China-based drone maker DJI released an independent security assessment of two drone models that found no evidence of hidden backdoors, foreign data exfiltration or covert radio transmissions. The release gives DJI fresh evidence in its fight with U.S. regulators over whether its products pose a national security risk.
The report, conducted by OnDefend and released by DJI on May 28, examined the DJI Air 3S with RC 2 controller and DJI Fly app, along with the Matrice 4E with RC Plus 2 Enterprise controller and Pilot 2 app. The review covered network traffic, firmware, mobile apps, controllers, radio frequency emissions, hardware components and supply chain integrity during a five-month engagement that ran from October 2025 to March 2026.
OnDefend reported zero critical, high or medium-risk findings. The firm said it found no evidence that controller devices or flight-control apps sent data outside the United States, no unauthorized remote access mechanisms, no unexplained RF emissions and no supply chain tampering.
The firm did find 10 low-risk results and 13 observations, mostly tied to application security configuration, session handling and wireless hardening. DJI said it worked with OnDefend on remediation during the review and will address remaining issues in later software releases.
OnDefend tested DJI’s Air 3S, a high-end consumer camera drone used by creators and small commercial operators. Also tested was the Matrice 4E, an enterprise drone used for surveying, mapping, construction, mining and inspection work. The Air 3S sells for about $1,100 to $1,600 depending on controller bundle, while the Matrice 4E is closer to a $5,000 commercial system.
DJI’s fight with Washington
While the report addresses allegations of backdoors, data transfer, RF emissions and device-level security, it does not fully answer broader concerns about supply chain dependence, Chinese legal jurisdiction, future firmware changes or the strategic risks of relying on a Chinese drone supplier for U.S. public safety and commercial operations.
The report lands in the middle of a larger fight over the future of DJI in the U.S. market. In December, the FCC added foreign-produced uncrewed aircraft systems and critical components to its Covered List, a designation tied to equipment viewed as an unacceptable national security risk. Once equipment is covered, FCC rules can prevent new products from receiving equipment authorization, limiting imports, marketing and sales in the U.S.
DJI sued in February to challenge the decision, arguing the process was flawed and harmful to U.S. customers. Existing DJI drones can still be sold and used, but the restriction has created uncertainty around new models, replacement parts and future product launches.
DJI accounts for more than 76% of commercial drones sold in the U.S., according to a 2025 market analysis by Alliance for System Safety of UAS through Research Excellence. Its products are used by first responders, farmers, infrastructure inspectors, creators, real estate businesses and public safety agencies.
The audit gives DJI a stronger technical record, but it does not end the policy fight. Critics of DJI restrictions argue regulators have leaned too heavily on suspicion without product-level proof. Supporters of the restrictions argue the issue is broader than whether two drones showed evidence of exfiltration during one testing window.
OnDefend acknowledged the limits of a point-in-time assessment. The firm recommended continuous validation of firmware, software, hardware and chip integrity as products and supply chains change.
