Particle.news

DJI Publishes U.S. Security Audit Finding No Major Flaws in Two Drone Models

The report is intended to bolster DJI’s appeal of the FCC Covered List by supplying technical evidence for regulators to consider.

Overview

  • DJI published the OnDefend assessment Thursday reporting zero critical, high, or medium risks for the Air 3S and Matrice 4E and finding no evidence of backdoors or data leaving the United States.
  • OnDefend ran a five-month adversarial engagement from October 2025 to March 2026 that used retail- and dealer-procured units and combined hardware teardowns, full-spectrum RF scanning, and app-level network and attack simulations.
  • The audit identified ten low-risk findings and thirteen observations that included exposed authentication tokens in URLs, weak TLS ciphers, persistent cross-site scripting, an open-port denial-of-service condition, a local file inclusion bug, and a default shared Wi-Fi password that DJI has since patched.
  • OnDefend recommended ongoing independent validation, migrating content-delivery infrastructure away from non-U.S. providers such as Alibaba and Tencent for U.S. traffic, and removing 4G-dongle antenna structures from drones sold in the U.S.
  • Independent observers say the vendor-funded, point-in-time test of two models strengthens DJI’s appeal but cannot replace a full government national-security review and may not account for future firmware or hardware changes, so regulators and courts will remain the deciding forums.