Can a company credibly audit itself? Or, to be precise, can a company pay for an audit and have the results be meaningful?
This is the core tension underlying DJI's newly released security assessment, conducted by U.S.-based cybersecurity firm OnDefend. The audit examined two DJI drone systems over five months of adversarial testing, and the headline finding is striking: zero critical, high, or medium-risk vulnerabilities discovered.
For anyone following the ongoing FCC Covered List debate, this sounds like a vindication. DJI has been fighting its December 2025 inclusion on that list, which effectively brands the company a national security threat. An independent security firm finding no serious vulnerabilities would seem to undercut that designation.
But the situation is more complicated than the headline suggests. It's worth noting that security audits, even rigorous ones, have significant limitations. And the question of who pays for the research always matters.
According to reporting from DroneDJ, Dronelife, and The Drone Girl, the OnDefend assessment focused on two specific products: the DJI Air 3S and one other system (the exact second model isn't consistently specified across sources, which is a small but notable gap in the reporting).
The testing methodology appears to have been adversarial penetration testing, the kind where security researchers actively try to break into systems, exfiltrate data, or identify exploitable weaknesses. Five months is a reasonable timeframe for this kind of work. Not exhaustive, but not a cursory glance either.
The key finding, again, is that OnDefend found no critical or high-risk vulnerabilities. They also found no medium-risk issues. This is, to be precise, a better result than many enterprise software products would achieve under similar scrutiny.
But I want to be careful here about what this does and doesn't tell us.
First, the scope. Testing two drone models is not the same as testing DJI's entire product ecosystem. The company manufactures dozens of drone models, plus controllers, software applications, and cloud services. The Air 3S is a consumer drone. The security concerns raised by U.S. lawmakers have often focused on enterprise and government use cases, where different products and different data flows are involved.
Second, the funding source. DJI commissioned and paid for this audit. That doesn't automatically invalidate the findings. OnDefend is a legitimate U.S. security firm, and their professional reputation depends on producing credible work. But it does mean we should treat this as one data point, not as definitive proof of anything. Independent verification, ideally by researchers without financial ties to DJI, would strengthen the case considerably.
Third, the nature of security testing itself. A penetration test can tell you that a specific team, using specific methods, over a specific timeframe, didn't find critical vulnerabilities. It cannot tell you that no vulnerabilities exist. This is a fundamental limitation of all security research. The absence of evidence is not evidence of absence, as the saying goes.
Fourth, and this is where it gets genuinely complicated, the national security concerns about DJI have never been purely about technical vulnerabilities in the drones themselves. The worry, as articulated by various U.S. officials and legislators, is about data flows. Where does flight data go? Who can access it? What are the legal obligations of a Chinese company to share data with Chinese intelligence services under China's national security laws?
A penetration test of drone firmware doesn't really address those questions. It tells you whether the drone can be hacked by adversaries. It doesn't tell you whether the company itself, under legal compulsion or otherwise, might share data with the Chinese government.
Actually, the research shows... well, it shows what it was designed to show. The audit appears to have focused on the devices themselves, on whether the hardware and software contain exploitable security flaws.
What remains unclear, based on the available reporting, is whether the assessment examined:
DJI's cloud infrastructure and data storage practices
The DJI Fly app and its data collection behaviors
Backend systems that receive telemetry from drones
The company's data retention and sharing policies
Potential for remote access or updates that could change device behavior
These are the areas where the more substantive national security debates are happening. A drone that's technically secure against external hackers could still be problematic if it's sending flight logs, imagery, or location data to servers accessible by foreign governments.
I'd want to see a broader assessment that covers the entire data lifecycle, from capture to storage to deletion, before drawing strong conclusions about the security implications of using DJI products.
The timing of this release is obviously not coincidental. DJI is actively appealing its inclusion on the FCC's Covered List, and the company has been making increasingly aggressive public arguments that the security concerns are overblown or politically motivated.
This audit fits into that strategy. It's a concrete, technical document that DJI can point to when lawmakers or regulators raise security concerns. The response writes itself: we hired American security experts, they spent five months trying to break our drones, they couldn't find anything serious.
Whether this will actually influence the policy debate remains to be seen. The FCC Covered List designation is based on a determination that DJI poses an unacceptable national security risk, and that determination involves classified intelligence assessments that aren't publicly available. A commercial security audit, however thorough, may not address whatever specific concerns drove that classification.
There's also a broader political dynamic at play. The push to restrict Chinese technology companies has bipartisan support in Congress, and it's driven by strategic competition concerns that go beyond any specific technical finding. Even if DJI's drones are technically secure, some policymakers would argue that reducing dependence on Chinese-manufactured technology is a reasonable goal in itself.
If we're going to have a serious, evidence-based debate about DJI and national security, we need better information than we currently have. Here's what would actually be useful:
Independent replication. Have other security firms, not funded by DJI, conduct similar assessments. If multiple independent teams reach the same conclusions, that's much stronger evidence than a single company-funded study.
Broader scope. Test the full ecosystem, not just two consumer drones. Include the apps, the cloud services, the enterprise products, the data flows.
Transparency from the government. If the national security concerns are based on specific intelligence, it would help the public debate to have at least a summary of what those concerns actually are. Right now, we're arguing in the dark.
Third-party data flow analysis. Independent researchers should examine what data DJI products actually transmit, to where, and under what circumstances. This kind of traffic analysis has been done for other products. I'm not aware of a comprehensive, recent, independent analysis for DJI's current lineup.
The current situation, where DJI releases a favorable audit and critics dismiss it, while the government makes claims it won't substantiate, is basically unsatisfying for everyone who wants to understand what's actually true.
If you're an American using DJI drones for commercial or recreational purposes, this audit is... mildly reassuring? It suggests that the drones themselves aren't riddled with obvious security holes that would let random hackers take control or steal your data.
But it doesn't resolve the larger questions about whether using DJI products exposes you to risks from the Chinese government specifically. Those concerns are either overblown or legitimate, depending on who you ask, and this audit doesn't really help us figure out which.
For enterprise and government users, the calculus is different. The FCC Covered List designation has real consequences for procurement decisions, and many organizations are already shifting to alternative drone manufacturers regardless of the technical merits. That trend seems likely to continue.
The honest answer is that we don't have enough public information to make confident judgments about DJI's security posture. This audit adds one piece of evidence to the pile, but it's not the definitive answer that either side of the debate wants it to be.
Some things I'm still wondering about, and that the available reporting doesn't answer:
What was the second drone model tested, exactly? The reporting is inconsistent on this point.
Did OnDefend examine the mobile applications, or only the drone hardware and firmware?
What specific testing methodologies were used? (Penetration testing covers a wide range of approaches.)
Were there any low-risk findings? The reporting mentions no critical, high, or medium issues, but doesn't address whether minor issues were discovered.
Will DJI release the full technical report, or only a summary?
These details matter for evaluating the strength of the findings. I hope more information becomes available as this story develops.
For now, this audit is best understood as DJI's opening argument in its appeal of the FCC designation. It's a real argument, based on real testing, but it's also clearly part of a legal and public relations strategy. Treat it accordingly.