0

I have a software client that I am selling to a very niche market. I am offering a 30-day free trial and I wanted to make sure that people who haven't purchased a product activation key would not be able to use the software after 30 days from their first time using it. I looked around and saw that people were recommending using the MAC address of the machine's first NIC card as a unique identifier of the machine.

I sold about a dozen copies of the software and all was working fine. Then this past week, two new buyers have been having problems. When the software checks with my website, it also deposits log files that tell me that the MAC address changed between sessions for these two clients.

For one machine, it changed once after the first session. For another, it seems to change every 3 or 4 times my software is invoked.

I now see articles on the net about being able to spoof the MAC address. Is it possible that their firewall or other security settings are changing this MAC address? I am using the following C# code to retrieve the MAC address, is this maybe giving me something I wasn't expecting?

    NetworkInterface.GetAllNetworkInterfaces()[0].GetPhysicalAddress().ToString()

I just noticed that both of these clients are located in Canada. Don't know if that matters, it does seem quite a coincidence, though...

The one client is not running VMWare. Her machine is running "Trend Micro" security, if that matters...hhhmmm...

Chuck
  • Do they run it on real hardware? – zerkms Jan 25 '15 at 22:03
  • MAC address can be changed on both Windows and Linux – Mustafa Chelik Jan 25 '15 at 22:03
  • If they change their MAC address it's quite strange since servers usually (!) get static IP leases (which are bound to the MAC address). – jAC Jan 25 '15 at 22:04
  • You should rely on something that can not be changed, like CPU-Id – Mustafa Chelik Jan 25 '15 at 22:04
  • For your info [How to detect the original MAC address after it has been spoofed?](http://stackoverflow.com/questions/9546228/how-to-detect-the-original-mac-address-after-it-has-been-spoofed/9546552#9546552) – Steve Jan 25 '15 at 22:05
  • or use a license file which validates only on App name+ver (maybe a GUID) + signature of elements from the PC. Windows Serial, Win Activation Code, CPU ID, UUID, Bios version are all decent candidates. – Ňɏssa Pøngjǣrdenlarp Jan 25 '15 at 22:18
  • OK, lots of good thoughts here. I've only found out today that the MAC address can be spoofed. I thought CPU IDs were not guaranteed to be unique. I like the idea of the Windows Serial Number, wish I had known about this MAC issue before I deployed. – Chuck Jan 25 '15 at 22:30

2 Answers

0

It might be a Virtual Machine:

Maintaining the MAC Address of a Virtual Machine (VMWare-specific)

If they are using VMs, then clearly they would have to take these steps on their side to be able to use your software.

Also, it could just be that they're ripping you off. :D When logging the MAC address on your weblog, it might also be good to log some other simple properties of that computer to rule that possibility out (or at least make it less likely).

Keep in mind, if they configure a single VM, and copy it around to colleagues, the link to the VMWare site indicates that this would result in distinct MAC addresses ... if this is not a business model you wish to support, you'd have to take this use case into account.

John Castleman
  • I emailed the user and asked if they are running this. – Chuck Jan 25 '15 at 22:25
  • That's good, but going forward, you should probably account for virtualization in your security strategy ... it's not going away any time soon. – John Castleman Jan 25 '15 at 22:30
  • They aren't running a VM. – Chuck Jan 26 '15 at 19:08
  • Regarding the 'ripping off' comment, I put into my software a form that allows them to de-activate the software on one machine, so that it can be activated again on another machine. My gateway still enforces the concept that a given activation key can only be active on one machine at a time. This was to prevent someone from sending out their PIN and 'ripping me off'. Since they have the ability to move from machine to machine, the problem they are reporting is moot, since they are allowed to do that. (I had that scenario planned from the start...) Thanks! – Chuck Jan 26 '15 at 19:12
  • @Chuck sorry I couldn't be of more help - the VM thing is pretty much all I had. – John Castleman Jan 26 '15 at 19:19
  • Fair enough. Many of my users are (pardon the expression) little old ladies, so I don't expect too many sophisticated set-ups. Still, it's possible I'll get someone with such a set-up, so at least I'll know to ask about this. Thanks! – Chuck Jan 26 '15 at 19:26
-1

I used the technique from Reliable method to get machine's MAC address in C# to come up with a list of the devices on my machine.

        Status  NetworkInterfaceType    Speed       GetPhysicalAddress()    Description
    0   Down    Wireless80211           0           XXXXXXXXXXXX            Realtek RTL8188CUS Wireless LAN 802.11n USB Slim Solo
    1   Down    Wireless80211           0           XXXXXXXXXXXX            Microsoft Wi-Fi Direct Virtual Adapter
    2   Up      Ethernet                100000000   XXXXXXXXXXXX            Realtek PCIe GBE Family Controller
    3   Down    Ethernet                3000000     XXXXXXXXXXXX            Bluetooth Device (Personal Area Network)
    4   Up      Loopback                            XXXXXXXXXXXX            Software Loopback Interface 1
    5   Up      Tunnel                  100000      00000000000000E0        Microsoft Teredo Tunneling Adapter
    6   Down    Tunnel                  100000      00000000000000E0        Microsoft ISATAP Adapter

The problem is that I was always taking the first item in the list. Networks with Blackberry VPNs (and probably other things, including VMs) insert new devices wherever they see fit, including the beginning of the list. For them, the order of the list changes a great deal.

So my resolution is to have my client send every Physical Address on the list in a pipe-separated field. The server will store one address, but will look against each item sent to it. If any match, then the client may start up.

This leaves one problem: how do I know at the time I register that I'm picking an address that will stay on the list (rather than one associated with a mobile unit that will likely walk away)? I thought about storing the whole list on the server, but that gets complicated quickly. Instead, I'll store the first active one on the server (the first time it logs in). Then I'll monitor who is getting denied and update their address, try to catch patterns, then maybe see if I can code a self-healing solution. The trick is doing so without negating all of the checks I've put in.

Chuck
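
The scheme described in the answer above, sketched as an added example that is not part of the original post: the client sends every hardware-like adapter address in one pipe-separated field, independent of enumeration order, and the server accepts if the stored address appears anywhere in it. The names `MachineFingerprint`, `CollectAddresses` and `Matches` are hypothetical, and the sample addresses in `Main` are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.NetworkInformation;

static class MachineFingerprint   // hypothetical helper, not the poster's code
{
    // Client side: collect all 6-byte adapter addresses, skipping loopback and
    // tunnel pseudo-adapters, sorted so that enumeration order does not matter.
    public static string CollectAddresses()
    {
        var addrs = NetworkInterface.GetAllNetworkInterfaces()
            .Where(n => n.NetworkInterfaceType != NetworkInterfaceType.Loopback
                     && n.NetworkInterfaceType != NetworkInterfaceType.Tunnel)
            .Select(n => n.GetPhysicalAddress().ToString())
            .Where(a => a.Length == 12 && a != "000000000000")
            .Distinct()
            .OrderBy(a => a, StringComparer.Ordinal);
        return string.Join("|", addrs);
    }

    // Server side: the one stored address may appear anywhere in the list.
    public static bool Matches(string storedAddress, string pipeSeparated)
    {
        if (string.IsNullOrEmpty(storedAddress) || string.IsNullOrEmpty(pipeSeparated))
            return false;
        var sent = new HashSet<string>(pipeSeparated.Split('|'),
                                       StringComparer.OrdinalIgnoreCase);
        return sent.Contains(storedAddress);
    }
}

static class Program
{
    static void Main()
    {
        Console.WriteLine("This machine: " + MachineFingerprint.CollectAddresses());

        // Constructed sample data: a VPN adapter appears at index 0 between sessions.
        string stored = "001122334455";
        string firstSession = "001122334455|66778899AABB";
        string laterSession = "0A0000000001|001122334455|66778899AABB";
        string otherMachine = "0A0000000002|CCDDEEFF0011";

        Console.WriteLine(MachineFingerprint.Matches(stored, firstSession));
        Console.WriteLine(MachineFingerprint.Matches(stored, laterSession));
        Console.WriteLine(MachineFingerprint.Matches(stored, otherMachine));
    }
}
```

Because MAC addresses can be changed in software, as the comments on the question point out, a match here identifies a machine only loosely; the server-side activation key check remains the actual control.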