An international team of researchers has informed the Estonian authorities of a vulnerability potentially affecting digital use of Estonian ID cards issued since October 2014; all the cards issued to e-residents are also affected.
On 30 August, an international team of researchers informed the Estonian Information System Authority (RIA) of a vulnerability potentially affecting the digital use of Estonian ID cards. The possible vulnerability affects a total of almost 750,000 ID-cards issued starting from October 2014, including cards issued to e-residents. The ID-cards issued before 16 October 2014 use a different chip and are not affected. Mobile-IDs are also not impacted.
Estonian authorities confirmed the findings on 5 September. Taimar Peterkop, the director of the RIA, said in a statement that while Estonian experts continue to verify the claims of the researchers, they agree with the external assessment and there is indeed a possible security vulnerability. “We have developed the primary solutions to mitigate the risk, and will do our utmost to ensure the security of the ID-card,” Peterkop said.
Prime minister: Estonian e-state will not be affected
According to Peterkop, the current data shows this risk to be theoretical and there is no evidence of anyone’s digital identity being misused. “All ID-card operations are still valid and we will take appropriate actions to secure the functioning of our national digital-ID infrastructure. For example, we have restricted access to the Estonian ID-card public key database to prevent illegal use.”
“The Estonian digital society relies on innovative technologies. Those new technologies provide good value and services to the public, but may also impose risks. We focus on detecting and mitigating those. This particular case is a good example of how scientific research can pinpoint issues to be solved,” Peterkop added.
In light of current events, some Estonian politicians called for postponing the upcoming local elections, due to take place on 15 October.* In Estonia, approximately 30.5% of the voters use digital identity to vote online.**
But the Estonian prime minister, Jüri Ratas, said at a press conference on 5 September that “this incident will not affect the course of the Estonian e-state”. Ratas also recommended using Mobile-IDs where possible. The prime minister said that the State Electoral Office will decide whether to allow the use of ID cards for online voting at the upcoming local elections.
The Estonian Police and Border Guard estimates it will take approximately two months to fix the issue with faulty cards. The authority will involve as many Estonian experts as possible in the process.
Cover: An Estonian e-residency card in use (the image is illustrative).
* The original version of this article said that the local elections are due to take place on 16 October.
** The original version of this article said that approximately 35% of the voters vote online. In the last parliament election, 30.5% of the voters voted online.