Clean Bill of Health or Clean Bill of Paper? Analysing the DJI Drone Security Audit


An independent firm found no malware, no backdoors, no data leaving the US. So why does the security debate not end there? Because audits have limits — and in national security, the limits matter as much as the findings.


The Headline and What Lies Beneath It

The headline is clean: zero critical, zero high, zero medium-risk findings. No malware. No backdoors. No data transmitted outside the United States. After five months of hardware teardowns, firmware analysis, radio frequency testing, and man-in-the-middle attack simulations, U.S. cybersecurity firm OnDefend found nothing alarming in two DJI drones — the Air 3S consumer model and the Matrice 4E enterprise unit.

DJI published these results as part of its $1.56 billion legal battle against the Federal Communications Commission, which in December 2025 banned all new foreign-made drones from receiving U.S. equipment authorization. The company had initiated the OnDefend engagement in October 2025, with the government-mandated national security review still not begun as its statutory deadline approached — leaving DJI heading into regulatory limbo without ever having been formally evaluated.

The audit is the most technically rigorous public security assessment of DJI hardware conducted by a U.S. firm to date. It is also, by the auditors' own acknowledgement, a snapshot. And the gap between a clean snapshot and a clean bill of health is where the most important questions in this case live.


What the Audit Actually Tested — and What It Found

To evaluate the audit's significance, it is worth being precise about what OnDefend actually did.

The firm tested both drones across four domains: software, hardware, firmware, and radio frequency. It conducted man-in-the-middle attack simulations — attempts to intercept communications between the drone and its control systems. It performed physical teardowns — opening the hardware to examine components. It analysed firmware for known vulnerabilities and hidden functionality. It monitored network traffic to identify any data leaving the device and its destination.

Critically, OnDefend purchased the test units independently. The Air 3S came from a retail channel. The Matrice 4E came from dealer inventory. Neither was selected or supplied by DJI. This is a meaningful methodological safeguard: it significantly reduces the risk that DJI provided specially prepared "clean" units for testing.

The findings included ten low-risk items: weak TLS (Transport Layer Security) protocols in the companion app, and authentication tokens appearing in URLs. OnDefend described these as consistent with standard practices for complex embedded systems — present in comparable products across the industry, not specific to DJI or indicative of malicious intent. DJI said it is addressing them through firmware updates.
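The two classes of low-risk finding named above are the kind of thing a traffic review of a companion app surfaces almost mechanically, so it is worth seeing what the check actually looks like. The script below is an added example, not code from the OnDefend report or from DJI: it walks a list of captured app flows and flags requests that carry credential-like tokens in the URL query string (which then end up in proxy logs, server access logs, Referer headers and crash reports) and sessions negotiated below TLS 1.2 or sent in plaintext. The flow records, hostnames and parameter names are constructed for illustration; in practice the records would come from a mitmproxy or pcap export of the app's traffic.

```python
"""Review captured companion-app flows for two classes of low-risk finding:
credential-like tokens in URLs, and TLS sessions below 1.2 (or no TLS at all).

Added example; the flow records, hosts and parameter names below are
constructed for illustration and are not taken from any audit report.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Query parameter names that usually carry a credential. Names ending in
# "token" are matched as well. This list is an assumption; extend it per app.
TOKEN_PARAM_NAMES = {
    "token", "access_token", "auth_token", "refresh_token", "session",
    "sessionid", "sid", "apikey", "api_key", "signature", "sig",
}
MIN_TLS = (1, 2)  # anything older than TLS 1.2 is reported


@dataclass
class Flow:
    tls_version: str  # "TLSv1.0", "TLSv1.2", "TLSv1.3", "" for plaintext
    method: str
    url: str


@dataclass
class Finding:
    kind: str    # "plaintext", "weak-tls", or "token-in-url"
    detail: str
    flow: Flow


def tls_tuple(label: str):
    """Return (major, minor) for a label like 'TLSv1.2'; None if not TLS."""
    if not label.startswith("TLSv"):
        return None
    major, _, minor = label[4:].partition(".")
    return (int(major), int(minor or 0))


def weak_tls(label: str) -> bool:
    """True for SSLv*/unknown labels and any TLS version below MIN_TLS."""
    version = tls_tuple(label)
    return version is None or version < MIN_TLS


def token_in_url(url: str) -> list[str]:
    """Names of query parameters in `url` that look like credentials."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [
        name for name in params
        if name.lower() in TOKEN_PARAM_NAMES or name.lower().endswith("token")
    ]


def review(flows: list[Flow]) -> list[Finding]:
    """Run both checks over every flow and return the findings in flow order."""
    findings = []
    for flow in flows:
        scheme = urlsplit(flow.url).scheme
        if scheme == "http":
            findings.append(Finding("plaintext", "request sent without TLS", flow))
        elif weak_tls(flow.tls_version):
            findings.append(Finding(
                "weak-tls", f"negotiated {flow.tls_version or 'unknown'}, below TLS 1.2", flow))
        for name in token_in_url(flow.url):
            # Tokens in the query string are written to every log on the path
            # (proxy, CDN, origin) and leak via Referer; a header is the fix.
            findings.append(Finding(
                "token-in-url", f"credential-like query parameter '{name}'", flow))
    return findings


# Constructed sample capture (hosts under .test are reserved and never resolve).
SAMPLE_FLOWS = [
    Flow("TLSv1.3", "POST", "https://api.example.test/v1/telemetry"),
    Flow("TLSv1.0", "GET", "https://cdn.example.test/firmware/manifest.json"),
    Flow("TLSv1.2", "GET", "https://api.example.test/v1/media?access_token=eyJhbGci&page=2"),
    Flow("", "GET", "http://time.example.test/now"),
]

if __name__ == "__main__":
    for f in review(SAMPLE_FLOWS):
        print(f"[{f.kind}] {f.flow.method} {f.flow.url}: {f.detail}")
```

The output of such a pass is the raw material for the "low" column of a report like OnDefend's: none of these entries on its own lets an attacker take over the aircraft, but each is a concrete, reproducible observation that a vendor can close with an app or firmware update, which is exactly how DJI says it is treating them.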

OnDefend found no evidence that data was being transmitted outside the United States. No hidden backdoors were identified. No successful exploitation of either aircraft was achieved.

This is a substantive result from a credible firm. It is not nothing.


The Audit Gap Problem: What No Audit of This Kind Can Establish

Here is where honest analysis has to introduce complexity that the headline does not.

Gap 1: The Snapshot Problem

OnDefend tested two specific products at one specific point in time. The report itself acknowledges this, recommending "ongoing testing of future firmware, software updates, and hardware revisions." This is not a criticism — it is a statement of the inherent limitation of any point-in-time audit.

Firmware is updateable. DJI pushes software updates to its drones regularly — this is true of virtually all modern embedded systems, and it is a feature, not a flaw. But it means that a device that is clean today can have functionality added, modified, or enabled tomorrow through an over-the-air update. The audit of the Air 3S as it existed in late 2025 cannot certify the Air 3S as it will exist in 2026, 2027, or 2028.

This is not hypothetical. Security researchers have previously documented cases where functionality changed materially between firmware versions in other connected device categories. The question is not whether DJI has done this — the audit found no evidence of it — but whether a five-month point-in-time assessment provides assurance about future behaviour. It does not, by design.

Gap 2: The Scope of "No Data Leaving the US" Finding

OnDefend's finding that no data was transmitted outside the United States is significant and carefully worded. But it is worth understanding precisely what this finding covers and what it does not.

The audit monitored network traffic from the tested devices during the testing period. It found no exfiltration to servers outside the US. What it cannot rule out — and does not claim to rule out — is transmission to US-based servers that are subsequently accessible to parties outside the US, data stored locally on the device for later transmission under different conditions (geofencing, specific trigger states, or future firmware), or transmission behaviour that occurs only under specific operational conditions not replicated during testing.

None of these scenarios is alleged to be occurring. But the finding of "no data leaving the US" is a specific, bounded claim — not a comprehensive certification of data handling.

Gap 3: Hardware Component Provenance

Physical teardowns can identify unexpected components, radio modules, and connectivity hardware. What they cannot easily establish is the complete provenance and trustworthiness of every component in a complex supply chain. Modern electronics contain components from dozens of suppliers. A hardware teardown confirms what is present; it does not comprehensively certify that every chip and module behaves only as documented, particularly against sophisticated firmware-level implants that may be dormant under normal conditions.

This is not a DJI-specific concern. It is a general challenge in hardware security assessment that affects any complex device with a multi-country supply chain. But it is relevant context for evaluating what a hardware teardown can and cannot establish.

Gap 4: The Independence Question

OnDefend conducted an independent assessment in the technical sense that matters most: it selected its own test units, designed its own test methodology, and reported its findings without DJI reviewing or editing the results first. These are genuine markers of methodological independence.

However, the audit was authorized and paid for by DJI. Reporting on the audit notes this difference explicitly: "the overall arrangement differs from a government-directed review, which would have been conducted under federal oversight with no financial relationship to the subject."

This does not mean OnDefend's findings are wrong. Paid audits produce accurate findings all the time. But it does mean the audit operates in a different accountability structure than a government-directed review. The auditor's professional reputation is the primary guarantor of objectivity — a strong guarantor, but not equivalent to the oversight, reproducibility, and legal accountability that a federal review would impose.

Notably, OnDefend is also one of the independent security inspectors performing continuous penetration testing for TikTok's US Data Security division — another Chinese-owned technology company under active national security scrutiny. The firm has genuine expertise in this space. It also now has a significant commercial stake in being seen as the credible auditor of choice for Chinese technology companies navigating US regulatory challenges. That is not a conflict that invalidates their work, but it is context worth holding.

Gap 5: What "Backdoor" Means in a Sophisticated State Actor Context

The finding of "no backdoors" is reported against the most conventional definition of the term: a hidden access mechanism embedded in the device that allows unauthorised remote access. This is an important and meaningful finding.

What it does not address is the more sophisticated concern raised in the national security context: not a hidden door, but an open one — a legitimate remote management interface, a cloud connectivity feature, or a software update mechanism that could, under different legal or political conditions, be directed to serve purposes other than those currently intended. The concern about Chinese technology companies under Chinese national security law is not primarily that they have secretly installed backdoors — it is that Chinese law can compel cooperation from Chinese companies in ways that US law cannot prevent, and that legitimate product functionality could become a vector under those conditions.

No commercial audit of hardware and firmware, however rigorous, can resolve a concern rooted in the legal and political relationship between a company and a foreign government.


The FCC Ban: Regulation by Deadline Failure

The background to the audit reveals something awkward about the regulatory process that the DJI litigation has brought into focus.

The FCC's ban on DJI equipment took effect not because a national security review was completed and found DJI products dangerous — but because the government-mandated review failed to begin before the December 2025 statutory deadline. DJI was placed on the Covered List and had products de-authorized without ever being formally evaluated through the process that was supposed to determine whether they posed a risk.

This is a significant procedural problem, and it is why DJI's Ninth Circuit lawsuit has at least colorable legal merit. The company argues that the Covered List designation violated the US Constitution — a claim that is easier to make when the regulatory process that was supposed to justify the designation was never actually completed.

The consequences are concrete and documented. The FCC revoked authorizations for 14 existing DJI products. Twenty-five planned 2026 launches cannot reach the US market. Chinese customs data reported by Nikkei Asia show monthly civilian drone exports to the US have fallen 60-70% year-on-year since December. By DJI's own calculation, the annual revenue impact is $1.56 billion.

If the review had been completed and found serious vulnerabilities, the FCC's position would be defensible on the merits. As things stand, a major product category has been banned based on a process that never ran — which is precisely the kind of regulatory gap that courts exist to scrutinise.


The Broader Policy Failure

The DJI situation illustrates a fundamental tension in US technology security policy that this case has made impossible to ignore.

The US government has legitimate reasons to be concerned about technology infrastructure supplied by companies subject to Chinese national security law. Those concerns are serious, documented, and shared across administrations and intelligence agencies. They are not invented or pretextual.

At the same time, legitimate concern does not automatically translate into legally sound or technically well-founded regulation. The Covered List mechanism, as applied to DJI, produced a ban without a completed technical review — which is precisely backwards from a rule-of-law perspective. The result is that DJI, whose products dominate the US consumer and commercial drone market, is operating under a regulatory cloud that was never substantiated through the process designed to substantiate it.

The OnDefend audit, for all its acknowledged limitations, exists because the government review did not happen. DJI is, in effect, doing the government's job for it — funding an independent technical assessment that the FCC was supposed to conduct under federal oversight but did not. The irony is almost too neat.


What a Credible Resolution Would Look Like

The current situation — a company-funded audit challenging a ban imposed without a completed review — is not a stable equilibrium. Here is what genuine resolution of the security question would require:

A government-directed technical review of DJI products, conducted by or under the oversight of CISA, NSA, or a designated independent body, with no financial relationship to DJI, with reproducible methodology, and with findings subject to appropriate classification handling. This is what was supposed to happen before December 2025. It should happen now, regardless of the litigation outcome.

Continuous, not point-in-time, compliance monitoring if DJI products are ultimately cleared for the market. A single audit, however thorough, cannot provide ongoing assurance for a product category that receives regular firmware updates. A framework analogous to what exists for financial services or critical infrastructure — ongoing monitoring, mandatory vulnerability disclosure, and regular third-party testing — would provide genuine security assurance rather than a one-time clean bill.

Statutory clarity on what Chinese national security law obligations mean for US product authorizations. The current framework addresses hardware and software but does not systematically address the legal-compulsion risk: the possibility that a Chinese company could be directed to modify product behaviour through legitimate update mechanisms. This requires policy work, not just technical audits.

A defined review timeline so that companies subject to Covered List proceedings know when and how they will be evaluated, and cannot be banned by deadline failure rather than adverse findings.


The Verdict on the Audit Itself

The OnDefend assessment is credible, methodologically sound in the ways that matter most, and meaningfully informative. The finding of zero critical, high, or medium vulnerabilities, combined with no observed data exfiltration outside the US, is a substantive result from a firm with relevant expertise and reputational accountability.

It is not, and cannot be, a comprehensive resolution of the national security question — because that question is not primarily a technical one. It is a legal, political, and strategic question about the relationship between Chinese technology companies and the Chinese state, and no hardware teardown answers it.

What the audit does do, clearly and usefully, is demonstrate that DJI products do not contain the obvious, crude security vulnerabilities that the most alarming version of the national security narrative implies. If there is a threat in these devices, it is not a smoking gun. It is more subtle, more contingent, and more dependent on geopolitical scenarios that no audit can assess.

That distinction matters. It should inform how regulators think about proportionate responses — and it should inform how courts assess whether the FCC's ban was grounded in anything more than a missed deadline.


What Comes Next

The Ninth Circuit case will be watched closely, both for its outcome and for its reasoning. If the court finds that the FCC violated DJI's constitutional rights by imposing a ban without completing the required review, it will send a signal about the limits of executive-branch technology restrictions that goes well beyond drones.

The drone market, meanwhile, has already been reshaped. A 60-70% decline in Chinese drone exports to the US represents not just DJI's lost revenue but a disruption to an industry — farmers, filmmakers, infrastructure inspectors, emergency responders — that had come to depend on products that are no longer available.

Whether DJI's drones are ultimately cleared, restricted, or banned under a completed security review, the US will need to make a decision that is based on evidence rather than bureaucratic failure. The OnDefend audit is the most serious piece of public evidence currently available. Its limitations are real and documented. Its findings are also real and documented.

Both things are true. Policy that acknowledges both would be a start.


DJI's OnDefend security assessment executive report is publicly available on DJI's content delivery network. The Ninth Circuit lawsuit was filed in February 2026. The FCC's foreign equipment ban took effect in December 2025.
