Independent cyber audit finds zero malware or backdoors in DJI drones — U.S. firm's hardware analysis challenges FCC ban amid ongoing $1.56 billion legal battle

DJI has published the results of an independent security assessment by U.S. cybersecurity firm OnDefend, which tested the DJI Air 3S consumer drone and Matrice 4E enterprise drone over five months and reported zero critical, high, or medium-risk findings. OnDefend also found no evidence of data being transmitted outside the U.S., no hidden backdoors, and no successful attempts to hack or tamper with either aircraft. The audit comes as DJI pursues a Ninth Circuit lawsuit against the FCC over the agency's decision last December to ban all new foreign-made drones from receiving U.S. equipment authorization, a move DJI claims will cost it $1.56 billion this year.

The ban took effect after a government-mandated national security review of DJI's products failed to begin before the December 2025 deadline; DJI initiated the OnDefend engagement in October on its own, whose team includes former U.S. military and government cybersecurity professionals.

The firm tested both drones across software, hardware, firmware, and radio frequency, including man-in-the-middle attack simulations and physical teardowns. OnDefend bought the test units independently: the Air 3S from a retail channel and the Matrice 4E from dealer inventory, both without DJI's involvement in the selection process.

Latest Videos From

Watch full video here:

The assessment identified 10 low-risk findings, including weak TLS protocols in the companion app and authentication tokens in URLs. OnDefend described these as consistent with standard practices for complex embedded systems, and DJI said it’s addressing them through firmware updates. OnDefend also recommended ongoing testing of future firmware, software updates, and hardware revisions, acknowledging that the audit represents a snapshot of two products at one point in time.

OnDefend is one of the independent security inspectors appointed by TikTok's U.S. Data Security division in June 2024 to perform continuous penetration testing of that platform. The audit of DJI means the firm has now inspected two Chinese-owned technology companies facing active U.S. national security proceedings.

While DJI maintains that the OnDefend audit was conducted independently, DJI did authorize and pay for it, and the overall arrangement differs from a government-directed review, which would have been conducted under federal oversight with no financial relationship to the subject.

DJI sued the FCC back in February, arguing the Covered List designation violated the U.S. Constitution. In an April court filing, DJI disclosed that the FCC had revoked authorizations for 14 existing products and that 25 planned 2026 launches can’t reach the U.S. market. Chinese customs data reported by Nikkei Asia show monthly civilian drone exports to the U.S. have fallen 60% to 70% year-on-year since December.

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.