SavvyTech Security | 10/03/16 03:41pm
I was thinking that something like Asus-Merlin, DDWRT, or OpenWRT can be implemented for IOT devices like IP Cameras, NVRs, and DVRs. At this point, open source or a semi-limited community driven program might be faster in evolution with the right minds behind it. And depending on the hardware company that an open source platform be based off of, I also like the idea of having community sourced features be backported just like Asus did with their firmware (with the community's or developer's permission, of course).
While I understand the risks involved with opening up the source to more than just internal development, certain design and security measures can ensure that access to devices implementing this firmware have no remotely accessible backdoors. I really like the idea of port knocking as proposed by Brian Karas and I would like to see if strongSwan can be an additional layer of security. Essentially, features like these may be best tested by independent developers and hackers out in the field before being brought in a refined manner to the industry.
Heck, I'd love to work with you all to develop a program like Microsoft TechNet/MSDN for Dahua that would combine an early-adopters' program for new hardware and firmware so that a company can actually evolve with the needs of the people who know these products best. Of course, I would have to pitch this to the relevant people (wish me luck if it comes to that), but I want to hear the thoughts of the community first.
My ideas involve:
- Potential membership fees to support this effort (or other requirements involving purchase volume, etc. to ensure dedication to the effort)
- Additional member exclusive warranty clauses covering experimental use that would allow for members using new devices to feel good about trying new products and finding new applications for Dahua products
- Intellectual property protection sharing credit within the community for their contributions
- Standardized NDAs to protect cybersecurity concerns, corporate espionage, and new product release announcements
- Direct access to the dev team and our own communication channel through Slack (something else I'll probably have to pitch to them), fully paid for
- Our own github with bleedover into their own development stack (also would love to get Dahua onto github altogether)
- Updated SDKs and documentation to allow for better community driven development
- Exclusive pricing for Dahua products through any of their authorized distribution channels (no requirement to use branded equipment)
- Recommendation for beta products to be released unbranded to avoid revealing what Dahua hasn't officially released yet
- Maybe Dahua DieHards (abbreviated as DHDH) could be a fun name for the club?
Overall, can this work? Would integrators implementing Dahua on a regular basis be interested in joining and contributing? Could this truly drive Dahua and the whole security industry forward? Will Dahua even listen? I'm ready to try if any of you are.