Kangji automatic water vending machine stored-value card: arbitrary modification of balance

Source: Internet
Author: User

A design vulnerability exists in the stored-value card of the Kangji water vending machine. The sector encryption is simple, the stored-value amount is stored in plain form, and because there is no reconciliation mechanism the card is easy to tamper with.

According to a dump of the card data, only the first block of sectors 2 and 3 is used. The access keys for these sectors follow a one-card-one-key scheme, and the two sectors share the same keys. The default key for the other, unused sectors is FF. One of the vulnerabilities is that the KeyA of the encrypted sectors is derived from the card UID by a simple algorithm, while KeyB is a simple 00 00 00 00. Knowing this KeyB is sufficient to modify the card balance, because it allows everything except issuing a card.

The data is analyzed as follows. The first block of the second sector is C0 D1 D2 06 06 00 00 00 00 00 00 00 00 00 00 00 00. After analyzing multiple cards, we find that this data is a fixed value. Some users have reported that the company's water vending machines cannot be used with water cards sold by different agents, so this data is suspected to be the agent code.

The first block of the third sector is 0X0X0X0X0X00 00 00 00 00 00 00 00 00 00, where each X is a digit from 0 to 9, six digits in total, in units of fen (0.01 yuan). This block holds the stored balance and is not encrypted. If the card balance is 123.45 yuan, the data will be 00 01 02 03 04 05 00 00 00 00 00 00 00 00 00 00 00.

Next, the one-card-one-key algorithm of the card. The algorithm is very simple. Take a card with UID 9E FC 41 6E, KeyA 7B 1D D8 AB 1A 49, KeyB 00 00 00 00 00. The first four bytes of the key are computed in the same way: each byte of the UID is subtracted from 0x119, and the result is taken modulo 0x100. For example, the first byte of the key is 0x7B = (0x119 - 0x9E) % 0x100. The fifth byte is fixed at 0x1A. The sixth byte is the sum of the four UID bytes modulo 0x100, for example 0x49 = (0x9E + 0xFC + 0x41 + 0x6E) % 0x100. Once the one-card-one-key algorithm is known, any MF1K or MF4K card can be used to issue a card.

Solution:

1. Use a more advanced encryption method for the stored-value sector instead of this simple, reversible one.
2. Protect the stored-value data with an anti-tampering verification value (MAC), using random data generated from the card UID and the transaction time. Once a transaction ends, the resulting balance and the verification value calculated for it are bound to each other to prevent tampering.
3. Use a CPU card. The upgrade cost is high; in fact, with sound logic the same security level can be reached without a CPU card.
4. Use a reconciliation mechanism to prevent tampering. The upgrade cost is high, so it can be considered for later models.
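
One way to implement the verification value from item 2, as an added example that is not the vendor's code. The HMAC-SHA-256 construction, the reader-side master key, the 6 + 4 + 6 byte block layout and all function names are assumptions made for illustration; only the balance digit encoding and the sample UID come from the text above.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the example (not from a real deployment).
MASTER_KEY = bytes(range(32))        # secret held by readers/back end, never on the card
UID = bytes.fromhex("9EFC416E")      # sample UID quoted in the article
TAG_LEN = 6                          # 6 digit bytes + 4 time bytes + 6 tag bytes = 16-byte block

def encode_balance(fen):
    """Six decimal digits, one per byte: 123.45 yuan -> 00 01 02 03 04 05."""
    if not 0 <= fen <= 999_999:
        raise ValueError("balance out of range")
    return bytes(int(d) for d in f"{fen:06d}")

def decode_balance(digits):
    if len(digits) != 6 or any(b > 9 for b in digits):
        raise ValueError("malformed balance digits")
    return int("".join(str(b) for b in digits))

def card_key(master_key, uid):
    """Per-card MAC key; it cannot be recomputed from the UID without master_key."""
    return hmac.new(master_key, b"balance-mac" + uid, hashlib.sha256).digest()

def _tag(master_key, uid, body):
    mac = hmac.new(card_key(master_key, uid), uid + body, hashlib.sha256)
    return mac.digest()[:TAG_LEN]

def seal_block(master_key, uid, fen, txn_time):
    """Build the 16-byte balance block written at the end of a transaction."""
    body = encode_balance(fen) + struct.pack(">I", txn_time)
    return body + _tag(master_key, uid, body)

def open_block(master_key, uid, block):
    """Return (fen, txn_time); raise ValueError if edited or copied from another card."""
    if len(block) != 16:
        raise ValueError("block must be 16 bytes")
    body, tag = block[:10], block[10:]
    if not hmac.compare_digest(tag, _tag(master_key, uid, body)):
        raise ValueError("balance MAC mismatch")
    return decode_balance(body[:6]), struct.unpack(">I", body[6:])[0]
```

The MAC rejects an edited balance or a block copied to a different UID, but not an older valid block written back to the same card; catching that requires comparing the stored transaction time against a record kept off the card, which is what the reconciliation mechanism in item 4 provides.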
