A five‑month security assessment by U.S. firm OnDefend uncovered zero critical vulnerabilities, backdoors, or data exfiltration in DJI’s Air 3S and Matrice 4E drones. The findings arrive as DJI fights a Ninth Circuit case against the FCC’s blanket ban on new foreign‑made drones, a move the company says could cost $1.56 billion this year.

Announcement
DJI has released the results of an independent security audit performed by U.S. cybersecurity firm OnDefend. Over a five‑month period the team examined the consumer‑grade DJI Air 3S and the enterprise‑grade Matrice 4E, concluding that neither device contained critical, high‑ or medium‑risk vulnerabilities, nor any hidden backdoors or unauthorized data transmissions.
The report is timed to coincide with DJI’s ongoing Ninth Circuit lawsuit against the Federal Communications Commission (FCC). The FCC’s December 2023 decision placed all new foreign‑made drones on a “Covered List,” effectively blocking them from receiving U.S. equipment authorizations. DJI estimates the ban will shave $1.56 billion from its 2024 revenue.
Technical specs of the audit
| Aspect | Details |
|---|---|
| Scope | Software, firmware, hardware, and radio‑frequency layers; includes man‑in‑the‑middle (MITM) simulations and full physical teardowns |
| Test units | Air 3S purchased from a retail channel; Matrice 4E sourced from dealer inventory – no DJI involvement in selection |
| Methodology | Static code analysis, dynamic fuzzing, packet‑capture of telemetry, side‑channel emission testing, and hardware reverse‑engineering |
| Findings | 10 low‑risk issues (e.g., TLS 1.0 fallback in companion app, authentication tokens exposed in URLs). All classified as “acceptable for complex embedded systems.” |
| Critical outcome | Zero critical, high, or medium‑risk vulnerabilities; no evidence of data leaving the United States; no exploitable backdoors |

OnDefend’s team includes former U.S. military cyber operators and former government security analysts, lending weight to the assessment. The firm is also one of the independent inspectors appointed by TikTok’s U.S. Data Security division earlier this year, indicating a growing reliance on third‑party penetration testing for Chinese‑origin tech under U.S. scrutiny.
Market implications
- Regulatory pressure vs. technical evidence – The FCC’s ban rests on a national‑security review that never commenced before the December 2025 deadline. OnDefend’s clean bill of health does not alter the legal standard, but it provides DJI with a data‑driven counter‑argument that the devices pose no hidden risk.
- Revenue impact – DJI’s internal filing shows the FCC has already revoked authorizations for 14 existing models and blocked 25 planned 2026 launches. Assuming an average unit price of $1,200, the lost sales volume aligns with the $1.56 billion hit cited by the company.
- Supply‑chain shock – Chinese customs data compiled by Nikkei Asia reveal U.S. civilian drone imports have dropped 60‑70% YoY since the ban took effect. That contraction is forcing U.S. distributors to seek alternative suppliers, potentially accelerating market‑share gains for domestic players such as Skydio and Autel Robotics.
- Future compliance strategy – OnDefend recommends continuous testing of firmware updates and hardware revisions. If DJI adopts an open‑source‑style disclosure pipeline, it could rebuild confidence among U.S. government buyers and mitigate the risk of further bans.
- Legal precedent – The case may set a benchmark for how technical audits are weighed against statutory national‑security determinations. A favorable ruling for DJI could pressure the FCC to require independent security certifications before imposing blanket bans.
Outlook
While the audit removes immediate technical doubts about the Air 3S and Matrice 4E, the broader regulatory environment remains hostile. DJI’s lawsuit will likely hinge on whether the FCC’s “Covered List” designation can be justified without a completed security review. Until a court clarifies that balance, U.S. distributors should monitor both the legal docket and any follow‑up audit reports, especially as DJI pledges firmware patches for the low‑risk findings disclosed.
For readers interested in the full audit methodology, see OnDefend’s public overview here.
Luke James contributed to this analysis.
