DJI equipment for search and rescue, crime scene work, and tactical operations. Nearly half of commercial drone business users believe a DJI restriction would be severely damaging or business-ending. The question regulators must now answer is whether a clean independent audit is sufficient grounds to reconsider a Covered List designation, or whether broader policy concerns can sustain a restriction that the technical record does not yet support. OnDefend has recommended continuous validation as firmware updates are released — and that ongoing scrutiny may prove as consequential as the findings themselves.

In late May, DJI released the results of a five-month security examination of two of its drone models—the Air 3S and the Matrice 4E—conducted by OnDefend, a U.S. cybersecurity firm with deep ties to national security work. The assessment, which ran from October 2025 through March 2026, found no critical vulnerabilities, no high-risk flaws, and no medium-risk issues across the systems tested. It is the kind of clean bill of health that a company under regulatory pressure might hope for, and DJI is now wielding it as evidence that the concerns driving its inclusion on the FCC's Covered List are unfounded.

The testing was structured to address three specific national security worries: whether DJI drones transmit data outside U.S. borders, whether their hardware contains hidden vulnerabilities or backdoors, and whether they can be remotely hijacked or weaponized. OnDefend's investigators purchased consumer units directly from retail shelves without alerting DJI in advance, and sourced enterprise models from dealer inventory. They then subjected both to adversarial testing across three domains—software, hardware, and radio frequency emissions. The work was granular: static and dynamic application testing, full network traffic analysis, hardware teardowns at the component level, RF scanning across a broad spectrum, and attempts to exploit the systems through man-in-the-middle attacks, certificate bypass, privilege escalation, and firmware jailbreaks. None of these attack vectors succeeded in revealing the vulnerabilities the assessment was designed to find.

The findings were specific. OnDefend detected no evidence of data flowing to servers outside the United States. All connections from DJI's flight control applications resolved to U.S.-based infrastructure. The team found no backdoors, no unauthorized remote access mechanisms, and no unexplained radio frequency emissions that might suggest covert communication channels. The controllers resisted all attempts to jailbreak or modify their firmware. Supply chain integrity checks turned up no tampering or unauthorized hardware modifications. The assessment did identify ten low-risk findings and thirteen observations—mostly related to application security configurations, session handling, and wireless hardening—but these were characterized as consistent with what you would expect to find in any complex mobile or embedded system, and none posed a realistic threat to safe drone operation or widespread exposure of sensitive information.

DJI commissioned the assessment but did not control it. The company has been on the FCC's Covered List since December 2025, a designation that restricts federal procurement of its equipment and signals regulatory concern about national security risks. Notably, the FCC's decision to add DJI to the list was not accompanied by the disclosure of a specific, documented vulnerability. DJI has appealed the designation and has repeatedly called for a transparent, evidence-based technical review. The OnDefend findings are now the centerpiece of that appeal. Adam Welsh, DJI's Head of Global Policy, framed the results as vindication: the assessment confirms that DJI's products are secure, that the company's data practices are transparent, and that the technical concerns underlying the FCC's decision lack evidentiary support. He called on the FCC to weigh these findings carefully as it considers the company's appeal.

The stakes of this regulatory battle extend beyond DJI itself. More than eighty percent of the roughly 1,800 state and local law enforcement agencies that operate drones in the United States rely on DJI equipment for search and rescue, accident reconstruction, crime scene documentation, and tactical work. Restrictions on DJI technology would ripple through public safety operations. In the commercial sector, forty-three percent of drone business users surveyed believe they would face an extremely negative or business-ending impact if DJI were restricted. The company is also the industry standard for aerial cinematography, news gathering, and documentary production. The regulatory question, then, is not merely technical—it is about whether the U.S. government will restrict access to technology that has become embedded in the operational infrastructure of law enforcement, emergency response, and creative industries, absent clear evidence of a specific security flaw.

OnDefend's assessment is a point-in-time evaluation. The firm has recommended that continuous independent validation be conducted as DJI releases firmware and software updates. DJI has committed to addressing the low-risk findings identified in subsequent releases. The company is still appealing its FCC designation, and the technical findings released this week will likely feature prominently in that process. What happens next depends on whether regulators view the OnDefend assessment as sufficient evidence to reconsider the Covered List decision, or whether they maintain that the designation reflects broader policy concerns that no single security audit can fully address.

These findings confirm what DJI has consistently maintained: our products are secure, our data practices are transparent, and the concerns underlying our FCC Covered List designation are not supported by technical evidence.
— Adam Welsh, Head of Global Policy at DJI

No clear evidence of hidden backdoors, no data transmissions outside the United States, and no viable pathways for hijacking or weaponization were identified. To maintain national security assurance, ongoing testing of firmware and software updates is recommended.
— OnDefend, in its assessment summary

The Hearth Conversation: another perspective on the story

Inventor

Why did DJI commission this assessment now, and why OnDefend specifically?

Model

DJI was added to the FCC's Covered List in December 2025 without any disclosed technical vulnerability. The company appealed and has been asking for evidence-based review. OnDefend was chosen because its team includes former military and government security professionals with deep national security experience—the kind of credibility that matters when you're trying to convince regulators. DJI needed an auditor that couldn't be dismissed as friendly.

Inventor

What does "no critical vulnerabilities" actually mean in this context? Couldn't there be risks that just weren't found?

Model

That's the real tension. This is a five-month assessment of specific firmware and hardware versions. OnDefend tested for the things regulators worry about most—backdoors, covert data transmission, remote hijacking capability. They found none. But as OnDefend itself noted, this is a snapshot. New firmware could introduce new risks. The assessment doesn't prove DJI is permanently secure; it proves these specific versions passed rigorous testing.

Inventor

The FCC didn't cite a specific vulnerability when they added DJI to the list. So what was the actual concern?

Model

That's the core of DJI's argument. The FCC's decision appeared to rest on broader geopolitical and supply chain concerns—the fact that DJI is Chinese-owned, that data could theoretically be accessed by the Chinese government. But those are policy concerns, not technical ones. OnDefend's findings don't address whether the Chinese government *could* pressure DJI; they address whether DJI's systems contain hidden mechanisms for data exfiltration. Those are different questions.

Inventor

If eighty percent of U.S. law enforcement uses DJI drones, what happens if the FCC's designation stands?

Model

That's the leverage point. Restricting DJI would force police departments, fire services, and search-and-rescue teams to switch to other platforms—many of which are less mature, more expensive, or simply not available at scale. The operational disruption would be real. DJI is betting that regulators won't accept that cost without ironclad evidence of a specific security flaw.

Inventor

What does OnDefend's recommendation for "ongoing validation" really mean?

Model

It means they're hedging. They're saying: we found nothing wrong with what we tested, but DJI will release updates, and those updates need to be checked too. It's a way of saying the assessment is thorough but not final—which is honest, but it also means DJI can't use this as a permanent shield against future scrutiny.

Want the full story? Read the original at PR Newswire UK.