views: 146
answers: 4

My friend has a company that sells hardware products (like a fingerprint reader) to customers. In each of their machines, they embed an "encryption chip", which is like a dongle (but embedded into their product, not a USB stick): the software on the machine queries certain information from the chip through encryption (both the software and the dongle share the encryption key) to continue execution. This is mainly to prevent piracy (making a copy of the machine and software).

The problem is, these embedded dongles are purchased from third-party security companies. So there are pirates out there who purchase an embedded dongle from the same security company, then use a microscope to read the chip's actual content, and that way they can fairly easily manage to get the encryption key, thus rendering the dongle embedded in the customer's product useless.

To resolve this issue, it seems there are 2 ways:

1) Find a very reputable and professional security company that specializes in embedded dongles and can prevent this kind of very sophisticated "physical hacking"?

2) Use a type of CPU (or any other hardware component) with a unique serial ID that can be read by the software; this way it binds each copy of the software to a unique machine. Similar to how ISPs bind the MAC address of your NIC to their server to prevent multiple PCs using the Internet (but those are easily broken by MAC spoofers that can CHANGE the MAC of a NIC).

Any other suggestions/guidance? Thanks!
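The exchange the question describes (the software sends a challenge, the embedded chip answers using the shared key), simulated below as an added example that is not part of the original question. The key value, the HMAC-based challenge-response and the `Dongle` class are assumptions; the question does not say what the real chip computes. What it shows is that once the key has been read out of one purchased chip, a clone holding that key is indistinguishable from the genuine part, so the check passes for the pirate exactly as it does for the customer.

```python
import hashlib
import hmac
import os

# Constructed example key. In the scheme described in the question the same
# value is burned into the chip and compiled into the software.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class Dongle:
    """Simulated embedded 'encryption chip' (assumed design: keyed challenge-response)."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # what the pirate reads out of a purchased chip under the microscope

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def verify_dongle(dongle: Dongle, software_key: bytes) -> bool:
    """Software side: send a fresh random challenge and check the chip's answer."""
    challenge = os.urandom(16)
    expected = hmac.new(software_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, dongle.respond(challenge))


def run_scenario() -> dict:
    """Genuine chip, a clone built from the extracted key, and a chip with a different key."""
    genuine = Dongle(SHARED_KEY)
    clone = Dongle(SHARED_KEY)          # pirate's copy: same key, therefore same answers
    wrong = Dongle(os.urandom(16))      # a chip that does not know the key is rejected
    return {
        "genuine": verify_dongle(genuine, SHARED_KEY),
        "clone": verify_dongle(clone, SHARED_KEY),
        "wrong_key": verify_dongle(wrong, SHARED_KEY),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Because the software holds the same key, the key can also be lifted from the software binary with a disassembler, so the microscope is not even required. A chip that instead holds its own private key and returns a signature the software verifies with a public key would stop the clone-from-one-chip attack, but it still leaves the problem the answers describe: the verification code itself can be patched to skip the check.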

+10  A: 

Rule 1: Piracy cannot be prevented. There are no technical means possible that magically allow some person to use the product and some person not to use the product.

It's impossible to tell valid people from invalid people. They're all people. They always seem to know the passwords, have the dongles, be running on the approved CPU, have the right IP address, have the right shoe size.

Even fingerprints can be spoofed (watch MythBusters for proof).

This is a matter of trust, not technology. How does a machine know whom to trust?

In fact, it cannot know whom to trust. Only a person establishes a trusting relationship with another person.

Machines are just machines. Any time you allow one person to use the machine, another person can (and eventually will) gain access.

S.Lott
+1: for all the years I've done reverse-engineering (some time ago now but still), I can corroborate these facts. It's an "arms race" and the race is paced as a function of the amount of money$$$ involved.
jldupont
+3  A: 

Here is a very good DRM article:

http://www.authorama.com/microsoft-research-drm-talk-2.html

In DRM, the attacker is also the recipient. It’s not Alice and Bob and Carol, it’s just Alice and Bob. Alice sells Bob a DVD. She sells Bob a DVD player. The DVD has a movie on it – say, Pirates of the Caribbean – and it’s enciphered with an algorithm called CSS – Content Scrambling System. The DVD player has a CSS un-scrambler.

Now, let’s take stock of what’s a secret here: the cipher is well-known. The ciphertext is most assuredly in enemy hands, arrr. So what? As long as the key is secret from the attacker, we’re golden.

But there’s the rub. Alice wants Bob to buy Pirates of the Caribbean from her. Bob will only buy Pirates of the Caribbean if he can descramble the CSS-encrypted VOB – video object – on his DVD player. Otherwise, the disc is only useful to Bob as a drinks-coaster. So Alice has to provide Bob – the attacker – with the key, the cipher and the ciphertext.

Hilarity ensues.

Just about the only way to limit piracy of your software is to obfuscate the activation/registration algorithm as much as possible. Here is how the big boys do it:

http://en.wikibooks.org/wiki/X86_Disassembly/Code_Obfuscation

Igor Zevaka
+3  A: 

I've worked on a number of products with software and hardware measures to try to block piracy. Ultimately, you can't block pirates, because if they can't spoof the "key" they can just hack your code to skip the check for the key -- even if your code is compiled.

What you do achieve by using stronger anti-piracy measures is to inconvenience all your law-abiding customers and make it hard to use your product.

The best anti-piracy solution I know is to make a product whose value is access that the software gives to data or services not installed on the customer's machine. For instance, a license on an internet site that you control, so you can monitor customers' use of their license and disable it if you detect them trying to use their license illicitly.

Bill Karwin
+1 Before people start decrying hacking to skip the check as impractical, that's exactly what all those No-CD cracks are.
Theran
True. This is why World of Warcraft creates sales en masse. No one can play this game without the monthly fee, because the game is on a server on the Internet. A very good solution to this problem.
Turing Complete
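A minimal version of the vendor-controlled license service Bill Karwin describes (and that the World of Warcraft comment alludes to), added here as an example and not code from the answer or the comments. The license keys, seat counts, the one-hour window, the self-reported machine identifier and the "disable on the first over-use" policy are all assumptions; a real service would key on something harder to forge than a string the client sends and would usually alert a human before cutting a customer off.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class License:
    key: str
    seats: int                 # distinct machines allowed inside one window
    window: float = 3600.0     # seconds a check-in stays counted (assumed policy)
    disabled: bool = False
    last_seen: Dict[str, float] = field(default_factory=dict)   # machine_id -> last check-in
    incidents: List[tuple] = field(default_factory=list)        # evidence kept for the vendor


class LicenseServer:
    """Vendor-side service: the product only keeps working while check() says 'ok'."""

    def __init__(self) -> None:
        self._licenses: Dict[str, License] = {}

    def issue(self, key: str, seats: int, window: float = 3600.0) -> None:
        self._licenses[key] = License(key=key, seats=seats, window=window)

    def check(self, key: str, machine_id: str, now: Optional[float] = None) -> str:
        """Called by the product at start-up; returns 'ok', 'unknown' or 'disabled'."""
        now = time.time() if now is None else now
        lic = self._licenses.get(key)
        if lic is None:
            return "unknown"
        if lic.disabled:
            return "disabled"
        # Forget machines that have not checked in within the window.
        lic.last_seen = {m: t for m, t in lic.last_seen.items() if now - t < lic.window}
        lic.last_seen[machine_id] = now
        if len(lic.last_seen) > lic.seats:
            # More machines than seats inside one window: the key is being shared.
            lic.incidents.append((now, sorted(lic.last_seen)))
            lic.disabled = True
            return "disabled"
        return "ok"

    def incidents(self, key: str) -> List[tuple]:
        """What the vendor sees when deciding whether the disable was justified."""
        return list(self._licenses[key].incidents)


if __name__ == "__main__":
    srv = LicenseServer()
    srv.issue("ABC-123", seats=2)
    for machine in ("desk-1", "desk-2", "pirate-box", "desk-1"):
        print(machine, srv.check("ABC-123", machine))
    print(srv.incidents("ABC-123"))
```

The check runs on a machine the vendor controls, which is the whole point: nothing in the shipped product can be patched to make `check()` return "ok", because that code is not shipped. What the client can still do is report a false machine identifier, which is why the window-based seat count above is a heuristic for spotting sharing rather than a hard guarantee.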
+2  A: 

DRM is bad for your customers and bad for you, and in the end, if your product is good enough, the pirates are going to get it.

So, if you can't win, why not join them?

Stop DRM. Watermark all copies individually and record who you sell what to. Don't tell them you did. Give them a license key.

Wait until the pirates start their operation.

Check the pirated copies, sue the company(ies) selling or leaking the code to the pirates for big cash. Unlike individuals, if they sold it, they must keep a record.

jbcreix
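One way to do the per-copy watermarking jbcreix suggests, added as an example that is not part of the answer. The toy "binary", the three padding slots that carry the mark, the vendor secret and the sales ledger are all constructed for the example. Two details a practitioner would want: the mark is keyed with an HMAC, so a pirate who finds it cannot rewrite it to point at another customer, and it is stored redundantly, so erasing one copy of it is not enough to make the leaked image anonymous.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, Optional

SLOT_LEN = 8                    # 2-byte copy id + 6-byte keyed tag
SLOT_OFFSETS = (32, 96, 160)    # constructed: padding regions inside the toy binary
WATERMARK_SECRET = b"vendor-only-secret-never-shipped"   # constructed; stays with the vendor


def build_master() -> bytes:
    """Constructed stand-in for the unmarked product image (filler plus zeroed slots)."""
    buf = bytearray(b"\x90" * 224)
    for off in SLOT_OFFSETS:
        buf[off:off + SLOT_LEN] = bytes(SLOT_LEN)
    return bytes(buf)


def _tag(copy_id: int) -> bytes:
    """Keyed tag over the copy id; without WATERMARK_SECRET nobody can mint a valid one."""
    msg = copy_id.to_bytes(2, "big")
    return hmac.new(WATERMARK_SECRET, msg, hashlib.sha256).digest()[: SLOT_LEN - 2]


def watermark(master: bytes, copy_id: int) -> bytes:
    """Write (copy_id, tag) into every slot so that one erased slot does not destroy the mark."""
    buf = bytearray(master)
    payload = copy_id.to_bytes(2, "big") + _tag(copy_id)
    for off in SLOT_OFFSETS:
        buf[off:off + SLOT_LEN] = payload
    return bytes(buf)


def identify(copy: bytes) -> Optional[int]:
    """Recover the copy id from a leaked image; slots whose tag does not verify are ignored."""
    votes: Counter = Counter()
    for off in SLOT_OFFSETS:
        slot = copy[off:off + SLOT_LEN]
        cid = int.from_bytes(slot[:2], "big")
        if hmac.compare_digest(slot[2:], _tag(cid)):
            votes[cid] += 1
    if not votes:
        return None
    return votes.most_common(1)[0][0]


def who_leaked(ledger: Dict[int, str], leaked: bytes) -> Optional[str]:
    """Map a recovered copy id back to the customer the ledger says it was sold to."""
    cid = identify(leaked)
    return None if cid is None else ledger.get(cid)


def run_scenario() -> dict:
    master = build_master()
    ledger = {7: "Acme Ltd", 9: "Globex Corp"}        # constructed sales records
    acme_copy = watermark(master, 7)

    # Pirate zeroes one slot: the remaining two still identify the copy.
    tampered = bytearray(acme_copy)
    tampered[SLOT_OFFSETS[0]:SLOT_OFFSETS[0] + SLOT_LEN] = bytes(SLOT_LEN)

    # Pirate rewrites every slot to blame Globex but cannot produce a valid tag.
    framed = bytearray(acme_copy)
    for off in SLOT_OFFSETS:
        framed[off:off + SLOT_LEN] = (9).to_bytes(2, "big") + b"\xff" * (SLOT_LEN - 2)

    return {
        "intact": who_leaked(ledger, acme_copy),
        "tampered": who_leaked(ledger, bytes(tampered)),
        "framed": who_leaked(ledger, bytes(framed)),
        "unmarked": who_leaked(ledger, master),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Fixed-offset slots are the simplest possible carrier and are easy for a determined pirate to locate by diffing two purchased copies; in practice the bits are spread through choices that change the program without changing its behaviour (instruction ordering, register allocation, equivalent constants), but the keyed-and-redundant structure shown here is what makes the recovered mark usable as evidence rather than as a hint.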