Subscriber Discussion

Do Any Cameras Allow MAC Spoofing?

Undisclosed #1
Oct 08, 2016
IPVMU Certified

As in thru the GUI.

Wouldn't this pose a problem for VMSes who license by MAC?

John Honovich
Oct 08, 2016
IPVM

Why would a camera legitimately want / include MAC spoofing?

I have never heard of cameras doing that but also I have never checked.

Horace Lasell
Oct 08, 2016

You've proposed an interesting thought experiment.

Suppose you had two cameras using the same MAC address, with both using the same DHCP lease. One possible outcome might be that the VMS would just accept the interleaved packets. How could that video be useable? Wouldn't the two cameras' P and B frames be interleaved and unrelated?

(1)
Undisclosed #1
Oct 08, 2016
IPVMU Certified

To begin with, I'm not sure how the switch would react to frames originating from different physical ports with the same source MAC, but that's not the use I'm talking about.

So, in the worst case, someone could buy a copy of ONSSI/Milestone etc, and buy 16 legit licenses and register them to 16 MAC addresses.

Then one could copy the system image on to another PC, which is part of a different unrelated system, or even sell the image on the internet with the instructions to use cameras that allow MAC spoofing and change them to what the image requires.

Maybe this wouldn't work, and I'm not advocating it certainly, just researching it.

(1)
Undisclosed #1
Oct 08, 2016
IPVMU Certified

"Why would a camera legitimately want / include MAC spoofing?"

Do you consider the reasons home routers allow it legitimate? Usually it's called MAC cloning, and lets you take your PC's MAC address or type one in.

Regardless, a not so scrupulous mfr of cameras (if any exist), might include it to let people circumvent licensing. So, money is the reason in that case.

It's not like it's any technical feat (you can do it thru telnet/root), and I don't think people wouldn't buy it because it was included. VMSes might not write direct drivers for such cameras/mfrs, but I'm thinking about cameras that are typically ignored anyway, and can use ONVIF.

Also, maybe there is some technical reason it couldn't be used to get around licensing as well.

Brian Karas
Oct 08, 2016
IPVM

Home routers allow it to make setup easier (clone your PC's MAC address into the router for cases where the MAC is tied to the cable modem).

It's funny you bring this up, I had the same thought about VMS license stuff. How does Video Insight "know" a camera is from Panasonic, and does not need a license? I'm guessing it might be more of an API thing than just MAC though. Would make it easier to include other cameras in the future and/or switch OEMs (for OEM'd product) when desired.

For legit use cases the only thing I can think of is to help when swapping out a failed camera that has a license tied to it. And because not all VMSes handle licenses that way, this would be a VERY niche thing, not making it worth the engineering effort to implement (however simple it may be to do so).

(1)
Undisclosed #1
Oct 08, 2016
IPVMU Certified

It can make home router setup easier, but the reason for it being included was to allow you to side-step early ISP restrictions of single computer usage.

So maybe not so legit.

Eddie Perry
Oct 08, 2016

For Panasonic and Video Insight, if I remember correctly, they use SNMP to get the model and serial number and check against that.

I can't see spoofing a MAC at the camera level though... only a handful of cameras I can think of that have the hardware to attempt that, not to mention I doubt it would be able to do much else.

Undisclosed #1
Oct 08, 2016
IPVMU Certified

"only a handful of cameras I can think of that have the hardware to attempt that, not to mention I doubt it would be able to do much else."

Here's an attempt:

Josh Hendricks
Oct 09, 2016
Milestone Systems

I'm not aware of any cameras that have this as a documented feature. Though I have heard of folks using hex editors on firmware to force a specific MAC, but this is extremely rare as far as I know.

Our current licensing model uses some of the read-only system information as an identifier so if someone were to do this with XProtect Professional for example, we would see multiple registrations of the same MAC address across different sites and this would eventually raise a red flag.

In XProtect Express, the license is locked to the server and not individual cameras, so spoofing MAC addresses doesn't matter. You can chop and change cameras all you want. But if XProtect Express is installed in a virtual environment, it falls back on the MAC-based license model to prevent cloning of the VM as a way around licensing.

(2)
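The cross-site check described in the post above, sketched as an added example (not part of the thread and not Milestone's code). It assumes the licensing back end can list (site, camera MAC) registrations; the record layout, function names and sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records: (site_id, camera_mac). Hypothetical layout,
# not taken from any vendor's licensing system.
REGISTRATIONS = [
    ("site-A", "00:11:22:AA:BB:01"),
    ("site-A", "00:11:22:AA:BB:02"),
    ("site-B", "00-11-22-aa-bb-01"),   # same MAC as site-A, other notation
    ("site-C", "0011.22aa.bb01"),      # same MAC again, dotted notation
    ("site-C", "02:00:00:00:00:10"),   # locally administered address
    ("site-A", "00:11:22:AA:BB:02"),   # re-registration on the same site
    ("site-D", "not-a-mac"),
]

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks an address not assigned by the vendor."""
    return bool(int(mac[:2], 16) & 0x02)

def review_registrations(records):
    """Group registrations by MAC and report the ones worth a manual look."""
    sites_by_mac = defaultdict(set)
    findings = {"multi_site": {}, "locally_administered": [], "malformed": []}
    for site, raw in records:
        mac = normalize_mac(raw)
        if mac is None:
            findings["malformed"].append((site, raw))
            continue
        sites_by_mac[mac].add(site)
    for mac, sites in sorted(sites_by_mac.items()):
        if len(sites) > 1:          # same MAC registered at more than one site
            findings["multi_site"][mac] = sorted(sites)
        if is_locally_administered(mac):
            findings["locally_administered"].append(mac)
    return findings

if __name__ == "__main__":
    for kind, items in review_registrations(REGISTRATIONS).items():
        print(kind, items)
```

Normalizing notation before grouping matters here: the same address written with colons, hyphens or dots would otherwise count as three different cameras and the duplicate would go unnoticed.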
Undisclosed #1
Oct 09, 2016
IPVMU Certified

"Our current licensing model uses some of the read-only system information as an identifier so if someone were to do this with XProtect Professional for example, we would see multiple registrations of the same MAC address across different sites and this would eventually raise a red flag."

Does Milestone not allow offline licensing using keys?

Josh Hendricks
Oct 09, 2016
Milestone Systems

We do have an offline activation process, but we did away with manually handling Device License Keys years ago. The process now is to export a license request file from the server, upload it via the Software Registration portal, and an activated license is emailed back to you. Import that activated license file which effectively contains the device license keys, and the system is licensed.

There is a 30-day grace period between when the devices are added, and when they need to be activated, so if you need to book a site visit a couple weeks later to come back and import the license file you can do so.

(2)
Undisclosed #1
Oct 09, 2016
IPVMU Certified

And those activated licenses will not import even on a cloned server?

Josh Hendricks
Oct 10, 2016
Milestone Systems

The initial license file will import on any server (the license file received after purchase), but you need to activate the license/server in order to get the devices to be licensed instead of running in 30 day grace.

The license request file exported from the server is encrypted/signed and contains a hardware signature for the server. I don't know what all pieces of information are used to produce the hardware signature but I know it would be very difficult to import the same activated license file on two different servers even if they are cloned and the camera MACs were spoofed.

However... where there is a will there is a way. No licensing system is bulletproof.

(3)
Undisclosed #1
Oct 10, 2016
IPVMU Certified

"...but I know it would be very difficult to import the same activated license file on two different servers even if they are cloned and the camera MACs were spoofed."

One question, if you now have a system that restricts the VMS software to only one server, why have the MAC licensing at all?

Why not just sell a 16 channel, any MAC license?

Josh Hendricks
Oct 10, 2016
Milestone Systems

"...if you now have a system that restricts the VMS software to only one server, why have the MAC licensing at all?"

That's what we do for the single-server products (XProtect Essential and XProtect Express). The server itself is licensed and the license cannot be activated again on different hardware without first requesting a license reset. Cameras can be swapped out without re-activation.

But in the event XProtect Essential or XProtect Express are installed on a VM, it is too easy to clone the VM so we activate based on both server hardware and device MAC addresses.

In XProtect Professional and up which are all multi-server products, we activate based on both the server hardware and MAC address, but we do not limit the number of physical servers the software can be activated on.

(3)
Undisclosed #1
Oct 10, 2016
IPVMU Certified

"In XProtect Professional and up which are all multi-server products, we activate based on both the server hardware and MAC address, but we do not limit the number of physical servers the software can be activated on."

Ok, I think I understand what you are saying. That's why you said "it would eventually raise red flags", meaning that it would allow you to activate multiple servers but then it would look weird to someone later, who would investigate.

Thanks for your detailed explanations!

Josh Hendricks
Oct 10, 2016
Milestone Systems

No problem U1!

Keep me posted on your license cracking efforts ;)

(I'm just joking by the way)

John Honovich
Oct 10, 2016
IPVM

"Keep me posted on your license cracking efforts ;)

(I'm just joking by the way)"

Unfortunately, he's not joking! ;)

Joshua, thanks for the explanation, 1 has mostly an academic interest but your explanations are helpful generally!

Undisclosed #1
Oct 10, 2016
IPVMU Certified

Yes, mostly academic.

;)

(1)
Josh Hendricks
Oct 10, 2016
Milestone Systems

@John - I can see why you would think I wasn't joking as an employee of Milestone but, respectfully, I'd rather not have words put in my mouth.

I understand the academic nature of U1's questions and I thought this was an interesting thread. The more people with an interest in low level details like this the better. If I was actually concerned about him/her attempting to crack our licensing I wouldn't have posted anything at all. License schemes can sometimes be complicated, and by posting my explanations I hope in some small way it makes our customers'/partners' lives easier.

My last comment was simply an attempt at humor fallen flat, recognizing the dichotomy of the thread as it could be seen as academic in both a white hat and black hat perspective. But to reinforce my point, if I was in any way concerned the intentions were even a shade of gray I wouldn't have commented at all.

Cheers,

Josh

Undisclosed #1
Oct 10, 2016
IPVMU Certified

lol. He meant me. As in U1 is not joking.

John Honovich
Oct 10, 2016
IPVM

"you would think I wasn't joking as an employee of Milestone but, respectfully, I'd rather not have words put in my mouth."

What? What words do you think I've put in your mouth? I am genuinely confused.

Josh Hendricks
Oct 11, 2016
Milestone Systems

When you said "he's not joking", I took it to mean that I was not joking and you meant I was essentially accusing someone of attempting to bypass licensing schemes rather than asking questions academically. A simple misunderstanding :)

Undisclosed End User #2
Oct 09, 2016

Pretty sure it will work, if you duplicate the setup on an independent network - pretty sure it will fail, if you're trying to duplicate the system in the same network - switches don't like to have the same MAC on two (or more) different ports... ;)

(1)