We are considering using the vendor and product ID of a USB device (obtained via IOKit) to unlock certain features of an application. I'm aware that these values can be spoofed, but I'm not sure how easily it can be done on OSX. What is involved in spoofing the vendor and product ID? Is it something that a non-programmer can do fairly easily?
I suspect it would be fairly easy (for a programmer) to create a kext that creates a reasonably realistic IOUSBDevice object in kernel space. However, once done anyone would be able to load it.
It may also be possible to build a codeless kext using AppleUSBMergeNub to masquerade a device as another (though I haven't tested this, it looks like it might work, assuming you only try to match the IOUSBDevice without actually using it).
It would probably be easier to just hijack your API calls in userspace and give your software the answers it expects.