An international team of researchers has informed the Estonian authorities of a vulnerability potentially affecting digital use of Estonian ID cards issued since October 2014; all the cards issued to e-residents are also affected.
On 30 August, an international team of researchers informed the Estonian Information System Authority (RIA) of a vulnerability potentially affecting the digital use of Estonian ID cards. The possible vulnerability affects a total of almost 750,000 ID-cards issued starting from October 2014, including cards issued to e-residents. The ID-cards issued before 16 October 2014 use a different chip and are not affected. Mobile-IDs are also not impacted.
Estonian authorities confirmed the findings on 5 September. Taimar Peterkop, the director of the RIA, said in a statement that while Estonian experts continue to verify the claims of the researchers, they agree with the external assessment and there is indeed a possible security vulnerability. “We have developed the primary solutions to mitigate the risk, and will do our utmost to ensure the security of the ID-card,” Peterkop said.
Prime minister: Estonian e-state will not be affected
According to Peterkop, the current data shows this risk to be theoretical and there is no evidence of anyone’s digital identity being misused. “All ID-card operations are still valid and we will take appropriate actions to secure the functioning of our national digital-ID infrastructure. For example, we have restricted the access to Estonian ID-card public key database to prevent illegal use.”
“The Estonian digital society relies on innovative technologies. Those new technologies provide good value and services to the public, but may also impose risks. We focus on detecting and mitigating those. This particular case is a good example of how scientific research can pinpoint issues to be solved,” Peterkop added.
In light of current events, some Estonian politicians called for the upcoming local elections, due to take place on 15 October,* to be postponed. In Estonia, approximately 30.5% of the voters use digital identity to vote online.**
But the Estonian prime minister, Jüri Ratas, said at a press conference on 5 September that “this incident will not affect the course of the Estonian e-state”. Ratas also recommended using Mobile-IDs where possible. The prime minister said that the State Electoral Office will decide whether to allow the use of ID cards for online voting at the upcoming local elections.
The Estonian Police and Border Guard estimates it will take approximately two months to fix the issue with faulty cards. The authority will involve as many Estonian experts as possible in the process.
Cover: An Estonian e-residency card in use (the image is illustrative).
* The original version of this article said that the local elections are due to take place on 16 October.
** The original version of this article said that approximately 35% of the voters vote online. In the last parliament election, 30.5% of the voters voted online.
Isn’t this the second time ID cards have had a security problem?
What was the first time? There was a problem where Google Chrome briefly did not work with them because of a standards question, but that was not a security threat.
Per ERR, an Estonian news outlet:
“The scientists were not looking at the Estonian ID-card or even its technology, but rather at one of the chips manufactured by Swiss company Gemalto AG. While the chip in question has several applications, the lion’s share lie at the heart of Estonian ID-cards.”
I personally took the forceful implementation of the Biometric ID card in Mauritius up to the Privy Council. At Supreme Court level, it was ruled that stocking Biometric Data in a database fails our constitution. We used to have a laminated ID card for our population of about one million adults including those abroad. Yesterday I registered myself in the by-election as a candidate and the electoral commission accepted. Although nearly everyone is being asked to obtain a Biometric ID. 9 eminent judges ruled that our right to privacy is a fundamental right. Hence it is immoral and illegal to forcefully obtain personal biometric ID. From day one I keep telling everyone that if your data is compromised through hacking, you may end up being hacked for life even after death. UK does use Biometric ID for its Citizens but Privy Council found no flaws and did not find that our right to privacy was threatened. Besides, the microchip embedded at the neck of the photo ID forms a bulge. Easily noticeable and easily removed or swapped. Security of the BNIC also is questionable. Brandon Mayfield and WPC Shirley McKie were both wrongly convicted as their Biometric Fingerprints were identified. Those without financial muscle definitely end up in prison or executed. Dr Maharajah Madhewoo