EULAs Prohibit Decompiling Source Code - Impact on Cybersecurity Research Examined
Will you get sued for finding a vulnerability? In their EULAs, manufacturers widely prohibit decompiling source, a core step in finding most vulnerabilities.
In this report, IPVM examines:
- Prohibitions against reverse engineering from Axis, Hikvision, Dahua, Avigilon, Cisco, Huawei, Samsung, Google, and Apple
- Prohibition to protect IP
- Dahua's special 'confidentiality restrictions'
- Security researcher sued by Cisco and ISS for decompiling
- Court decisions on prohibition's enforceability
- Legal protections for security researchers
- Comments from Dahua, Cisco, Axis, and Motorola Solutions
Executive *******
***** ***** ************ ******* ******* *********** are ****** ** *****, **** *** historically *** ******** ******* ************* ***********. Cases ******* ******* *********** *** ******* engineering ***** ********** ****-***** ******** *** rare. ** ** ********* ********, ********** given *** ******** ************ ********, ** risk *******.
***** *** ***** ******* ** **** questioning ***** ***** *****, *********** ************* researchers ** **** **** **** ** findings. ******** *** **** ******** ** comment.
*******, ***** *** ** ******** "*************** restriction" ******* ********** "*** *********** ** the ********". ***** ******** ** ******* on **** ** ****.
Clauses *********** *********** **** ******
******* *********** *********** **** *** ****** in ***-**** ******* ********** (****). *** clauses *** ******* *********, *********** ***** from "******* ***********, ***********, ** *************" the ******** ****.
******** ** ***** ******* *** ***** language *** ********* ***** **** ****-***** security *** ********** *********, **** *** relevant ******** **********.
********:
****** ** ********* ********** ** *** Agreement *** *** *** (*** *** may *** ***** ****** **** **): 4)reverse ********, *********, *********** ** ********* ******* ** ****** ****** ** *** ****** **** ** *** ********, or any part thereof.
****************** ******* *********:
****** ** ********* *** *** ** this *** ** ** ********* ** any ********** ***, *** *****: *)Not ** ***********, *********, ******* *********** ** ****** ********** ***** ***** ** *** ***** ** *** **** ** *** *********, or attempt to do any such activities, except and only to the extent that such activity is expressly permitted by Hikvision or applicable law notwithstanding this limitation.
************* ******* *********:
************ ** ******* ***********, ********* *** disassemble.You *** *** ******* ********, ********* ** *********** *** ********.
************ *** ******** ******* ****** ****** 3:
*. ******* ***********, *************, ***********.You *** *** ******* ********, *********, ** *********** *** ********, *** *** ******* ** ** ** ***** ****** ** *** ********* *********** ** **** *********, except and only to the extent that such activity is expressly permitted by applicable law.
******** **** ******* *********:
****** ********* ****** ** *****, *** may *** ...(d) ******* ********, *********, *******, ***********, ******, ** **** ********** ***** ** *** ***** **********.
**********:
****** ** ********* ********* *********,you ***** ***, *** ***** *** ***** ****** ** ****, ******* ********, *********, *********** ** ****** *********** ** *** ********. In addition, you shall not, nor allow others to, or attempt to export the source code of the Software, or decode or modify the Software or any part of the Software or the services that it provides.
***********:
****** ** *** ****** **** * restriction ** ************* ***** ***** ***,you *** *** ******* ********, *********, ** *********** *** ******** *******. The SOFTWARE PRODUCT is licensed as a single product, and its component parts may not be separated for use on more than one computer. Except to the extent such a restriction is unenforceable under local law, you may not modify, amend, or create derivative works of the SOFTWARE PRODUCT.
*********** ** *******:
You *** *** (*** *** *** *** ****** ****** **** **) ****, ******, ****** * ********** **** **, ******* ********, ********* ** ********* ******* ** ******* *** ****** **** ** *** ******** or any part thereof, unless this is expressly permitted or required by law, or unless you have been specifically told that you may do so by Google, in writing.
************* *********** ****:
You *** *** **** (****** ** ********* ********* ** **** ******* *** *** ***** *****), *********, *******-********, ***********, ******* ** ****** *** ****** **** **, ******, ** ****** ********** ***** ** *** ******** ***********, any updates, or any part thereof (except as and only to the extent that any foregoing restriction is prohibited by applicable law or to the extent as may be permitted by the licensing terms governing use of any open-sourced components included with the Licensed Application).
Dahua '*************** ***********'
**** *****'* ******* ********* **** ******** a "*************** ***********" *********** ********** *********** of *** ******** ** *** ***** party ******* *****'* ******* *******:
*************** ***********: *** *** *** ******** the *********** ** *** ********, ** any ***** **********, **** *******, ********* secrets ** *** **** ************ *********** derived **** *** ******** ** *** third ***** ******* *** ******* ******* of *******.
Decompiling *********** ***** ** ******* **
***** ******* ********* ***** ** ** effort ** ******** ***** **** *********** discovering ***** ******* *** ******* ** by *********** ****. ******** ******* *********** cases **** ****** **** ****** **** the ********* ** **, ****** **** decompiling **** *** **** ** *********** bugs *** ***************. *** *******, ****** *********** *. ********, * ***** **** ********* (********) was **** *** ******* *********** *** Sega ******* ** **** ********** *****.
Cases ******* ************* *********** ****
***** ******* ************* *********** *** ********* EULAs *** ****, ******* *** **** that ***** *********** *** *********** ****** code ***** ***** ** **** ** justification *** ***** ******. ******, **** could **** **** *** **** *** that *** ** ***** ***.
IBM ******** ********** **** *** ***********
** ****, ** *** ******** **********, Mike ****, *** **** ** ***** and *** ******** ******** ********* (***) for ****** * ************ ** * vulnerability ** ***** ******* ***** ** discovered ******* ******* ***********. ** *** time **** **** *** ************ ** Black ***, ***** *** ******* ***** the *******, *** *** ******,******** *******,***** **** *** "****** *********"**** ***** *** *** **** ******:
**** **** **** ***** *** ***** the ******* ** ***** *** ******* distributing *** ********** ****, *** ** was ****** ********* **** *** ******* did *** ** ****** ****** ** persuade *** ********* ** ******* ********, or ** ******* ** **** *** upgrading *** *********.
*******, ***** *** ***'* **** ****** against **** **** ********* *** ***** secret *****. *******, *** ** *** surveillance/cybersecurity ******* ** *** ****, ******:
* *** ****** **** ******* ** was ******** **** **** *** **** wrong. ** ******** ** ** ***** things. *****, *** ***claiming ********t in the presentation that Mike had given on Wednesday morning. Second, Cisco was claiming ********* ** *** ********** ******* **** that Mike obtained from the Cisco binaries and had included in his slides. And finally, Cisco was claiming ***** ****** in the information Mike had obtained by decompiling and studying Cisco source code. The complaint also alleged that Mike had breached his nondisclosure agreement with ISS.
******* **** * *********** ******* ********* the **** **** *** ****** *** the ***** ****** ********* ***** *** accused **** **:
*** ** **** ***** ******** *** that ********* ** ** *** **** License ********* ** *** * ***** secret *********. "******** *****" ******** * breach ** * **** ** ******** secrecy. *** *** **** *** *** impose * **** ** ******** *******. It *** ****** * ******* *** to *******-********. * ********* ** **** promise ** * ********* ** ********, but *** ** ******** ***** ** discovering * ***** ******.
*** **** *** ********** ******* ******* the ******* ****** ** *****. **** and ***** *** ****** "*** ** disseminate *** ************, *** ***** ** the ********** **** *** *******, *** Lynn ****** *** ** *********** *** of *** ***** ** ****** ** while ** *** ** ***."
Circuit ********* ****** ** ******* **** ******* ***********
***** ***** *** **** ****** ********* about ******* ******* *********** ******* *********** clauses *** ***********, *** ********* ****** have ********* ******** ** ******* ** not ** ******* ***** *******. ********, all ** ***** ***** ******** *********** vs ************* ********. *********, ** ** unclear *** ****** ***** **** ** a ******** ********** ******** *** **** while ********** ****-***** ********.
*** *******, *** ***** ******* (*** a ******** ****) ***** *** ******* engineering ****** *** *********** ** ******** v. *****. *******, *** ***** ******* (including **********) *** ************ ******** ** enforce ***********-**** ******* **********. *** ************** ***** ******* *** *********** *** "waived ***** **** *** ****** [** reverse ********] ******* *** ****":
*** ****** ******* **** ****these ****-****** *****-******* ******** **** *********** ********* and that the *********** ******** ******* ***** ** ********'* ****, ********* *** ******* ** ******* ***********. Even though reverse engineering is a fair use under federal copyright law, the programmers waived ***** **** *** ****** ******* *** ****. [emphasis added]
*******,******** **** *** ****** ******, * ***** **** ** *** resource, ***** **** *** **** *** not **** **** *********** ** * different *******:
Other ********, ******* *** ***** *******, **** ******** ** ******* ******* ******-**** ******* **********, suggesting that Blizzard’s choice in selecting the district court in Missouri rather than its home state of California was a tactical decision to keep the case out of the Ninth Circuit on appeal. [emphasis added]
******, ******** *** ******/*************'* ***** **** ***********/******-**** ********** "*** less ****** ** ** ******** ** valid ********* **** ****":
** *******, *********** “**** ** ** leave **” ********** **** ****/***/**** *** less ****** ** ** ******** ** valid ********* **** ****, ********* **********, and *** ****. *** ****** ***** of ********* *** ******* ********, ***** relates ** *** **** **** **** are **** ********** (** *********) *** deliberately ******* ****.
Protections *** ******** *********** ***** ******* ********** ********* *** (****)
*****, ******** *********** **** **** ************ protected ** **** ** **** *** conducting "****-***** ******** ********", ** ******* from* ******** ******** *********** *** ******** ********** ********* *** (DMCA) ** ****. *** **** ** a ******* *** **** *** ******* as ** ****-****** *******, *** ** also **** ** ********* *** *********** to ****** *********** ********. *** ***********:
**** *** ****** ** * ***, the ********* ** ******** *** ********** security *********** *** *** ****** ** good ***** ** ******* ********** ******** on ******** ******* ** **** ** the ******** **** *** ******* ***** laws **** ** *** ******** ***** and ***** *** (****).
********** ********** ********* *** (****)***** ** ******* ** ********** ******** that ******* ****** ** *********** ********. The ****** ** **** ***** *** DMCA, *********** ***’* *********** *** ******** security *************** ** ***** ** ******** reverse *********** ** ************* ******** **** as ********** ****. ********** **** **** a ***** ****** *** **** ******* conduct ******* **** ** ***** ********.
*******, *********** **** **** * ****** "research ***********" ** ** ********* ***** the *********:
***** *** ** ***** ***** **** requirements *********** **** **** **** ******* up * ******** *********** ** ***** to **** ***** *** *********. *****, the ******** *******, ** *** ******* on ***** ***** ******** ***, **** be “******** ********.” ******, ****** ********, *** ****** and ******** ******* ****** ******* “****** *** *** ******* ** ****-***** security ********.” **** *****, ** ****, **** the ******** “**** ** ********* ** * ********** setting ******** ** ***** **** ** individuals ** *** ******.” *****, *** ******** **** *** begin ****** *****,******* **, ****.
"****-***** ******** ********" ** "******* *** in * ********** *********** ******** ** avoid *** **** ** *********** ** the ******" *** "*** *********** ******* from *** ******** ** **** ********* to ******* *** ******** ** ****** of *** ***** ** ******* ** machines ** ***** *** ******** ******* operates." *******, *** ********* **** *********** disclosure ** "*** ** *** ******* to ** ********** ** *********** * person's *********** *** *** ******** ******* exemption." *******, *** ********* *** *** provide ******** ********** *********, ****** "******** seem ******* ******* ** **** [******** disclosure *********] *****."
*** *** **** ** ******* ** "good-faith ********":
**, ** *** **** *** ** the ************, **** ********* ********* ****** you ** **** * ********* ******* to ****** *** **** **** ** attacker ***** ***** **** ***** ** combust ** ******** ******* **** ******* pastry *****.But, ** ******, ** **** *** ********* ****** ** ***** * *******, **** **** * ********’* *******, ** *** ******** ** **** ** ***** ********* ** ********* *********. [emphasis added]
Dahua *** ***** **** **** **** **** ***********
***** **** *** ******** ******** ** comment, ***** *** ***** ********* ****** they "********* *********** *** ******** ********* risks... ** ******* **" *** "******* engagement **** ***********."
*****'* *******:
************** ** **** ************ **** *** security ******** ********* *** ** ******* engagement **** *********** ********** *** *********, fixing, *** *********** ********** ** ******** vulnerabilities.
***** *******:
***** *** *** ******** ***. ********** with ******** **** ********* ********* *** identification *** **********, ***** ********** *** appreciates ************* *********** *** ******** ********* risks *** *************** ** ********, ** contact ** *** ***** ******** ******** with *** ******** ************.
*******, ***** *** *** ******* ***** the *************** ****** *** ******* ******* Dahua ******** ***** ******* ****.
**** ************ ******** ** ******* "******* of ******** ********":
******* ** ******** ********, ** ***’* wish ** ******* ** *** ********** when ******** *********** ******** ** ** cybersecurity ******* *******.
**********
******** ******* *********** ** ******** ********** in *****, ************* *********** ********* **** not ** **** *** ********* *** clause. *******, *********** ***** **** ** act ** "****-*****" *** *********** ******** their ********. ****'* ******** ****** *** be *********** ** ***** ******, *** researchers ****** ******* ** ******** ** they *** ********* ***** * ******** circumstance.
* ** ***** ** ***** ***** too **** **** *** * ***** adding **** ************ ** *** ******* about ****** *** ****** ******** ***** be ******* *** ***** ******* **** may *** ** ******** 😊
****** *** **** ********, *****. *** those *** ********, * *** ****** program ******* ***** ** *********** *** report **** ** *** *******, ********** those **** *** **** ** ******** vulnerabilities.
***** *** ****** ******** *** ****** in **** *********, **** *** *** as ****** ***** ***** ************ *************. For *******,********************* **** ******* *** ****** ******** for *****, ** **** **** ***** tech ********* ****** ****.
*******, ** *** ************* ** ********* in *** ******, *********, *****, *** Axis *** ** *** **** *** bounty ********, **** ************** *********** *** ******* "**** *** ******* any *** ****** ********." ******** ********* operates * "*** ********** *******" *** **** *********** *** ** eligible *** * ******. **** ** not ********* ** *** ******, *** it ** *** ************ ******* ********** * *** ****** *******.
******* ***'* **** ***** *****. **'* in * *******'* **** ******** ** treat ************* *********** ****, ******* **'* easy ** **** *************** ** ******* or ******* ***********. * *** ** hacker/researchers **** ****** ****** ***************, ** when * ******* *****'* ***** **** well, **'* **** *** **** ** flip *** ****** *** ***** ******* to ****** *** ********** **** ******.