
Ethernet MAC address as activation code for an appliance?

Let's suppose you deploy network-attached appliances (small form factor PCs) in the field. You want to allow these to call home after being powered on, then be identified and activated by end users.

Our current plan involves the user entering the MAC address into an activation page on our web site. Later our software (running on the box) will read the address from the interface and transmit this in a "call home" packet. If it matches, the server responds with customer information and the box is activated.

We like this approach because it's easy to access, and usually printed on external labels (FCC requirement?).

Any problems to watch out for? (The hardware in use is small form factor so all NICs, etc. are embedded and would be very hard to change. Customers don't normally have direct access to the OS in any way).

I know Microsoft does some crazy fuzzy-hashing function for Windows activation using PCI device IDs, memory size, etc. But that seems overkill for our needs.

--

@Neall Basically, calling into our server; for purposes of this discussion you could call us the manufacturer.

Neall is correct, we're just using the address as a constant. We will read it and transmit it within another packet (let's say HTTP POST), not depending on getting it somehow from Ethernet frames.

Mark Renouf asked Aug 27 '08 13:08



3 Answers

I don't think that the well-known spoofability of MAC addresses is an issue in this case. I think tweakt is just wanting to use them for initial identification. The device can read its own MAC address, and the installer can (as long as it's printed on a label) read the same number and know, "OK - this is the box that I put at location A."

tweakt - would these boxes be calling into the manufacturer's server, or the server of the company/person using them (or are those the same thing in this case)?

Neall answered Sep 21 '22 23:09


I don't think there's anything magic about what you're doing here - couldn't what you're doing be described as:

"At production we burn a unique number into each of our devices which is both readable by the end user (it's on the label) and accessible to the internal processor. Our users have to enter this number into our website along with their credit-card details, and the box subsequently contacts the website for permission to operate"

"Coincidentally we also use this number as the MAC address for network packets as we have to uniquely assign that during production anyway, so it saved us duplicating this bit of work"

I would say the two obvious hazards are:

  1. People hack around with your device and change this address to one which someone else has already activated. Whether this is likely to happen depends on some relationship between how hard it is and how expensive whatever they get to steal is. You might want to think about how easily they can take a firmware upgrade file and get the code out of it.

  2. Someone uses a combination of firewall/router rules and a bit of custom software to generate a server which replicates the operation of your 'auth server' and grants permission to the device to proceed. You could make this harder with some combination of hashing/PKE as part of the protocol.

As ever, some tedious, expensive one-off hack is largely irrelevant; what you don't want is a class-break which can be distributed over the internet to every thieving dweep.

Will Dean answered Sep 22 '22 23:09
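One way to apply the "hashing" option from the answer above to both hazards it lists, as an added example that is not code from the question or from any answer. It uses HMAC with a per-device key rather than public-key signatures; the function names, the master-key derivation, and the sample MAC and customer id are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; in production the master key never leaves the server.
MASTER_KEY = hashlib.sha256(b"constructed demo master key").digest()
ACTIVATED = {"02:00:00:aa:bb:01": "customer-1001"}  # MACs entered on the web site

def device_key(mac: str) -> bytes:
    """Per-device secret, written to the box at production next to its MAC."""
    return hmac.new(MASTER_KEY, mac.lower().encode(), hashlib.sha256).digest()

def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def device_request(mac: str, key: bytes) -> dict:
    """Call-home body: MAC, fresh nonce, and proof the box holds its own key."""
    mac, nonce = mac.lower(), secrets.token_bytes(16)
    return {"mac": mac, "nonce": nonce, "tag": tag(key, b"req", mac.encode(), nonce)}

def server_respond(req: dict):
    """Return activation data only for a known MAC presented with the right key."""
    mac = req["mac"].lower()
    key = device_key(mac)
    expected = tag(key, b"req", mac.encode(), req["nonce"])
    if not hmac.compare_digest(req["tag"], expected):
        return None  # caller knows a label value but not that box's secret
    customer = ACTIVATED.get(mac)
    if customer is None:
        return None  # nobody has entered this MAC on the activation page yet
    return {"customer": customer,
            "tag": tag(key, b"resp", req["nonce"], customer.encode())}

def device_accept(req: dict, resp, key: bytes) -> bool:
    """Box side: proceed only if the reply is keyed and bound to this nonce."""
    if resp is None:
        return False
    expected = tag(key, b"resp", req["nonce"], resp["customer"].encode())
    return hmac.compare_digest(resp["tag"], expected)

if __name__ == "__main__":
    mac = "02:00:00:aa:bb:01"
    key = device_key(mac)  # read from the box's storage in a real device
    req = device_request(mac, key)
    print("activated:", device_accept(req, server_respond(req), key))
```

Because each box holds only its own derived key, extracting it from one unit does not let a copied MAC or an imitation server work for any other unit.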


The MAC address is as unique as a serial number printed on a manual/sticker.

Microsoft does hashing to prevent MAC address spoofing, and to allow a bit more privacy.

With the MAC-only approach, you can easily match a device to a customer by only being in the same subnet. The hash prevents that, by being opaque to what criteria are used and no way to reverse engineer individual parts.

(see password hashing)

Christopher answered Sep 21 '22 23:09