OnDefend audit found no critical or high-risk vulnerabilities in tested DJI systems
DJI has released the results of an independent cybersecurity assessment conducted by U.S.-based security firm OnDefend, as the company continues its appeal of inclusion on the Federal Communications Commission’s Covered List.
The assessment examined two DJI drone systems, the DJI Air 3S and the DJI Matrice 4E, over a five-month period from October 2025 through March 2026. According to the report, OnDefend identified “zero critical, high, and medium-risk findings” during testing.

DJI said the assessment included software, hardware, firmware, and radio frequency testing. The company stated that consumer devices were purchased independently from retail channels without prior notice to DJI, while enterprise systems were sourced from dealer inventory.
Findings of the Security Assessment
Among the findings cited in the release:
- No evidence of data transmission outside the United States
- No identified backdoors or unauthorized remote access mechanisms
- No unexplained radio frequency emissions
- No detected supply chain tampering or unauthorized hardware modifications
The report also identified ten low-risk findings and thirteen observations related primarily to application security configurations and wireless hardening. DJI stated that remediation efforts are underway through future software updates.
In a statement included in the release, OnDefend said the testing identified “no clear evidence of hidden backdoors, no data transmissions outside the United States, and no viable pathways for hijacking or weaponization.”
DJI’s inclusion on the FCC Covered List in December 2025 has become one of the most closely watched policy issues in the U.S. drone industry. The Covered List identifies communications equipment and services that the FCC determines pose a risk to national security. DJI has challenged the designation, arguing that no specific technical vulnerability has been publicly identified.
The FCC has also received significant public feedback on the issue. More than 3,000 comments have reportedly been submitted regarding DJI’s petition challenging its Covered List designation.
Supply Chain Security Becomes a Larger Focus
Platform security may not address the real issue, however.
The debate around DJI and other foreign-manufactured drone systems has evolved over the past several years. Early discussions often centered on platform-level cybersecurity concerns, including questions about data transmission, remote access, and software integrity.
More recently, however, U.S. government officials have increasingly framed the issue as one of supply chain resilience and strategic manufacturing capacity.
At a recent public presentation, Defense Innovation Unit (DIU) Director Travis Metz described the challenge in broader terms.
“If we were at war with our likely adversaries and needed millions of these drones, those adversaries would not sell us the parts to build them,” Metz said. “We have to plan for a future where we cannot purchase parts from our adversaries.”
That shift in emphasis has become increasingly visible across multiple federal actions, including FCC proceedings, Department of Defense procurement programs, and broader efforts to encourage domestic drone manufacturing and component sourcing.
The FCC’s Covered List process itself has also expanded beyond complete platform bans. In recent months, the commission has established pathways for conditional approvals and exemptions for certain aircraft and components. Earlier FCC notices outlined exemptions for several systems that met specific criteria related to security review and supply chain considerations.
Ongoing FCC Review
The FCC’s review process now appears to involve both cybersecurity evaluation and broader questions surrounding trusted supply chains and long-term industrial capacity.
DJI maintains that the findings from the OnDefend assessment support its position that concerns underlying its Covered List designation are not supported by technical evidence.
“This is the most comprehensive independent security assessment ever undertaken on our products,” said Adam Welsh, Head of Global Policy at DJI. “These findings confirm what DJI has consistently maintained: our products are secure, our data practices are transparent, and the concerns underlying our FCC Covered List designation are not supported by technical evidence.”
The company said it will continue engaging with the FCC as its appeal process moves forward. DJI drones remain widely used across public safety, agriculture, infrastructure inspection, and media production sectors in the United States.


Miriam McNabb is the Editor-in-Chief of DRONELIFE and CEO of JobForDrones, a professional drone services marketplace, and a fascinated observer of the emerging drone industry and the regulatory environment for drones. Miriam has penned over 3,000 articles focused on the commercial drone space and is an international speaker and recognized figure in the industry. Miriam has a degree from the University of Chicago and over 20 years of experience in high tech sales and marketing for new technologies.

