DJI Drone Security Assessment Finds No Major Vulnerabilities Amid Ban Debate

Severity: Low (Score: 18.1)

Sources: ondefend.com, Dronedj, Commercialuavnews, Prnewswire, www.prnewswire.com

Published: 2026-05-28 · Updated: 2026-05-28

Keywords: findings, security, independent, assessment, releases, drone, zero

Summary

DJI has released findings from an independent security assessment conducted by OnDefend, which reported zero critical, high, or medium-risk vulnerabilities in its Air 3S and Matrice 4E drone systems. The assessment, spanning five months, included rigorous testing of hardware, firmware, and software, with no evidence of data transmission outside the U.S. or hidden backdoors. The report identified ten low-risk findings related to application security configurations, but none posed a significant threat to drone operations. DJI is appealing its designation on the FCC Covered List, arguing that the concerns are unfounded and calling for evidence-based policy decisions. The findings are expected to impact thousands of users and businesses reliant on DJI drones for various applications. The assessment was conducted independently, with consumer units purchased without prior notice to DJI.

Key Points:

  • OnDefend's assessment found no critical or high-risk vulnerabilities in DJI drones.
  • Ten low-risk findings were identified, primarily related to application security configurations.
  • DJI is appealing its FCC Covered List designation, citing lack of evidence for security concerns.

Detailed Analysis

**Impact**

Over 1,800 state and local law enforcement agencies in the United States rely on DJI drones for critical operations including search-and-rescue, accident reconstruction, tactical response, and disaster management. Additionally, sectors such as agriculture, roofing, utilities, surveying, filmmaking, and real estate use DJI drones extensively, with 43% of drone business users reporting that restrictions on DJI products would have an extremely negative or potentially business-ending impact. The assessment found no evidence of data exfiltration outside the U.S., mitigating concerns over data sovereignty risks.

**Technical Details**

The independent security assessment by OnDefend involved adversarial testing of the DJI Air 3S and Matrice 4E systems, including hardware teardown, firmware analysis, static and dynamic application security testing, full-spectrum radio frequency scanning (1 MHz to 6 GHz), and adversary simulations such as meddler-in-the-middle, replay attacks, jamming, injection attempts, privilege escalation, and jailbreak efforts. No critical, high, or medium-risk vulnerabilities, backdoors, unauthorized remote access mechanisms, or unexplained radio frequency emissions were identified. No supply chain tampering or counterfeit components were detected. No specific CVEs or IOCs were reported.

**Recommended Response**

Continue ongoing validation through regular firmware and software updates, with emphasis on monitoring for emerging vulnerabilities in hardware and chip integrity. Implement recommended remediations for identified low-risk findings related to application security configurations, session handling, and wireless hardening as DJI releases software patches. Maintain vigilance with network traffic analysis and radio frequency monitoring to detect any anomalous activity. No immediate critical mitigations are required based on current findings.

Source articles (6)

  • DJI Releases Findings of the Most Comprehensive Independent Security Assessment of Its ... — Prnewswire · 2026-05-28
    Zero Critical, High, or Medium-Risk Findings Identified Across Five Months of Adversarial Testing by U.S. Cybersecurity Firm OnDefend of the DJI Air 3S and Matrice 4E SHENZHEN, China , May 28, 2026 /P…
  • These new security findings could complicate America's DJI drone ban plans — Dronedj · 2026-05-28
    For years, millions of Americans who use DJI drones have been hearing the same warning on repeat: these drones could be a national security threat. Now, DJI has fired back with what may become one of…
  • Trust Center — www.dji.com · 2026-05-28
    We were the first drone maker to introduce built-in user privacy controls, launch a Bug Bounty program, and proactively submit products to regular independent security audits. Learn your drone’s built…
  • DJI Releases Findings from Independent Security Assessment — Commercialuavnews · 2026-05-28
    DJI has released the findings of an independent cybersecurity assessment of two of its drone systems, which they say produced zero critical, high, or medium-risk findings over five months of adversari…
  • Dji Releases Findings Of The Most Comprehensive Independent Security Assessment Of Its Drone Systems To Date 302784397 — www.prnewswire.com · 2026-05-28
    Zero Critical, High, or Medium-Risk Findings Identified Across Five Months of Adversarial Testing by U.S. Cybersecurity Firm OnDefend of the DJI Air 3S and Matrice 4E SHENZHEN, China , May 28, 2026 /P…
  • Iot Hardware Firmware Security Testing — ondefend.com · 2026-05-28

Timeline

  • 2025-10-01 — Security assessment begins: OnDefend starts a comprehensive evaluation of DJI's Air 3S and Matrice 4E drone systems.
  • 2026-03-31 — Security assessment concludes: The independent security assessment by OnDefend is completed, with findings released shortly after.
  • 2026-05-28 — DJI releases assessment findings: DJI announces the results of the independent assessment, confirming no major vulnerabilities.

Related entities

  • Man-in-the-Middle (Attack Type)
  • China (Country)
  • United States (Country)
  • dji.com (Domain)
  • [email protected] (Email)
  • Agriculture (Industry)
  • Government (Industry)
  • T1068 - Exploitation for Privilege Escalation (Mitre Attack)
  • T1557 - Adversary-in-the-Middle (Mitre Attack)
  • DJI Air 3S (Platform)
  • DJI Fly (Platform)
  • Matrice 4E (Platform)
  • Pilot 2 (Platform)