Estonia resolves its ID-card crisis
12/08/2017


Around 330 000 Estonian ID-cards affected by the security risk have been updated since the certificates of 760 000 ID-cards were suspended a month ago.

The security vulnerability discovered in August affected around 800 000 Estonian ID-cards, which belong to more than half of Estonia’s 1.3 million population.

“In order to bypass the security risk we developed a software update in cooperation with SK ID Solutions and Estonian IT-companies,” said Margus Arm, head of the eID field at RIA. “This update and the ID-card renewal software enabled us to bypass the security risk without replacing all the security-risk affected cards. With the renewal software the card holders are able to renew their ID-cards either remotely from their own personal computer or at one of the police service points.” The software update was released on 25 October and the active updating process started on 31 October.

“We started the updating process on 31st October and immediately experienced several technical problems,” said Margit Ratnik, the head of the Identity and Status Bureau of the Police and Border Guard Board (PBGB). “We managed to overcome these issues and only a month later nearly half of the security-risk affected ID-cards have been updated and people can continue using the digital services with their ID-card. Estonians are used to our digital services and the ID-card is the cornerstone of our digital society.”

The security risk was discovered by an international team of researchers who informed the Information System Authority (RIA) on 30 August. The risk affected the chips used in ID-cards, residence permits, and digital IDs issued in Estonia as of October 2014. RIA notified the Police and Border Guard Board (PBGB), which is the authority responsible for issuing identity documents.

“If someone knew the public key of the certificate and had powerful and expensive computing power to calculate the secret key, then they could have theoretically unlocked the card,” explained Margus Arm.

The security risk affected millions of chips around the world because the chip is produced by the multinational company Infineon. Thus, the security vulnerability also affected other international companies such as Microsoft and Google, as well as other states such as Austria, Spain and Slovakia.

The risk of the ID-cards being cracked increased over time. Therefore, PBGB decided to suspend the certificates of the affected ID-cards from 3 November. Owners of the affected ID-cards needed to update their certificates to continue using e-services.

“After suspending the certificates we extended the opening hours of police service points and also opened temporary service points at shopping centers during weekends. As of today, 327 000 users have updated their ID-card certificates which is almost half of all the affected ID-cards,” said Ratnik. 

The certificates of the affected ID-cards that have not been updated will be permanently revoked on 1 April 2018. The updating process will continue until 31 March 2018.

In addition to the ID-card, people can use mobile-ID to access Estonian digital services. The number of mobile-ID users has increased by 26 000, reaching 160 000.

Estonian authorities offer around 1500 state services online – only marriages, divorces and real-estate transactions are not available online. The private sector offers around 5000 digital services, from online banking to telecom services.

“Most likely this will not be the last security risk concerning the ID-card or e-state because technology is constantly developing,” said Margit Ratnik. “Experience of cooperation between the state, the service providers and ID-card users shows that it is possible to solve complex problems very swiftly.”

Helen Uldrich
Communications Manager
Estonian Information System Authority
helen.uldrich@ria.ee
+372 5165258

Kristjan Lukk
Press Officer
Estonian Police and Border Guard Board
kristjan.lukk@politsei.ee
+372 58727356
