On November 4, 2017 the Estonian authorities disabled the certificates of more than 760,000 national electronic ID cards due to a security vulnerability that could have compromised cards issued between October 16, 2014 and October 26, 2017, and possibly even earlier.
More so than most other countries, Estonia relies on digital technology for many basic services, including getting prescription medication, voting, bank transfers, and digital signatures. In fact, 98% of Estonians have an ID card that they can use as a valid travel ID within Europe, to access health insurance, and to pay taxes. Digital ID cards were introduced in 2002 and have become the cornerstone of the country’s e-services. Estonia has one of the world’s fastest broadband services and has established strong digital literacy, widespread internet connectivity and e-governance.
The certificate software within the blocked ID cards will be replaced with a new, more secure one, in a nationwide effort to deal with the risk of a privacy breach. These certificates were deactivated after a group of researchers from the Czech Republic identified a security flaw in the cards’ microchips that could have led to major breaches of citizens' personal data. The researchers found that the chips installed in ID cards issued between October 16, 2014 and October 26, 2017 (though possibly as early as 2012) were vulnerable to infiltration of both private and public keys and possible identity theft.
The chips were manufactured by Infineon, a microelectronics company with headquarters in the US and Germany that provides services including government identification, mobile security, embedded security and trusted computing.
The Estonian government says that no infiltration has yet taken place, and that authorities disabled the affected ID cards as a precautionary measure to ensure no harm to citizen data. To guarantee that e-government continued to function, an estimated 35,000 people who use their ID card for their work, such as government officials and doctors, were updated to a safer version first.
On November 2, 2017 Prime Minister Jüri Ratas said in a statement:
E-riigi toimimine püsib usaldusel ning riik ei saa lubada Eesti ID-kaardi omaniku identiteedi vargust. Praeguse teadmise järgi ei ole e-identideedi vargust aset leidnud, kuid PPA ja RIA ohuhinnang näitab, et see oht on muutunud reaalseks.
The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card. As far as we currently know, there have been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real.
The security threat uncovered by Czech researchers is not limited to Estonian ID cards alone. Presumably, all chipsets produced by Infineon during that time carry the same flaw. Therefore computer systems around the world that use Infineon chipsets are also at risk of infiltration. The vulnerability illuminated the grave security challenges that can come with the digitization of national ID cards and systems.
Social media discussions about this issue included Twitter comments by Toomas Hendrik Ilves, the former President of the Republic of Estonia (2006-2016), who suggested that the “real story” is about Gemalto, the manufacturer of the cards, which appears to have learned about the vulnerability in February, but had not shared this information with customers. Since 2001 Estonian electronic ID cards have been manufactured by Trüb AG and its successor Gemalto AG, Swiss companies that use Infineon technologies.
Former President Ilves claimed the Dutch firm “informed commercial users but not the public sector (paying) clients,” urging journalists to look more in depth into the issue.
Estonian ID is not the only one made by Gemalto. However, no other govt made any noise. Probably because the cards are issued but never used.
— Giulio (@dullboy) November 8, 2017
Or perhaps the story is a tech-empathetic gov't that responded quickly and measuredly to a crypto security vulnerability. That is news!
— Andres Jaan Tack (@ajtack) November 8, 2017
Estonia's move to replace the cards’ certificates also attracted attention from information society enthusiasts across the region of Eastern and Central Europe. In a Facebook discussion, a Serbian IT expert living in Estonia explained the end user perspective through comments:
Obavestili su nas pre nekoliko meseci (dok je rizik bio samo teoretski), a pre par nedelja su pustili update sertifikata kroz zvaničnu app (ne mora da se menja ID). Trenutno ume da štuca autorizacija, ali imamo i rezervni način autorizovanja (preko mobilne app) tako da nismo blokirani.
We were notified several months ago (while the risk was only theoretical), and a few weeks ago they released updates of the certificates through an official app (so one doesn't have to change the ID). At the moment the authorization process sometimes has some hiccups, but there's a backup authorization method via a mobile phone app, so we are not blocked at all.
This security problem is quite different from many we hear about on a daily basis.
There may be a vendor behind the faulty product, but fixing the problem on its side does little for users of the product, for two main reasons:
1. The vulnerable products already with customers cannot be fixed in many use cases where they are part of complex security systems. Estonia is an example where fixing the product means taking it to a governmental office for an update. (It is possible to compare the related costs to RSA’s SecurID case back in 2011.)
2. If a company or a governmental department integrated vulnerable products into their security systems, they need time and information to mitigate the risk. In this case, they have been given little of either, compared to a small number of “large customers” like Microsoft, Google, HP, …
There is a larger discussion going on about the upsides and downsides of open-source vs. commercial products, and of open-source bug hunting vs. formal certifications. In terms of informing users, this instance fell somewhat short of expectations.