Subscriber Discussion

Can IOT Firmware Development Be Taken Open Source? What About An Early-Adopters' Program?

RS
Robert Shih
Oct 03, 2016
Independent

I was thinking that something like Asus-Merlin, DDWRT, or OpenWRT can be implemented for IOT devices like IP Cameras, NVRs, and DVRs. At this point, open source or a semi-limited community driven program might be faster in evolution with the right minds behind it. And depending on the hardware company that an open source platform be based off of, I also like the idea of having community sourced features be backported just like Asus did with their firmware (with the community's or developer's permission, of course).

While I understand the risks involved with opening up the source to more than just internal development, certain design and security measures can ensure that access to devices implementing this firmware have no remotely accessible backdoors. I really like the idea of port knocking as proposed by Brian Karas and I would like to see if strongSwan can be an additional layer of security. Essentially, features like these may be best tested by independent developers and hackers out in the field before being brought in a refined manner to the industry.

Heck, I'd love to work with you all to develop a program like Microsoft TechNet/MSDN for Dahua that would combine an early-adopters' program for new hardware and firmware so that a company can actually evolve with the needs of the people who know these products best. Of course, I would have to pitch this to the relevant people (wish me luck if it comes to that), but I want to hear the thoughts of the community first.

My ideas involve:

  • Potential membership fees to support this effort (or other requirements involving purchase volume, etc. to ensure dedication to the effort)
  • Additional member exclusive warranty clauses covering experimental use that would allow for members using new devices to feel good about trying new products and finding new applications for Dahua products
  • Intellectual property protection sharing credit within the community for their contributions
  • Standardized NDAs to protect cybersecurity concerns, corporate espionage, and new product release announcements
  • Direct access to the dev team and our own communication channel through Slack (something else I'll probably have to pitch to them), fully paid for
  • Our own github with bleedover into their own development stack (also would love to get Dahua onto github altogether)
  • Updated SDKs and documentation to allow for better community driven development
  • Exclusive pricing for Dahua products through any of their authorized distribution channels (no requirement to use branded equipment)
  • Recommendation for beta products to be released unbranded to avoid revealing what Dahua hasn't officially released yet
  • Maybe Dahua DieHards (abbreviated as DHDH) could be a fun name for the club?

Overall, can this work? Would integrators implementing Dahua on a regular basis be interested in joining and contributing? Could this truly drive Dahua and the whole security industry forward? Will Dahua even listen? I'm ready to try if any of you are.

(1)
Avatar
Jon Dillabaugh
Oct 03, 2016
Pro Focus LLC

I love the idea of moving the industry forward. Not being a developer, I'm unsure what most of the initiatives mean here, but if the goal of moving to a more secure, quicker to resolve issues platform is the key, I'm all for it. I don't know the extent that an integrator like myself can contribute. I am willing to assist in testing products in the field. We have a diverse set of clients and could easily test for a given scenario.

U
Undisclosed #1
Oct 03, 2016
IPVMU Certified

How do we get Dahua to open source their code, again?

RS
Robert Shih
Oct 03, 2016
Independent

Let me worry about that. Suffice to say, it'll involve a non-monetary bribe involving me and a fancy microphone. Gives a whole new meaning to singing for my supper. The more interest there is though, the higher possibility this comes to fruition.

U
Undisclosed #1
Oct 03, 2016
IPVMU Certified

I think if you really wanted to take the time to decompile the binaries you would find plenty of embedded open source, which could be leveraged in your second act, the dance.

(1)
RS
Robert Shih
Oct 03, 2016
Independent

Actually, I have a Blue Yeti Pro microphone and I'm deciding on either Marc Cohn's "Walking in Memphis", Queen's "Fat Bottomed Girls", or Axl Rose's "This I Love" (off of the Chinese Democracy album by Guns 'N Roses). That last one feels like seppuku on my voice box.

U
Undisclosed #1
Oct 03, 2016
IPVMU Certified

Nice choice.

Myself, I would use my Telnetfunken 2.5.1 running thru my SSL pre, singing Journey's Open ARM...

LB
Lee Brown
Oct 03, 2016

It is truly inspiring to see this kind of post.

I really believe that continued chronic cyber-security problems will do the heavy lifting. The "Security through Obscurity" crowd will need to adapt. It should be obvious by now that trusting audit free, closed binaries on customers networks is becoming extremely inconsistent with the mission of providing security. IoT is rapidly becoming the Internet of Bot Nets. The beauty of transparent code is that when vulnerabilities are discovered you can create a patch despite possible disinterest from the developer or community. Unfortunately with IoT, as it exist today, we have no way of understanding what is occurring over the pay-wall until we get the cyber-security headline.

Having a freely accessible, open source, repository of community contributed and maintained firmware images for Dahua or any other popular brand will probably receive very slow buy in unless combined with corporate sponsors and projects like node-Red and OpenHab. The Asus RT-AC88U router's DD-WRT compatibility likely means little to the average box store customer. The same is likely true for many integrators though this could mean having a greater number of deployment options as well as a consistent interface across various models even across different brands.

I could not find Brian's post on "Port knocking" so the following may be redundant.

Seems like "Fwknop", and/or its SPA(Single Packet Authorization) methods, could be implemented in firmware for IP based surveillance devices. Such an auth scheme could possibly piggyback on Onvif and make exploitable firmware(s) less discoverable to network scanners. Their github page mrash/fwknop describes some very practical concepts. The code should be easy to integrate with all the other GPLv2 and OpenCV code shamelessly residing in everyone’s proprietary camera firmware and/or VMS.

(2)
(1)
U
Undisclosed #1
Oct 04, 2016
IPVMU Certified
(1)
RS
Robert Shih
Oct 05, 2016
Independent

Well, ideas for the actual firmware itself are nice, but if a manufacturer's interested in letting us have an open source party and new hardware previews, I need ideas that'll make this appeal to independent developers, integrators, and the manufacturers themselves.

UE
Undisclosed End User #2
Mar 10, 2017

> The "Security through Obscurity"

This is exactly the problem, in Open Source you rarely find anything "Juicy" since the source code are reviewed by so many different people all the time, but in the "Closed" ones - there you will find security issues, and a lot of them.

 

(1)
RS
Robert Shih
Mar 10, 2017
Independent

So, I think it's wise to say that even after Dahua fixes their firmware, it'll need to re-evaluate its customer relations and its approach to the community. Shameless topic bump!

UE
Undisclosed End User #2
Mar 10, 2017

 

Why not go for Linux Foundation?

<quote>

It's not an embedded Linux distribution – it creates a custom one for you

The Yocto Project is an open source collaboration project that provides
templates, tools and methods to help you create custom Linux-based systems
for embedded products regardless of the hardware architecture.

https://www.yoctoproject.org/

</quote>

 

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions