Avalehe pilt
For the user of ID-card and mobile ID
09/26/2017

On 30 August, an international team of researchers informed the Estonian Information System Authority (RIA) of a vulnerability potentially affecting digital use of Estonian ID cards issued since October 2014. Read more



Is the ID card safe?

As a personal identity document, all ID cards are completely secure.

Digital misuse of the ID-card by using the reported vulnerability is complicated and not cheap; we know of no instances where this has happened. Based on the current assessment, the use of an ID card is currently secure for online authentication and digital signing.

The digital use of cards issued before 17 October 2014 is not affected by the potential security vulnerability. Mobile ID is not impacted either.

All current steps are primarily preventive measures to prevent the exploitation of the possible vulnerability. RIA and PPA are monitoring the situation and will react as soon as the risk level changes.


How can I use the ID card?
All services can, for the time being, be used in the same way as before. The ID card remains valid both as an identity document and as a travel document until the expiry date indicated on the card. Nothing will change for Mobile-ID users, either.


What is going to change for me?
Until the certificates have been suspended or cancelled, nothing will change for the card holder. The ID card can be used as before.

If the user wishes to suspend their digital certificates, they can do so by calling the ID card support line +372 6773377 (1777 if dialling within Estonia). If the certificates are closed by the competent authorities due to the security risk, the cardholder will be notified by e-mail and the steps to be taken will be made public.


Do I need to apply for a new ID card?
The ID card remains valid as an identity document until the expiry date indicated on the card and can be used for travel within the European Union. A valid residence card with a foreign passport is valid for travel.

If the ID card expires, a new card must be applied for. In any other case, there is no need to apply for a new ID card.


Are there alternatives to the ID card?
Mobile-ID can be used instead of an ID card when using electronic services. You can also use Smart ID or a security token issued by many other services, such as banks. Using code cards is not recommended; their security risks are significantly higher.


How do I get Mobile-ID?
Contact your mobile carrier for a mobile-ID SIM card. Mobile-ID must then be activated on the politsei.ee website. You can start using Mobile-ID immediately after activation. After that, if the user wishes, the ID card certificates can be suspended. If the user wishes to suspend their digital certificates, they can do so by calling the ID card support line +372 6773377 (1777 if dialling within Estonia).


What does Mobile-ID cost?
The operator fee is currently €1 per month.


Where can I get advice?
The ID card help line number is 1777 (+372 6773377 if calling from outside of Estonia With regards to Mobile-ID, you can get advice from your mobile operator, including the operator’s hotline and online service.


Are the mobile operators ready for this workload?
Mobile operators are aware of the issue and have planned accordingly, but longer lines can be expected.


TECHNICAL ISSUES


What does this vulnerability mean? Is the ID card hackable? What data do you need to generate the secret encryption key?
Theoretically, the reported vulnerability could facilitate the use the digital identity for personal identification and digital signing without having the physical card and relevant PIN codes. However, knowing the public key of the certificate is not enough to unlock the card – powerful and expensive computing power to calculate the secret key and special custom-made software for signing are also needed. The ID card software is not suitable because it requires the ID card to be placed in the card reader.

Exploiting an ID card is extremely difficult and not cheap, and we do not know any cases where an attempt has succeeded.

Many services (such as banks) additionally require a username or password to log in to the service – these must also be known to exploit the vulnerability.


How can I cancel my card certificates? Should this be done?
The certificates can be suspended on the ID card help line 1777 (+372 6773377 if calling from outside Estonia) should a user wish to do so. For more information, go to the id.ee page.

Certificates may be suspended or cancelled by the individual card owner or by the service provider. There is currently no need for this. Should the situation change, the cardholders will be notified immediately.

If the cardholder wants to exclude the possibility of the ID card being compromised, they can acquire Mobile-ID and, after activating it, suspend or cancel the ID card certificates. If the certificate is suspended, the certificate can be reactivated; if cancelled, the card can no longer be digitally used.


Can I cancel the signing option only?
Authentication and signing can only be suspended or cancelled simultaneously, as the security vulnerability affects both.


Under what circumstances can the authorities cancel my ID-card certificates?
Certificates will be revoked if there is a real risk that cards will be compromised. The cardholders will be notified of the cancellation.


How and when can I replace the flawed ID card with a new one?
A new ID card solution is being developed and applying for a new ID card will currently not fix the reported vulnerability. The ID card is still valid as proof of identity.


Can the flaw be fixed online?
Not yet, but we are working on a solution.


What change happened in October 2014? Why is this the cut-off date?
In October 2014, a new chip was introduced to the ID cards. This new generation chip was faster, based on the latest technology and, therefore, considered more secure. The French and German security certificates for the chips confirm their compliance with all security requirements. The same chip is used in the identity card of several other countries, as well as bankcards and access documents. The security risk arose because of the combination of the new chip and the software.


What happened to the certificates to raise concern about their security?
Given the rapid pace of technological change, it is a normal evolution that the cryptographic algorithms on which the certificates are based become less secure over time. It is precisely for this reason that ID card certificates are updated regularly.

The reported vulnerability is significant due to the increase in computing power in recent years. A few years ago, exploiting such a vulnerability would have been significantly more expensive and thus more unlikely than it was today.


How did you find out? Why are you talking about it now?
The possibility of a vulnerability was reported by an international team of researchers through official channels. If any such security threats are discovered, the risk of exploiting them grows by leaps and bounds. That is why we published the information we received and also introduced proactive measures to reduce security risks.


What can I do to protect my card?
ID card certificates can be suspended if the ID card is not used for transactions. Alternative authentication tools, such as Mobile-ID, are available.

RIA and PPA experts will closely monitor the situation, and if necessary, the ID card certificates will be suspended. Both the affected users and the general public will be notified.


MISUSE

How and when can I check if someone has misused my card/identity?
If you suspect that your ID card has been misused, contact the police and inform the RIA Computer Emergency Response Team (cert@cert.ee).


Does the state still guarantee a digital signature? For how long?
The digital signature given with the ID card is valid, even after the certificates have been suspended or cancelled. Currently, the normal use of ID cards is continued.


Do banks trust the Estonian ID card?
Banks trust the ID card and banking services continue to be accessible with an ID card.


What actions can be called into question? Do I have to perform them again?
All signatures and transactions from before and after October 2014 with an ID card are valid.


Did state authorities not check the security of the chips?
The compliance of the ID card and the chip with security requirements has been certified by the competent German and French certification bodies and it has a valid security certificate.

After the report of the vulnerability, we are taking steps to minimise the risks: we closed the ID card public key database, our experts are analysing vulnerabilities and exploits and developing solutions to maintain the security of the ID cards at the highest level.


How and when did you know about this security risk?
On 30 August, an international group of researchers informed RIA of the security risk discovered.


Who are these scientists?
An international group of cryptographers from recognized universities, who informed RIA through official channels.


Did the cryptographers actually breach some cards?
They proved that it is mathematically possible if there is sufficient computational ability. None of the keys from Estonia are known to have been breached.


Have you verified the assertions made by the cryptographers? Could you repeat the experiment?
Verification takes time. RIA is working on it in cooperation with research institutions. The current results confirm that the study can be considered reliable and that the security risk is real. None of the keys known to be compromised.


Where is this research published? Is it possible for anyone to breach the security of ID cards based on this information?
The research will be published in the autumn at an international conference. Disclosing specific attack tools is not common practice in academic work and industry research.


Why have you not yet cancelled the cards? Whose decision is it to cancel them?
This is a security risk that has not yet been realised. In the current situation, cancellation is not justified and would cause considerable inconvenience for many people.


What have you done so far?
RIA and experts from Estonian research institutes have been involved in mapping the possible reported vulnerability, risk mitigation and solutions. This has been done in collaboration with partners and service providers.


ELECTIONS

Will online voting still go ahead? How?
RIA has briefed election authorities about the possible vulnerability risk. The National Election Committee will decide on Internet voting in the October 2017 elections.


Is online voting secure?
Online voting is no more at risk than other services. Large-scale vote fraud is not conceivable due to the considerable cost and computing power necessary of generating a private key.