Danny Weber
An independent audit of DJI drones found no critical, high, or medium-risk security issues, but 10 low-risk items are being fixed. The results come as DJI fights US restrictions that could cost $1.56 billion annually.
DJI has published the results of an independent security audit conducted by the US company OnDefend. Over five months, specialists analyzed the consumer drone DJI Air 3S and the enterprise model Matrice 4E. They found no critical, high, or medium-risk issues. The audit also uncovered no hidden backdoors, malware, data transmission outside the US, or successful hacking attempts.
The audit comes amid DJI's ongoing conflict with US regulators. The company is challenging an FCC decision that effectively blocks certification of new foreign drones for the US market. DJI claims it could lose about $1.56 billion per year due to these restrictions, and some planned products may never reach the US market.
OnDefend examined the drones across several areas: software, firmware, hardware, and radio frequency channels. The team conducted man-in-the-middle attack simulations, physical disassembly of the devices, and component analysis. Notably, the company purchased the test units independently: the Air 3S at retail and the Matrice 4E from dealer inventory, with no involvement from DJI in selecting the specific devices.
However, the audit wasn't entirely clean. Experts found 10 low-risk issues, including weak TLS protocols in the companion app and authentication tokens in URLs. OnDefend described these problems as typical for complex embedded systems, and DJI said it is fixing them through firmware updates. The auditors emphasized that the audit reflects only the state of these two models at a specific point in time and does not replace ongoing testing of future updates.
The choice of OnDefend is also noteworthy. The same firm was previously appointed as one of TikTok's independent security inspectors in the US, so it has now audited two Chinese tech companies under pressure from US authorities over national security concerns. However, DJI's audit was commissioned and paid for by the company itself, which sets it apart from a full review under federal oversight.
For DJI, the audit results provide an argument against the restrictions, but they are unlikely to fully resolve political and regulatory questions. The company has already argued in court that the FCC's actions violate the US Constitution. In April filings, it reported the revocation of permits for 14 existing products and the inability to launch 25 planned devices. Against this backdrop, exports of civilian drones from China to the US have already dropped by 60–70% year-on-year since December, according to Nikkei Asia.
© A. Krivonosov