Disclosure Statement

This disclosure is provided to ensure transparency regarding the author’s professional background and potential biases. The author has maintained both collaborative and contentious relations with DJI, including direct engagement with senior US executives. Previous professional experience includes working with counter-drone technology development teams whose mandate encompassed identifying and exploiting drone vulnerabilities for defensive applications. Despite these complex professional relationships, the author has recommended DJI drones for certain use cases and has acknowledged that recent DJI features, such as Local Data Mode (LDM), may be sufficient for non-sensitive applications when properly configured.

This report examines DJI drone security from multiple analytical perspectives, including political considerations, supply chain integrity, commercial implications, trust frameworks, national security concerns, and personal privacy protections. The central thesis maintains that modern DJI drones equipped with properly configured Local Data Mode represent a viable option for non-sensitive applications, subject to specific caveats detailed in the appendices. However, historical patterns of behavior and ongoing security issues warrant careful scrutiny, particularly for government, military, or critical infrastructure deployments. This analysis explores the nuanced definition of ‘safe’ operation and provides evidence-based guidance for risk mitigation across various operational contexts.

Security Definitions and Framework

Core Security Concepts

Figure 1: Security Severity Classification

Security (Information Security): The practice of protecting systems, networks, devices, and data from unauthorized access, modification, disclosure, or destruction. Within the drone ecosystem, security encompasses the protection of flight control systems, communication channels, stored data, and user privacy from malicious actors. This definition extends beyond technical vulnerabilities to include operational security, supply chain integrity, and data governance practices.

Security Issue/Vulnerability: A weakness, flaw, or misconfiguration in hardware, software, or operational procedures that could be exploited by an attacker to compromise system integrity, confidentiality, or availability. Security vulnerabilities span a broad spectrum, ranging from critical flaws enabling complete remote system takeover to lower-severity weaknesses such as information disclosure or denial of service. The criticality of any vulnerability must be assessed within the context of potential exploitation scenarios and operational requirements (see Figure 1).

Exploit: Code, technique, or methodology that leverages a vulnerability to cause unintended system behavior. Exploits may enable arbitrary command execution, authentication bypass, unauthorized data access, or other malicious activities. In sophisticated attack scenarios, multiple exploits may be chained together to achieve objectives that individual vulnerabilities could not accomplish in isolation.

Attribution and Threat Actors

Attribution in security research represents a critical analytical process for identifying the perpetrators of cyberattacks and understanding their capabilities, motivations, and operational patterns. This multifaceted discipline integrates technical analysis of attack indicators with political and intelligence assessments of actor capability and intent. Attribution analysis operates across multiple analytical tiers, from tactical examination of technical indicators to strategic profiling of threat actors, and proves essential for effective defense, accountability frameworks, and understanding adversary tactics, techniques, and procedures (TTPs).

Security researchers typically produce meticulous documentation demonstrating vulnerabilities through reproducible proof-of-concept implementations. While many researchers collaborate with manufacturers like DJI through coordinated disclosure processes, independent researchers frequently operate outside formal channels, particularly when examining systems with national security implications or when previous disclosure attempts have been met with legal threats rather than constructive engagement.

The Challenge of Threat Complexity

A critical challenge in vulnerability assessment involves recognizing that seemingly low-severity issues may be weaponized through unexpected attack paths. Initial exploitation may be achieved by an actor who then develops or shares techniques that transform theoretical vulnerabilities into practical threats. Consequently, this analysis includes security issues that may not appear immediately threatening, as the attack surface continues to evolve with researcher innovation and adversary capability development.

Of particular concern are sophisticated threat actors including organized criminal networks, independent hacker collectives, nation-state intelligence services, and their proxies. These actors possess the capability and motivation to exploit systems for espionage, sabotage, or other nefarious purposes. Their operations range from obvious, detectable intrusions to nearly invisible compromises designed for long-term persistence. Advanced threat actors frequently employ deception techniques, such as introducing multiple exploits designed to resemble routine security issues, hoping that defenders will overlook or misattribute these vulnerabilities during security reviews. Additionally, sophisticated actors may leverage such techniques to conceal malware deployment or establish plausible deniability to evade detection by security operations centers or law enforcement agencies.

The attribution landscape becomes further complicated by the potential involvement of diverse actor types, including external hackers, criminal syndicates, insider threats such as rogue employees, the manufacturer itself, or state-sponsored operatives. When confronting sophisticated adversaries with advanced operational security practices, analysts often can only identify the most probable actor and reconstruct the most likely scenario based on available evidence, recognizing the inherent limitations of attribution in complex cyber operations.

DJI’s Security Posture and Historical Context

Figure 2: All vulnerabilities from 2017 to 2025

Evolution of DJI’s Security Response

DJI has historically demonstrated difficulties in recognizing and appropriately responding to serious security flaws. Early in the company’s maturation, DJI adopted adversarial approaches toward independent security researchers, including harassment, legal threats, and attempts to suppress vulnerability disclosures, even when researchers followed responsible disclosure protocols. The company’s initial product generations exhibited numerous fundamental bugs representing explicit threats to privacy, security, and national security interests.

Analysis of the temporal distribution of security issues reveals evolving patterns in DJI’s security maturity. The chart ‘DJI Security Issues by Year (2017-2025)’ illustrates initial periods of severe vulnerabilities followed by apparent improvements, though punctuated by significant security incidents. The dramatic increase in disclosed vulnerabilities during certain periods prompted DJI to establish dedicated internal security teams and engage third-party security firms for systematic security assessments. These investments serve dual purposes: maintaining customer trust and mitigating serious vulnerabilities that skilled adversaries could exploit for system compromise, data exfiltration, or operational disruption.

Problematic Patterns in Vendor Response

Despite improvements in certain areas, DJI continues to exhibit concerning patterns in its security practices and communications. The company maintains a documented history of adversarial relationships with independent security researchers and third-party auditors, which itself represents a significant security concern. Organizations committed to robust security typically welcome external scrutiny and engage constructively with the security research community. DJI’s pattern of legal threats and researcher intimidation undermines confidence in the company’s security claims and suggests a priority on reputation management over genuine security improvement.

Further concerns arise from DJI’s tendency toward misleading or demonstrably incorrect statements regarding security matters. When questioned by regulatory authorities or investigative journalists, DJI’s responses have frequently been less than forthright. For detailed case studies of these problematic communications patterns, refer to Appendix B.

While DJI has made progress in clarifying developer processes and addressing certain disclosed vulnerabilities, the company continues to issue questionable statements that contradict available evidence (Appendix C). DJI’s 2025 Security White Paper claims comprehensive resolution of all vulnerabilities and asserts the absence of hidden data transmission pathways. However, independent security researchers have documented unresolved Common Vulnerabilities and Exposures (CVEs) and continued code opacity. Notably, the white paper omits discussion of the MIMO/GO4 dynamic code loading mechanisms that independent researchers have identified as ongoing concerns. Although many technology companies occasionally gloss over issues or misstate facts, DJI’s pattern of such behavior persists even when addressing critical security matters, distinguishing it from industry peers.

Partial Remediation and Disputed Vulnerabilities

A particularly troubling pattern involves DJI’s tendency toward partial issue resolution and selective dispute of reported vulnerabilities. The Nozomi Networks research on the Mavic 3 (2023-2024) identified multiple QuickTransfer and Wi-Fi vulnerabilities. While DJI patched some issues, at least two vulnerabilities (CVE-2023-6949 and CVE-2023-6950) remain disputed, with DJI asserting these do not constitute legitimate security flaws and declining to provide fixes.

The 2023 NDSS symposium paper ‘Drone Security and the Mysterious Case of DJI’s DroneID’ presented academic findings of multiple critical vulnerabilities, including arbitrary command execution capabilities, remote crash vectors, and DroneID tracking system reversals. These findings directly contradict DJI’s previous ‘trust us’ security narratives and illuminate serious historical flaws in the company’s security architecture.

Earlier application security issues documented by Synacktiv, GRIMM, and River Loop Security demonstrate a pattern where DJI’s public statements emphasize fixes and frame vulnerabilities favorably, while independent follow-up assessments sometimes identify continued risky mechanisms in subsequent software versions. The combination of architectural complexity, deliberate code obfuscation, and proprietary update mechanisms prevents external parties from confidently asserting either ‘all clean’ or ‘definitely malicious’ status—precisely the ambiguity that proves problematic for high-assurance operational contexts. This operational security posture is notably abnormal for a company that publicly requests security reviews while simultaneously disputing results from multiple vendors and commercial security research firms.

Independent Research Findings

Independent security researchers, including Kevin Finisterre, Synacktiv, GRIMM, River Loop Security, Nozomi Networks, and academic teams from the NDSS symposium, have repeatedly demonstrated that while DJI’s offline operational modes can prevent automatic data exfiltration, the broader Android and iOS application ecosystem and firmware update mechanisms remain heavily obfuscated. These systems support side-loaded or opaque updates and have historically contained serious vulnerabilities and data leakage pathways. Although DJI has remediated several disclosed issues, others remain disputed or only partially addressed. Critically, the fundamental system architecture and design philosophy limit independent verification capabilities. In practical terms, DJI systems can be operated securely only under strict network isolation protocols and rigorous version control procedures. The broader software ecosystem and vendor posture do not justify institutional trust in sensitive or national security operational contexts without additional defensive measures.

The Primary Record System

DJI Flight Record Infrastructure (2015-2018)

Internal documentation recovered from legacy DJI developer materials provides insight into the company’s early flight record infrastructure, which operated on two central server endpoints:

•      Production environment: https://mydjiflight.dji.com

•      Test/Staging environment: http://flight-staging.aasky.net:9090

These servers accepted uploads of compressed flight logs through a REST API architecture. Flight data files were transmitted in compressed format (.txt files compressed to .zip) via API calls structured as /flight/zipupload?token=&filename=.

Successful uploads received JSON acknowledgment with code 0, while additional API endpoints provided flight summaries (/flight/overview) and user statistical information (/flight/query/userinfo).

Each API response payload included sensitive user identity fields such as email addresses, aircraft serial numbers (SN), GPS coordinate data, and cumulative flight metrics including total flight time, distance traveled, and maximum altitude achieved. Associated server logs reference Elasticsearch indices (fly_records-*, activation-*) and a secondary analytics node at portal.aasky.net utilized for supervisory analytics and audit trail synchronization.

Collectively, these architectural components indicate that DJI maintained a unified telemetry collection infrastructure linking user account identities, aircraft identifiers, and flight trajectory data in near real-time. While this design enabled robust fleet analytics and operational monitoring capabilities, it simultaneously created a centralized aggregation point for sensitive flight operations and operator identity data under infrastructure controlled by a Chinese entity, raising significant concerns regarding data sovereignty, operator privacy, and potential intelligence exploitation.

Vulnerability Timeline and Data Analysis

Historical Vulnerability Context (2016-2017)

To provide a historical perspective on the severity and scope of early DJI security issues, examination of the 2016-2017 period reveals clear and serious vulnerabilities. The accompanying figure illustrates security issue distribution by severity category and provides a rough quantitative assessment of vulnerability prevalence during this formative period.

Comprehensive Vulnerability Dataset (2017-2025)

Figure Description: The stacked bar chart presents a complete vulnerability dataset encompassing all severity levels from policy advisories to critical exploits. This visualization shows the yearly distribution of publicly disclosed DJI security vulnerabilities categorized by standard severity classifications: Critical (red), High (orange), Medium (yellow), and Low (green). Data sources include the CVE Database, NDSS academic research, Nozomi Networks security research, Synacktiv technical reports, GRIMM security assessments, HackerOne vulnerability disclosures, and government policy advisories.

Operational Security Guidance and Best Practices

For organizations and individuals who determine that DJI platforms are appropriate for their operational context despite the security concerns outlined above, the following best practices represent minimum security baselines. These recommendations assume deployment in security-conscious environments and may require additional hardening for high-sensitivity operations.

1. Enable and Verify Local Data Mode

•      Activate Local Data Mode (LDM) or Government Edition (GE) mode on all aircraft and control devices

•      Conduct network traffic analysis to verify zero egress during flight operations (monitor Wi-Fi and cellular interfaces)

•      Implement version locking protocols once validated; prohibit application or firmware updates without comprehensive re-testing

2. Control Removable Media

•      Remove SD cards physically and transfer footage through manual processes only

•      Utilize trusted, encrypted computer systems or storage devices for data transfer operations

•      Never synchronize SD card content through DJI cloud services unless data has been sanitized according to organizational data handling protocols

3. Avoid DJI Cloud Infrastructure

•      Prohibit upload of flight logs, imagery, or video content to DJI servers by default

•      If logs must be shared for technical troubleshooting, export offline first and redact sensitive operational data

•      Treat DJI cloud infrastructure as untrusted storage regardless of stated security controls

4. Implement Software Update Controls

•      Restrict DJI application installations to official sources only (Apple App Store or Google Play)

•      Block third-party SDKs, analytics modules, and side-loaded updates

•      When updates are operationally required, conduct comprehensive re-testing to confirm LDM continues preventing all network egress

5. Continuous Audit and Verification

•      Implement periodic network traffic monitoring during flight operations to confirm zero-egress posture

•      Following each firmware or application modification, repeat complete validation procedures

•      Maintain known-good baseline builds with rollback capability if updates introduce security regressions

6. Operator Security Discipline

•      Aircraft security requires continuous ecosystem scrutiny

•      Treat every data transfer event (SD card, USB, cloud synchronization, Wi-Fi) as a security-relevant operation requiring logging

•      Maintain detailed operational logs documenting when and how data was transferred or accessed

Operational Summary: DJI aircraft operating in Local Data Mode or Government Edition with validated zero-egress have demonstrated secure operation in controlled testing environments. However, this security posture requires strict adherence to data handling discipline, operator-controlled media management, complete avoidance of cloud services, and treating every software update or data upload event with appropriate operational security suspicion. Deviations from these protocols may compromise the security baseline.
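One way to implement the zero-egress verification called for in steps 1 and 5, as an added example that is not the article's or DJI's code: it parses a constructed connection log of the kind exported from a lab access point or tshark while the controller flies in Local Data Mode, and flags every flow that leaves the isolated lab network, separating the DJI collection endpoints named earlier in the article from any other destination. The lab subnet, the log format, and the sample log lines are assumptions.

```python
# Added example (not the article's or DJI's code): zero-egress validation of
# a DJI controller in Local Data Mode from a constructed connection log.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# Constructed sample log: "timestamp src dst:port host bytes_out"
SAMPLE_LOG = """\
2025-05-01T10:00:01 192.168.50.12 192.168.50.1:53 - 64
2025-05-01T10:00:02 192.168.50.12 192.168.50.20:8080 ground-station.lab 2048
2025-05-01T10:03:15 192.168.50.12 203.0.113.40:443 mydjiflight.dji.com 51200
2025-05-01T10:04:02 192.168.50.12 198.51.100.9:9090 flight-staging.aasky.net 8192
2025-05-01T10:05:00 192.168.50.12 192.168.50.1:123 - 48
2025-05-01T10:06:30 192.168.50.12 192.0.2.77:443 cdn.example 1200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\d+)$")
LAB_NETS = [ip_network("192.168.50.0/24")]  # assumed isolated lab range
VENDOR_DOMAINS = ("dji.com", "aasky.net")   # collection endpoints named above

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    host: str
    bytes_out: int

def parse_log(text):
    """Parse log lines into Flow records; malformed lines are dropped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, host, nbytes = m.groups()
            flows.append(Flow(ts, src, dst, int(port), host, int(nbytes)))
    return flows

def classify(flow):
    """'local' stays in the lab, 'vendor' reaches a DJI collection host,
    'external' is any other off-network destination."""
    if any(ip_address(flow.dst) in net for net in LAB_NETS):
        return "local"
    if any(flow.host == d or flow.host.endswith("." + d) for d in VENDOR_DOMAINS):
        return "vendor"
    return "external"

def egress_report(text):
    """Summarise a log; zero-egress holds only if no flow leaves the lab."""
    flows = parse_log(text)
    violations = [f for f in flows if classify(f) != "local"]
    bytes_by_kind = {}
    for f in violations:  # bytes sent per destination class, for the report
        kind = classify(f)
        bytes_by_kind[kind] = bytes_by_kind.get(kind, 0) + f.bytes_out
    return {"flows": len(flows), "violations": violations,
            "bytes_by_kind": bytes_by_kind, "zero_egress": not violations}
```

On the sample log, egress_report(SAMPLE_LOG) reports zero_egress as False, with two flows to vendor hosts and one to an unrelated external host; a validated LDM build must produce an empty violation list across the whole test flight, and the same check is repeated after every application or firmware change.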

Conclusion and Risk Assessment

This comprehensive analysis demonstrates that DJI drone platforms present a complex security landscape characterized by historical vulnerabilities, ongoing architectural concerns, and patterns of problematic vendor behavior. While technical controls such as Local Data Mode can mitigate certain risks when properly implemented, organizations must carefully evaluate whether DJI platforms align with their security requirements and risk tolerance.

For non-sensitive commercial applications with proper security controls, DJI platforms may represent acceptable risk. However, for government operations, critical infrastructure protection, law enforcement, military applications, or any context where adversary exploitation could produce significant consequences, decision-makers should carefully weigh the documented security concerns against operational requirements. Alternative platforms with more transparent architectures, stronger vendor security postures, and clearer supply chain provenance may warrant consideration for high-sensitivity operational contexts.

The security maturity trajectory illustrated in the DJI Security Professionalization Timeline suggests that while the company has made progress in certain areas, fundamental concerns regarding transparency, vendor trustworthiness, and architectural verifiability persist. Organizations deploying DJI platforms must implement robust compensating controls, maintain continuous monitoring, and remain vigilant regarding emerging vulnerabilities and threat intelligence related to these widely deployed systems.

Appendix A: Major Security Issues 2017-2025

Appendix B: Pattern of Misrepresentation and Disputed Fixes (DJI 2017–2025)

Appendix C: DJI Security Professionalization Timeline

Robi Sen

Discover more from sUAS News