The US government has blocked drone giant DJI from receiving the FCC approval needed for new models to fly in the US. But after the government-mandated security review of DJI failed to even start before the December 2025 deadline, DJI made a security review happen anyway.
On Thursday, May 28, DJI shared the findings from a five-month security review of two DJI drones. The US security firm OnDefend has conducted an evaluation of the DJI Air 3S and Matrice 4E and found no evidence that data is transferred outside the US, while the team was unable to hack, jailbreak, or tamper with the UAVs.
The findings come amid an ongoing DJI lawsuit against the FCC over the ban and follow more than 3,000 public comments on the FCC’s drone proceedings, which DJI says is ten times the typical number of comments on similar FCC measures.
In December 2025, a law required DJI to pass a national security review by the deadline or face an automatic ban by the FCC. That deadline passed without such a security review even starting, effectively blocking not just DJI’s drones but cameras, gimbals, and accessories from receiving FCC approval to launch new products in the US. (DJI products launched before the ban are still available to purchase and use).
With US-based drone manufacturers focused on military and commercial uses, the ban effectively prevents new consumer drones from launching in the US until an American drone maker steps into the consumer market. The ban impacts not only aerial photographers and videographers but also first responders, small businesses, farmers, and other drone users, according to the list of FCC comments.
Before that December 2025 FCC deadline even passed, DJI asked OnDefend for an independent security review, which began in October 2025 and was completed in mid-March 2026. While the study was authorized by DJI, OnDefend is an independent security company whose staff includes US military and government professionals. The consumer drone tested was purchased from a retailer without notifying DJI, while the enterprise drone was purchased from existing dealer stock.
OnDefend put the drones through a list of different tests, including analyzing signals for any unauthorized data transmission, simulating Meddler-in-the-Middle hacks, attempting jailbreaks of the drones' apps, and disassembling the drones to analyze each component.
The inspection did not find any critical, high, or medium risks.
The review identified 10 low-risk findings with “limited real-world impact” that are “consistent with industry norms for complex mobile and embedded systems.” That list includes things like weak TLS protocols on the app and using authentication tokens in URLs. DJI says that those low-risk findings are being addressed with firmware updates.
“This is the most comprehensive independent security assessment ever undertaken on our products," Adam Welsh, Head of Global Policy at DJI, said in a statement. "These findings confirm what DJI has consistently maintained: our products are secure, our data practices are transparent, and the concerns underlying our FCC Covered List designation are not supported by technical evidence. We commissioned this independent assessment because we believe facts should inform policy decisions. We are calling on the FCC to consider these findings carefully as part of our ongoing appeal, and we remain committed to engaging constructively with relevant authorities."
The study suggests that there is no risk of DJI user data being sent to China, one of the concerns politicians voiced on the road to the National Defense Authorization Act that put DJI on the FCC-banned list.
However, the conversation on drone security has also shifted to highlighting supply chain concerns. Several critical drone components, including lithium-ion batteries and the magnets in drone motors, are sourced outside of the US.
The supply chain risk already has a handful of examples of what not being able to secure parts could mean for US drones. Amid the pushback on US tariffs, China temporarily blocked the export of Li-ion batteries to US-based drone companies, which prevented brands like Skydio from getting the batteries needed for their drones. China later paused the export controls for a year.
The security review is only for two drones and their respective controllers and apps, but could play a role in DJI’s ongoing lawsuit in an attempt to reverse the FCC ban.
The full security report is available to read online.
You may also like
Browse the best drones for photographers, or the best non-DJI drones.
