2

I am testing a USB security dongle that is for licensing a software. I found that it is possible to share a USB dongle via these ways:
1)over network(via many free and commercial softwares)
2)using VMWare sessions
3)Using a USB HUB hardware

so that an end user can buy one dongle and use it for many computers.(however as I found there is no way to share and use dongle simultaneously, and he must switch between computers.please tell me if I am wrong )
The main question is:

Is there any solution to prevent a USB dongle from sharing over network,VmWare or HUB switches?
assume that we are the producer and we can change the hardware,software and the driver of usb dongle

JackB
  • 43
  • 1
  • 5
  • You write: "however as I found there is no way to share and use dongle **simultaneously**, and he must switch between computers". Isn't it the genuine task of a dongle to allow non-simultaneous usage? – Hartmut Pfitzinger Nov 13 '16 at 10:26

1 Answers1

1

I think at least theoretically it would be possible to create a USB device that maintains state, resetting it when plugged in and maintaining it whatever happens until getting disconnected. There would also be some cryptography involved to make it reasonably secure (the state would need to be unpredictable to prevent sharing), but with driver support, you could achieve a USB dongle that cannot be used simultaneously by multiple computers.

Talking about non-simultaneous use, I'm fairly confident it's impossible. Any identifier your device receives or retrieves from the computer could be forged, if not else then by a modified version of your driver. Any secret the USB dongle and the computer would share could be accessed by a user and copied to another computer, etc.

But the question is not really this I think.

You are already investing a lot of resources (money) into making your application depend on a USB dongle (which by the way will affect user experience as well, but that's a completely different story). Is the value you are trying to protect really so much that it's worth this effort?

Any defense should be proportionate to the risk. If you can make it hard enough for an attacker to get around your protections, that is probably good enough already. So the question you have to answer is how the current protection relates to the risk of some users being able to use your application on multiple computers, even if your license does not allow this. Most businesses would not do that.

Also keep in mind that what you are protecting is just software. You can produce a USB device, invest a lot of money and make it as secure as possible, but the check sent to the device in your application is just code given to your endusers. With a reasonably good dongle, it will be much easier to just remove the check from your application. Just look back at previous attempts of either the gaming industry or business applications - there is always a crack eventually, be the protection hardware based or else.

So the bottomline is, you just can't protect anything given to your endusers.

Gabor Lengyel
  • 14,129
  • 4
  • 32
  • 59