Should Dahua And Hikvision Open Source Their Camera Firmware?

John Honovich
Mar 13, 2017
IPVM

From member in the Hikvision Firmware Decrypted comments:

Here's an interesting thought. I'm not sure I agree with my thought yet, but it's worth a discussion... how about Hikvision just open sources their camera firmware? They make money on hardware sales and if they open source it, they would benefit from the community contributing to their code (or at the very least scrutinizing the security vulnerabilities). There may be a few pieces that they'd want to keep to themselves, like any advanced encoding features, or perhaps some of the analytics, but they could also benefit from the transparency of allowing others to see the source.

So what do you think?

Vote below / comment inside:

Brian Karas
Mar 13, 2017
IPVM

I voted no. Managing roadmaps, new features, and QA would be difficult (IMO) using an open-source development model. I don't think Hikvision suffers from a lack of engineering resources, a multi-billion dollar manufacturer should not need to rely on open-source developers to build a good product.

What I think they should do is start a real bug-bounty program though. No manufacturer is doing this, and I think there is a need for it. Start at a number that encourages people to find and report bugs/security issues, maybe $1,000 per bug to start. It would likely be cheaper for them to just pay people who find issues, and manage the information flow, than to be in reactionary mode.

Doing this would help dispel concerns around backdoors, and signal that they are serious about finding and fixing ALL issues. It would also hopefully encourage other manufacturers to do the same thing.

In order to get the most out of this, they might need to release some (or all) of the firmware code, but more for purposes of analysis than to ask for open source code check-ins.

Andrew Tierney
Mar 14, 2017

You can open source a product and keep all development in house. Open source doesn't mean random developers on the internet all collaborating.

Robert Shih
Mar 13, 2017
Independent

I've been calling for some form of this since my very first topic on IPVM. It doesn't need to be their official code stack, but it can be part of an enthusiast's branch or something.

Eddie Perry
Mar 14, 2017

I don't think the IP camera industry is run in a way that open source can be a viable option.

For one, most of the hardware is proprietary or OEM, and designed to do one or two specific things: send/record video or function as an alarm in some fashion. It is not the same as buying a PC or PC hardware, then deciding whether you want Linux or Windows on it, and trying to get the most out of software updates to get the absolute maximum potential out of your PC hardware.

The security camera industry sells solutions, proprietary brand solutions. They don't focus on selling the best imager chips or SDRAM, or even processor and encoding chips.

You don't build a security camera to your hardware liking and then upload an OS to see how much you can get out of it. You buy a preset, preloaded, proprietary camera for an approved proprietary recording solution.

Now, unless the model changes, I don't see anything changing from how it is now.

Robert Shih
Mar 14, 2017
Independent

Except one company in the industry can easily change the model if they so choose. Putting the power in the installer's hands is an advancement in and of itself.

Andrew Tierney
Mar 14, 2017

I don't understand why any of these are barriers to the product being open source.

Eddie Perry
Mar 14, 2017

Open Source: denoting software for which the original source code is made freely available and may be redistributed and modified.

Now look at the security industry and how it is run now. You think Avigilon is going to open source their analytics and other software that they sue everyone else for using?

You think the Chicoms are going to let you engineer software that they can't control without government approval?

You think all the VMS platforms that reap their income on yearly license fees are going to give up that power for free?

It is in most cases a single-function software: get the best quality images/video to a medium for later retrieval in case something happens. You do work on hardware used for video surveillance; you cannot game on that hardware, and you cannot check your Twitter on a surveillance system.

There is also not enough hardware diversity on the camera end for open source to be feasible. They are all made by the same handful of manufacturers for a whole host of name brand and knock-off companies across the world.

Besides, if you really want to roll your own, you can buy dev kits:

http://www.latticesemi.com/hdr60

https://www.ambarella.com/products/security-ip-cameras

https://www.leopardimaging.com/Thermal_IP_Camera_Dev_Ki.html

These companies, regardless of what you think of them, are paying for development on these cameras, and they have been paying on them for a while. When dev kits are as affordable and plentiful as Raspberry Pi kits (~$100), then you may see some open source development come through; otherwise I would dare say it will be same old same old till the Chicoms force all the other manufacturers out of business.

Then you will have a whole new animal to deal with.

Campbell Chang
Mar 15, 2017

Why only Hikua?

Why not every other manufacturer under the sun?

Robert Shih
Mar 15, 2017
Independent

Because western programmers are free thinking and efficient as opposed to being chained up drones that go through miles of red tape just to make simple commits to fix broken code.

Edit: And I know this since my younger days playing free-to-play mass produced Asian (mostly Korean) MMOs. Code commits are an absolute pain for Asian companies and most of them are on a monolithic permissions structure steeped in SVN. Dahua is definitely one of these archetypes and has yet to move to Git and they consider anything outside of this structure a "cybersecurity risk". Funny how that hasn't stopped their problems.

Andrew Hogendijk
Mar 20, 2017

Open source for embedded devices such as cameras and NVRs can be broken (and probably should be) into at least three separate components:

- The underlying operating system (usually Linux based)

- The hardware drivers (i.e. the code that controls the chips)

- The web interface and network components

This would allow the baseline of any component to be openly 'studied' and penetration tested. The result would be a more secure embedded infrastructure for a manufacturer to work from and a vastly improved trust model.

The proprietary features of a device can be added on top of the baseline components, thus preserving the intellectual property - they would remain closed source. This is similar to how the Raspberry Pi is currently operating with its Broadcom chip. Effectively a binary bundle is provided (i.e. compiled code) and the source code for the bundle is never released. This hybrid approach appears to be working well.

I am very much in favour of making the connected devices as secure as possible. Security by obscurity cannot ever be a trusted model in an IoT world. The devices need to be able to stand up to all scrutiny. Even then vulnerabilities will be found, as is the case with every operating system, but at least the opportunity exists to rectify it quickly and understand it clearly for what it is.

Just my 2c

Andrew

David McNeill
Mar 20, 2017

With benefits for both manufacturer and integrator.

Base platform issues & preferences could be resolved by integrator without requiring new firmware.

Much better scripting, logging, integration and remote management would be possible.

Manufacturers' weird deficiencies in their web interfaces could be worked around.

Out of date or unpatched base or kernel components would be easily seen, notified & rectified.

Manufacturer retains control of their clever code in their chip and app layers.

All round just makes the devices more useful. A point that has to be appreciated by top leadership of manufacturers and integration customers. What techs think on both sides won't matter to them.
