DJI’s New U.S. Security Audit By OnDefend Finds No Backdoors, No Foreign Data Transmission In Air 3S And Matrice 4E

DJI released the results of an independent five-month security audit of the Air 3S and Matrice 4E this morning, with U.S. cybersecurity firm OnDefend finding zero critical, high, or medium-risk vulnerabilities across hardware, firmware, software, and radio frequency testing. No backdoors. No observed data transmission to destinations outside the United States. No viable pathways for hijacking or weaponization. No supply chain tampering. The 16-page report, dated May 14, 2026, drops directly into the public comment record of one of the most consequential drone regulatory fights in U.S. history, days after the Federal Communications Commission's May 11 reply deadline closed on DJI's petition for reconsideration of its Covered List designation. It is also the only third-party assessment of DJI hardware that has extended into silicon-level inspection and full 1 MHz to 6 GHz spectrum analysis.

OnDefend Tested Two Drones, Two Controllers, And Two Apps Across Five Months

OnDefend ran the engagement from October 21, 2025 through March 13, 2026, evaluating the DJI Air 3S with the RC 2 controller and the Matrice 4E with the RC Plus 2 Enterprise controller, along with the DJI Fly and Pilot 2 mobile applications. Two units of each model were tested across indoor and outdoor environments. Consumer units were bought from retail without notifying DJI. Enterprise units came out of existing dealer stock. The procurement model was designed so the units under test would match what any U.S. customer would receive.

The methodology covered three concerns the U.S. government has repeatedly cited against DJI: data sovereignty, hardware vulnerabilities, and drone manipulation. Software work included static and dynamic application security testing, full network traffic capture in both normal and Local Data Mode operation, meddler-in-the-middle interception with certificate checks bypassed so the encrypted traffic could be inspected, controller jailbreak attempts, and stress testing of exposed ports and services. Hardware work covered full-spectrum RF scanning from 1 MHz to 6 GHz, PCB-level teardowns with 1 mm near-field antennas tracing emissions back to specific integrated circuits, supply chain integrity checks against the Hardware Bill of Materials, and RF exploitation testing including replay, jamming, and malformed packet injection against ADS-B and Remote ID.


Zero Critical, High, Or Medium-Risk Vulnerabilities Were Found

The headline result is the count of confirmed vulnerabilities at each severity tier: zero critical, zero high, zero medium, ten low-risk, and thirteen observations. OnDefend’s executive summary states the bottom line plainly:

“During the window of testing, OnDefend’s assessment of the Air 3S and Matrice 4E drone systems identified no clear evidence of hidden backdoors, no data transmissions outside the United States, and no viable pathways for hijacking or weaponization.”

The data sovereignty finding matters most for the FCC fight. Packet capture across pre-flight, in-flight, and post-flight states found that every connection from the DJI flight-control applications resolved to U.S.-based IP addresses. Some of those connections went to content-delivery infrastructure associated with Alibaba and Tencent, but the nodes themselves were hosted in the United States. That distinction is worth keeping in view: a geolocated address establishes where the edge node sits, not who administers it or where data may be replicated from there, which is why a capture review records the operator alongside the location. Local Data Mode worked as documented in both flight apps, with no user data leaving the application even after the mode was toggled off. The controller operating system itself can still reach other services with LDM enabled, which OnDefend flagged as a documentation issue rather than an exfiltration risk.

On hardware, every RF emission OnDefend captured was traced to a documented system function. Some emissions had not been in DJI's FCC filings at the start of the engagement, but the team correlated them with operating states, switched bands and channels on the controller, and confirmed the signals shifted in lockstep with the documented O4 control protocol. The conclusion: artifacts of phase-locked loop and divider circuits in the signal pre-processing path, not covert channels. The O4 link held up against the replay, jamming, and malformed-packet injection attempts OnDefend ran against it. No hidden hardware transmitters were identified.
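The lockstep test OnDefend applied to undocumented emissions reduces to a comparison between two captures taken on different control-link channels: a spur that moves by a small integer multiple of the channel shift belongs to the synthesizer path, a spur that stays put is a fixed source that is either documented or needs near-field tracing, and a spur seen in only one state needs a re-capture. The script below is an added illustration written for this article, not the report's method, tooling, or data; the carriers, peak lists, tolerance, and the table of documented fixed sources are all constructed, and one undocumented fixed peak and one transient peak are included on purpose so every branch runs.

```python
"""Attribute spectrum peaks across two controller channel settings.

Constructed example: the carriers, peak lists and documented-source table are
hypothetical and are not OnDefend's captures or DJI's FCC filing data."""

# Constructed table of documented fixed-frequency sources (MHz) on the board.
DOCUMENTED_FIXED = {1575.42: "GNSS L1 receiver"}


def _match(freq, peaks, tol):
    """Return the first entry in `peaks` within `tol` MHz of `freq`, else None."""
    return next((p for p in peaks if abs(p - freq) <= tol), None)


def attribute_peaks(peaks_a, carrier_a, peaks_b, carrier_b, tol=0.25, max_order=3):
    """Classify every peak seen on channel A against the capture on channel B.

    peaks_a / peaks_b: peak centre frequencies in MHz from the two captures.
    carrier_a / carrier_b: documented control-link carrier on each channel.
    Returns (frequency, class, note) per peak in peaks_a, where class is one of
    carrier, tracks_channel, documented_fixed, unexplained_fixed, transient.
    """
    delta = carrier_b - carrier_a
    if delta == 0:
        raise ValueError("both captures use the same channel; nothing can shift")
    results = []
    for f in peaks_a:
        cls = None
        if abs(f - carrier_a) <= tol:
            cls = ("carrier", f"documented control-link carrier at {carrier_a} MHz")
        else:
            # A spur that moves by n * delta is tied to the channel synthesizer:
            # an image or mixing product (n=1) or a harmonic/divider product (n>1).
            for n in range(1, max_order + 1):
                if _match(f + n * delta, peaks_b, tol) is not None:
                    cls = ("tracks_channel",
                           f"order {n}: shifts by {n * delta:+.2f} MHz with the carrier")
                    break
        if cls is None and _match(f, peaks_b, tol) is not None:
            doc = _match(f, DOCUMENTED_FIXED, tol)  # iterates over the dict keys
            if doc is not None:
                cls = ("documented_fixed", DOCUMENTED_FIXED[doc])
            else:
                cls = ("unexplained_fixed",
                       "trace with near-field probe to the emitting IC")
        if cls is None:
            cls = ("transient", "seen in one state only; re-capture before classifying")
        results.append((f, cls[0], cls[1]))
    return results


# Constructed captures: channel A centred at 2412 MHz, channel B at 2462 MHz.
PEAKS_A = [2412.0, 2452.0, 4824.0, 1575.42, 433.92, 5800.0]
PEAKS_B = [2462.0, 2502.0, 4924.0, 1575.42, 433.92]

if __name__ == "__main__":
    for freq, cls, note in attribute_peaks(PEAKS_A, 2412.0, PEAKS_B, 2462.0):
        print(f"{freq:9.2f} MHz  {cls:18} {note}")
```

The order check runs before the fixed check so a spur that happens to sit near a documented fixed frequency on one channel is still attributed to the synthesizer if it moves on the other; the `delta == 0` guard prevents the degenerate case where every peak would trivially "track" the channel.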

The Ten Low-Risk Findings Cluster Around Wireless And Application Hardening

OnDefend identified ten low-risk software issues and a handful of operationally meaningful recommendations. The software findings include a persistent access token in DJI Fly, cryptographic key storage not aligned to best practice, authentication tokens exposed in URLs, a persistent pre-shared key for WPA wireless authentication on Air 3S drones, persistent (stored) cross-site scripting in DJI Fly, weak TLS protocols and ciphers, a denial-of-service condition on an open port, and a local file inclusion with path traversal in the FlyShare feature on the RC 2. None of these enable hijacking or mass data exposure, though a fleet operator would reasonably confirm the path traversal and token-in-URL items are addressed in current firmware before deployment. OnDefend characterized the findings as "consistent with industry norms for complex mobile and embedded systems." One hardware recommendation worth flagging separately: OnDefend recommended that DJI remove 4G dongle-associated antenna structures from drones sold in the U.S. market. The recommendation does not allege covert function. It is a clean engineering ask DJI can act on in the next hardware revision. A default shared Wi-Fi password issue on the RC 2 was patched by DJI via firmware update during the engagement.
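The traffic-capture review behind the data sovereignty finding and the TLS and token-in-URL items among the low-risk findings both come down to one triage pass over flow records: where did each connection go and who runs that node, did anything app-originated leave under Local Data Mode, was the transport weak, and did a credential ride in a query string. The script below is an added example written for this article, not OnDefend's tooling, data, or findings. The key=value record format, the prefix-to-operator table, every address and hostname, and the sample log are constructed, and the sample deliberately contains violations so each check fires; the report, by contrast, recorded no foreign destinations and no LDM leakage.

```python
"""Triage of a constructed flow log: destination hosting and operator, Local
Data Mode containment, TLS strength and tokens in URLs.

Everything here (record format, prefix table, addresses, hostnames, sample
records) is made up for the illustration; it is not OnDefend's tooling or data."""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed prefix table.  A geolocated IP says where the edge node sits,
# not who administers it, so country and operator are tracked separately.
PREFIX_TABLE = [
    ("198.51.100.0/24", "US", "dji-us-cloud"),
    ("203.0.113.0/25", "US", "alibaba-cdn"),
    ("203.0.113.128/25", "US", "tencent-cdn"),
    ("192.0.2.0/24", "CN", "unknown-overseas"),
]
FOREIGN_AFFILIATED = {"alibaba-cdn", "tencent-cdn"}
WEAK_PROTOS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_RE = re.compile(r"RC4|3DES|DES-CBC|NULL|EXPORT|MD5", re.I)
TOKEN_PARAMS = {"token", "access_token", "auth", "session", "apikey", "api_key"}
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample records, one flow per line (src=app is the flight app,
# src=os is the controller operating system).
SAMPLE_LOG = """\
ts=2026-01-15T10:02:11Z phase=preflight src=app ldm=off dst=198.51.100.5:443 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 url=https://api.example/v1/check
ts=2026-01-15T10:05:40Z phase=inflight src=app ldm=off dst=203.0.113.20:443 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 url=https://cdn.example/map/tile?z=3
ts=2026-01-15T10:41:02Z phase=postflight src=app ldm=on dst=198.51.100.5:443 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 url=https://api.example/v1/sync
ts=2026-01-15T10:41:09Z phase=postflight src=os ldm=on dst=198.51.100.9:443 proto=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 url=https://time.example/ntp
ts=2026-01-15T10:44:30Z phase=postflight src=app ldm=off dst=192.0.2.7:443 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 url=https://stats.example/upload
ts=2026-01-15T10:45:01Z phase=postflight src=app ldm=off dst=198.51.100.7:443 proto=TLSv1 cipher=ECDHE-RSA-AES128-SHA url=https://api.example/login?token=abc123
"""


def locate(ip):
    """Return (country, operator) for an address from the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, country, operator in PREFIX_TABLE:
        if addr in ipaddress.ip_network(net):
            return country, operator
    return "??", "unknown"


def triage_flow(rec):
    """Apply the four checks to one parsed record; return (level, check, detail) tuples."""
    out = []
    ip = rec["dst"].rpartition(":")[0]
    country, operator = locate(ip)
    if country != "US":
        out.append(("finding", "destination_outside_us", f"{rec['dst']} ({country})"))
    elif operator in FOREIGN_AFFILIATED:
        # Hosted in the US, but the operator affiliation is still recorded.
        out.append(("observation", "foreign_affiliated_operator_us_hosted", operator))
    if rec.get("ldm") == "on":
        if rec.get("src") == "app":
            out.append(("finding", "ldm_leak", rec.get("url", "")))
        else:
            # Controller-OS traffic under LDM: a documentation point, not exfiltration.
            out.append(("observation", "os_traffic_under_ldm", rec.get("url", "")))
    if rec.get("proto") in WEAK_PROTOS or WEAK_CIPHER_RE.search(rec.get("cipher", "")):
        out.append(("finding", "weak_tls", f"{rec.get('proto')} {rec.get('cipher')}"))
    query = parse_qs(urlsplit(rec.get("url", "")).query)
    exposed = sorted(k for k in query if k.lower() in TOKEN_PARAMS)
    if exposed:
        out.append(("finding", "token_in_url", ",".join(exposed)))
    return out


def triage(log_text):
    """Parse every non-empty line and collect results across the capture."""
    results = []
    for line in log_text.splitlines():
        rec = dict(KV_RE.findall(line))
        if rec:
            results.extend(triage_flow(rec))
    return results


def summarize(results):
    """Count results by check name, the input for a severity-tier table."""
    return Counter(check for _, check, _ in results)


if __name__ == "__main__":
    for level, check, detail in triage(SAMPLE_LOG):
        print(f"{level:12} {check:40} {detail}")
```

The finding-versus-observation split mirrors the report's distinction: an app-originated flow under Local Data Mode would be a real finding, while controller-OS traffic under LDM is logged as an observation. The weak-cipher pattern is deliberately narrow (only ciphers with no defensible use); what counts as "weak" in a given engagement is a scoping decision, not something the script should decide on its own.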

OnDefend’s TikTok Background Makes This Report Hard To Dismiss

The credibility of the inspector is the question critics will raise first, since DJI authorized the engagement and disclosed paying for it. OnDefend is based in Jacksonville, Florida, with a Washington, D.C. office, and its offensive security team is staffed with U.S. military and government professionals. The company was selected as one of the Independent Security Inspectors for TikTok USDS, the U.S. data security program created to address national security concerns about that platform, and the work led to a continuous security inspector program for other hyperscalers. JAXUSA Partnership named OnDefend its 2025 Innovator of the Year. If the same inspector framework is good enough for one of the most politically scrutinized Chinese-owned platforms in the United States, the argument that it is not good enough for a drone audit gets thinner.

The Audit Lands As The FCC Reconsideration Record Closes And The Ninth Circuit Fight Continues

The timing is not accidental. The FCC’s public comment process on DJI’s petition for reconsideration of the Covered List designation closed with replies due May 11, 2026, drawing more than 3,000 comments across the proceeding. That volume is roughly ten times what comparable FCC proceedings draw, and most of the comments came from law enforcement agencies, fire departments, search-and-rescue teams, farmers, and small businesses whose access to DJI hardware is being constrained without a publicly identified vulnerability behind the restriction.

The Department of Defense filed its opposition in April citing classified intelligence that the department did not put on the public docket. That asymmetry is the central problem in the entire proceeding. The classified intelligence pipeline cannot be tested in public. The public claims about data going to China, hidden backdoors, hijacking risk, and supply chain tampering can be tested in public. OnDefend just tested them.

This is the latest in a long line of independent third-party audits DJI has subjected its products to in recent years. FTI Consulting audited the Mavic 3T, Pilot 2, and RC Pro in 2024 and found no unexpected data transmission and zero outbound traffic in Local Data Mode. Booz Allen Hamilton produced a similar finding on earlier hardware. So did Kivu Consulting. So did Germany’s TÜV SÜD. The Idaho National Laboratory conducted a Department of Homeland Security-directed evaluation. No malware was found. No backdoors. No foreign data exfiltration. The December 22, 2025 FCC decision adding all foreign-made drones to the Covered List arrived without any U.S. national security agency having completed the audit Congress mandated under Section 1709 of the FY2025 NDAA.

Adam Welsh, DJI’s Head of Global Policy, said in the company’s statement announcing the report that the OnDefend findings “confirm what DJI has consistently maintained: our products are secure, our data practices are transparent, and the concerns underlying our FCC Covered List designation are not supported by technical evidence.”

DroneXL’s Take

I have covered every DJI security audit going back to the Kivu Consulting work, and I wrote up the FTI 2024 Mavic 3T result the day the report dropped. That is years of watching the same loop run. A reputable independent inspector tests DJI hardware. The findings come back clean. Congress and the agencies treat the report as background noise. The next audit cycle starts. OnDefend is the latest run through this loop, and it is the most technically aggressive engagement yet, the first to image every chip on the board and compare against expected supply chain provenance with AI-driven analysis.

The audit cannot win the political fight on its own, and pretending otherwise misreads where the FCC proceeding actually lives. The agency record is loaded against DJI. The DoD filing in April invoked classified intelligence the public cannot see. The structural problem with that asymmetry has not changed. What the OnDefend report does is move the falsifiable public claims into testable territory. If a U.S. intelligence agency holds non-public evidence that DJI drones contain hidden backdoors, that evidence now contradicts a published technical report from a U.S. inspector the government has trusted with TikTok. The same applies to claims about data being exfiltrated to China or covert RF transmitters embedded in the hardware. The contradiction has to live somewhere.

Two things to watch. First, whether the OnDefend report is formally entered into ET Docket 26-22 as supplemental evidence or referenced in DJI’s Ninth Circuit briefing in Case 26-1029. The Ninth Circuit is where the substantive statutory question lives, and a technically rigorous audit from a U.S. inspector with TikTok-grade credentials reaches the bench differently than a self-published manufacturer white paper. Second, whether the Foundation for Defense of Democracies or the Pentagon files a substantive technical rebuttal that engages with the OnDefend methodology rather than restating the cybersecurity concerns the audit was designed to test. A rebuttal that ignores the audit and reasserts prior claims is a tell. A rebuttal that points at the audit’s point-in-time limitation and asks for continuous testing is the response that moves the conversation forward, and OnDefend itself recommended exactly that cadence.

The open question the audit does not answer, and was never designed to answer, is whether the Department of War’s classified record contains information that would change a reasonable technical reader’s view. That is not a question OnDefend can settle. It is a question that lives at the intersection of the Ninth Circuit’s tolerance for ex parte classified evidence and the FCC’s willingness to defend a sweeping country-of-origin policy on a record whose public side keeps getting weaker.

Sources: DJI press release via PRNewswire; OnDefend DJI Security Assessment Executive Report (May 14, 2026); DJI Public Relations correspondence provided directly to DroneXL.

DroneXL uses automated tools to support research and source retrieval. All reporting and editorial perspectives are by Haye Kesteloo.
