iceman1001
commented
4 years ago This is an older idea which has been bounced around. It resurfaces every now and then. Your opt-in / opt-out describes accurate some of the issues.
The most important issue is tracking, the community is very privacy concerned. Since there many gov/police/mil/ lock vendors/ pentest/redteam/ users of this project there are a intricate balance to uphold.
Covert entry (mil/police/gov) is generally not interested in a phone home/ share on internet feature because of obvious reasons.
red team/pentesters etc, usually operates under NDAs.
I recently started to add a function to upload, out-in style, to a place. However that would have to be a place which isn't targeted for take downs from said formented organisations.
The benefits of getting keys shared would benefit from same region, since systems usually exist in certain places, ie, gps coordinates or general region labelling.
Ie, say you are in Sweden, you want ideally to test all your own known keys, all known keys in the region, all known keys based on system identifcation, then in the end try all kinds of known keys.
The default list is large as it is, 900 entries takes some time to try all of them. Even if we optimized it.
The autopwn / fchk / chk etc commands should already try found keys against other sectors. The process for a Mifare card is;
- identify it
- chk / fchk
- use darkside / nested / hardnested / according to previous steps or just use autopwn.
Depends on purpose. Speed ?
When it comes to dictionary and interoperability, like MCT app, then that app already has a copy of this dictionary and is regular synced.
Back to sharing keys.
- place to upload against.
- pull latest? upload to github?
- preferbly opt-in. Noone wants phone-home enabled in the Pm3 client be default.
How to maintain the trust of a completly anon uploading/sharing?
mwalker33
Is your feature request related to a problem? Please describe. No way for users to share new keys that are discovered through nested/sniff/bruteforce/offline attacks
Describe the solution you'd like Add functionality to check keys against local dictionary and offer to upload newly found keys so they are available to all
Additional context This should be completely anonymous. Opt-in vs opt-out?
Opt-out provides guaranteed new keys, and generally most usage of pm3 client is by people who are skilled enough to read a document indicating how to opt-out, but introduces issues with keys being uploaded without user consent.
Opt-in ends up with same problem, most users won't share keys because they don't know how, but ensures no unwanted keys are uploaded without user consent.
Is this something that would be useful for the scope of this project? What type of usage does mifare have to make this feature worth it where a different attack may work? Should it be part of the pm3 code-base or a separate external LUA script (and how does an external script tie in with default enabled?)