Years ago (2005), I was contracted to create a solution similar to these. The method that I used was simply to route all outgoing traffic to the device itself. Running a webserver on the device, I provided a page that would request a code. Submission of an appropriate code would trigger a CGI to add a rule to the top of the firewall allowing the submitter to jump the reroute rule. The rule added would include the submitter's MAC address so the IP was unimportant. After a configured amount of time, the system would expire old MACs and remove the associated rules. This meant that to continue use of the system, you had to submit a new code which would re-add you. Since the system expired MACs from a timestamped list counting only newest entries, a side-effect was that you could 'refresh' your time with every code submission. The time did NOT stack, so I didn't have to worry about someone purchasing 3 items separately at a location and obtaining 3 codes to use successively which would allow them 72 hours of continuous usage. Again, the aforementioned method did NOT work, so the shop owner was secured from such an attempt.
The only way to 'bypass' the firewall was to spoof one's MAC address to that of another existing user. The problem with this method, however, is that the other user had to have active time left and that means potential traffic confusion if the target is still there. However, if they are not there and they still have active time before expiration, then spoofing their MAC would work. Of course, once that rule was expired, another purchase would need to be made OR another target MAC would have to be spoofed. This could result in a very unstable connection, particularly if the router's configured expire time was 1 hour or less.
Overall, the system that I came up with was extremely simple and I only later discovered its elegance. Because it is so simple, the same concept is easily reproduced on many, many different devices of similar purpose.
It should also be mentioned that commercially-supported devices often need maintenance. As such, a commercial entity *may* decide to provide a bypass rule which matches a specific set of MAC addresses. Because MAC addresses are generated per-device, the first few octets represent the producing company, model, series, etc. As such, a maintenance device could match a half-open MAC rule which would define a required model, but leave the specific NIC ID as a wildcard. Doing so would permit any maintenance personnel with an appropriately supplied device use of the system for free. Thus, a hacker *could* feasibly spoof a MAC address that matches a maintenance ID and may find a loophole through the system. This is only a possibility, not a definitive approach.
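The expiry behaviour described in the first paragraph (a timestamped MAC list where only the newest entry counts, so a new code refreshes the time and never stacks it), as an added example that is not the author's original code. The iptables rule shape, its placement in the nat PREROUTING chain, and the names `LeaseTable` and `allow_rule` are assumptions; the commands are returned as argument lists for the caller to run, never as a shell string.

```python
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def allow_rule(op, mac):
    # Assumed rule shape: an ACCEPT at the top of nat/PREROUTING lets this MAC
    # skip the redirect-to-portal rule that sits below it.
    pos = ["1"] if op == "-I" else []
    return ["iptables", "-t", "nat", op, "PREROUTING", *pos,
            "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]


class LeaseTable:
    """Timestamped MAC list in which only the newest entry per MAC counts."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.granted = {}  # mac -> time the most recent code was accepted

    @staticmethod
    def _norm(mac):
        # Validate strictly: this value ends up in a firewall command.
        mac = mac.strip().lower().replace("-", ":")
        if not MAC_RE.match(mac):
            raise ValueError("not a MAC address: %r" % mac)
        return mac

    def submit_code(self, mac, now):
        """Record an accepted code; return the firewall commands to run."""
        mac = self._norm(mac)
        is_new = mac not in self.granted
        self.granted[mac] = now  # overwrite, so time refreshes but never stacks
        return [allow_rule("-I", mac)] if is_new else []

    def expires_at(self, mac):
        return self.granted[self._norm(mac)] + self.ttl

    def expire(self, now):
        """Drop MACs whose newest entry has aged out; return delete commands."""
        dead = sorted(m for m, t in self.granted.items() if now - t >= self.ttl)
        for m in dead:
            del self.granted[m]
        return [allow_rule("-D", m) for m in dead]
```

With a 24-hour TTL, three codes submitted in quick succession leave the expiry at 24 hours after the last one rather than 72 hours after the first.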