DJI has released the results of the most extensive independent cybersecurity assessment ever conducted on its drone ecosystem. The five-month evaluation, performed by U.S.-based cybersecurity firm OnDefend, examined both consumer and enterprise drone platforms and identified no critical, high, or medium-risk security vulnerabilities.
The assessment covered two systems: the DJI Air 3S paired with the DJI RC 2 controller, and the DJI Matrice 4E with the DJI RC Plus 2 Enterprise controller. Rather than using engineering samples supplied by DJI, the auditors purchased retail units through standard distribution channels, ensuring the devices matched those available to customers.
The report comes as drone cybersecurity continues to attract scrutiny in the United States, particularly among organizations responsible for critical infrastructure, public safety operations, and enterprise drone fleets.
Five Months of Independent Testing
The assessment was conducted between October 2025 and March 2026, covering both hardware and software across the tested platforms.
OnDefend examined the drones, remote controllers, mobile applications, firmware, radio communications, and internal hardware. The objective was to identify any hidden communication channels, undocumented hardware modifications, or software flaws that could expose user data or enable unauthorized control of the aircraft.
The evaluation extended beyond traditional penetration testing. Engineers completely disassembled the devices, analyzed printed circuit boards and silicon components, scanned radio frequencies from 1 MHz to 6 GHz, verified supply chain integrity, and attempted to compromise the systems using replay, jamming, and signal injection attacks.
On the software side, the team analyzed both DJI Fly and DJI Pilot 2. Testing included monitoring network traffic, validating Local Data Mode, attempting firmware modifications, bypassing security certificates, escalating application privileges, and jailbreaking the remote controllers.
No Evidence Supporting Major Security Concerns
According to the published report, none of these efforts uncovered evidence of serious security issues.
Among the key conclusions:
- No data transmissions outside the United States were detected during testing. All observed communications from DJI flight applications resolved to infrastructure hosted within the U.S.
- Investigators found no hidden backdoors or undocumented remote access mechanisms.
- Attempts to modify firmware or jailbreak the controllers were unsuccessful.
- Radio frequency analysis did not reveal covert communication channels. Signals that were not explicitly listed in previous FCC documentation were determined to be normal characteristics of radio transmission rather than hidden functionality.
- Hardware inspections found no signs of supply chain tampering, counterfeit components, or unauthorized modifications.
Perhaps most notably, the assessment reported zero critical, high, or medium-risk findings across the entire engagement.
Low-Risk Issues Were Still Identified
The audit did identify several issues, though none were considered significant.
OnDefend reported ten low-risk findings along with thirteen additional observations. Most related to application security settings, wireless hardening, and session management—areas that are routinely examined during enterprise cybersecurity assessments.
According to DJI, none of the findings posed a meaningful threat to flight operations or created a realistic risk of large-scale exposure of sensitive data. The company said it worked closely with OnDefend throughout the review and has already started addressing the recommendations in upcoming software updates.
Why These Particular Models?
The selected aircraft represent two very different parts of DJI’s portfolio.
The Air 3S is designed for advanced consumers and professional creators. As one of DJI’s flagship camera drones, it is commonly used for aerial photography, filmmaking, inspections, and mapping projects where enterprise-specific features are unnecessary.
The Matrice 4E serves a different audience. Built for commercial applications such as surveying, mapping, construction, infrastructure inspection, and public safety, it is part of DJI’s enterprise ecosystem and is widely deployed by organizations with stricter requirements for cybersecurity, fleet management, and regulatory compliance.
By testing both platforms, OnDefend evaluated two separate software ecosystems: DJI Fly, used on consumer products, and DJI Pilot 2, the company’s enterprise flight application.
Why OnDefend?
DJI chose OnDefend because of the firm’s expertise in offensive cybersecurity and national security testing.
According to DJI, the U.S.-based company brings together specialists with military and government experience and has developed proprietary tools for hardware analysis, RF inspection, and silicon-level verification. These capabilities are designed to uncover hidden communication paths, undocumented hardware modifications, counterfeit components, and signs of supply chain tampering—areas that often receive less attention in software-focused security assessments.
Although DJI commissioned the audit, it says the testing itself remained independent. OnDefend purchased the drones through normal retail channels rather than receiving pre-production or specially prepared units from DJI.
What This Means for Drone Operators
For organizations already using DJI platforms, the report offers additional technical insight into questions that frequently arise during procurement reviews and cybersecurity assessments.
Many enterprise operators now require independent evidence that connected devices protect sensitive operational data and resist unauthorized access. An assessment that includes firmware analysis, RF testing, hardware inspection, and adversarial penetration testing provides a much broader picture than application security testing alone.
While no security audit can guarantee that future software versions will remain free of vulnerabilities, the absence of critical or high-risk findings across five months of testing is a notable result. It also reinforces the importance of continuous security validation as drone platforms become increasingly integrated into surveying, emergency response, infrastructure inspection, and other mission-critical operations.
As enterprise drone programs continue to expand, independent cybersecurity assessments are likely to become a standard part of evaluating not only DJI products, but unmanned systems across the industry.



