
Online Reverse-Engineering of IoT Firmware?

As part of my master's thesis, I am analyzing a large number of firmware images in an automated way to uncover weaknesses in the software. These firmware images are operating systems for IoT devices from various manufacturers and device classes, such as routers, surveillance cameras or WLAN access points. During my analysis, the firmware images are automatically unpacked and the software version of the individual components is recorded. The aim is to investigate whether outdated standard components are used in the software. In addition, it is examined whether the individual components have protective mechanisms that make it difficult to exploit a vulnerability (so-called exploit mitigations).

I download the firmware images from the public websites of the device manufacturers. In addition, I would like to publish a website via which an Internet user can upload any firmware image, which is then analyzed, and then receive the analysis results for this firmware.

My aim is to get the broadest possible picture of the IT security level of common IoT devices, regardless of the manufacturer. Since unpacking the firmware could be viewed as reverse engineering, I am unsure about the legal situation.

Apparently there has been a new law since 2019 that explicitly allows unpacking and analyzing software. Here is an excerpt from a blog post:
"Furthermore, companies must note that the GeschGehG - in contrast to the old legal situation (§ 17 Paragraph 2 No. 1 UWG a.F.) - expressly permits reverse engineering. Accordingly, the trade secret can be lawfully obtained by "observing, examining, dismantling or testing a product or item". Although this only applies if the product has been made publicly available or if the product is lawfully owned, companies must also try to make protection as comprehensive as possible. [...] It is more problematic if a product has been made publicly available; in this case, the law at least does not explicitly provide for the possibility of excluding reverse engineering. In any case, this is not possible within the framework of the general terms and conditions, since this would deviate from the legal model so that the clauses would be ineffective."

Additional question: On the website of a Chinese manufacturer of surveillance cameras, the firmware can only be downloaded if the user has previously consented not to reverse engineer or decompile the software. If I understand the paragraph above correctly, this clause is ineffective, right?

 

First, no lawyer in this world will ever give you a 100% freedom-to-operate guarantee for this issue. The fact that some reverse-engineering is allowed by law in some countries does not mean that your ...