Estonia's ID card crisis: How e-state's poster child got into and out of trouble

Estonia is built on secure state e-systems, so the world was watching when it hit a huge ID-card problem.
Written by Kalev Aasmae, Contributor

Video: Estonia to open the world's first data embassy in Luxembourg

For the past two and a half months, Estonia has been facing the biggest security crisis since a wave of cyberattacks hit its banks and critical national infrastructure in 2007.

At the heart of the current debacle is the latest version of its national ID card, which has been a mandatory identification document for citizens of Estonia since 2002 and serves as a cornerstone of Estonia's e-state.

The hardware behind the ID cards was found to be vulnerable to attacks, which could theoretically have led to identity thefts of Estonian citizens and also e-residents, something which its government has denied occurring.

Putting a positive spin on recent events, the state's former CIO, Taavi Kotka, argues that the way the country has handled the crisis is actually positive, because he believes it will become a textbook case for others.

"No society depends on technology as much [as Estonia]. The communication and the reactions [will be studied]," he said on national broadcaster ERR's Foorum.

The Estonian ID card, when connected with a smartcard reader and specific software, gives its owner access to web portals and e-services, enables payments, bank transactions, and digital signatures. Card holders can even use it to take part in electronic voting.

The ID cards use 2,048-bit open-source public-key/private-key encryption, holding two separate digital certificates: one for confirming the holder's identity, and the other to allow them to sign documents with a digital signature.

There are two associated private keys on the card, which are each securely protected by a unique user PIN. Users can enter one when asked to verify their identity online and employ the other when they want to digitally sign something.

Entering the second PIN is the equivalent of signing a document in person, and it's considered just as legally binding in Estonia.

In October 2014, a new chip was introduced to the Estonian ID cards, provided by Netherlands chipmaker Gemalto. According to the Estonia's Information System Authority (ISA), this new-generation chip was faster, based on the latest technology and, therefore, considered even more secure.

"The French and German security certificates for the chips confirm their compliance with all security requirements. The same chip is used in the identity card of several other countries, as well as bankcards and access documents," explained the ISA.

In August this year a group of Czech researchers informed ISA of a security risk they had discovered, related to the Gemalto chips. Estonian experts started immediately assessing the risks.

On September 5, Estonia's prime minister, Jüri Ratas, called a special press conference to inform the public of the threat, which it turns out applies to almost 750,000 Gemalto-based ID cards issued in the past three years.

"Theoretically, the reported vulnerability could facilitate the use the digital identity for personal identification and digital signing without having the physical card and relevant PIN codes," admitted ISA, adding that knowing the public key of the certificate is not enough to unlock the card.

Powerful and expensive computing power to calculate the secret key and special custom-made software for signing are also needed.

"The ID card software is not suitable because it requires an ID card to be placed in the card reader," they added in a statement.

As a precaution, Estonia restricted access to Estonian ID-card public-key database to prevent illegal use, because without the public key it's not possible to use this security flaw to attack the cards.

Dozens of IT specialists started immediately working around the clock to solve the issue and create the updates for certificates, which would eliminate the danger, and build a system that could update the certificates as quickly as possible.

In mid-October, when the Czech researchers published a paper with their findings, Estonia was still confident that the risk was minimal.

"The findings published... do not give the Police and Border Guard Board reason to suspend or revoke current certificates, and we are moving forward with the plan to start updating the affected ID-cards in November," said Margit Ratnik, head of the Identity and Status Bureau of the Estonian Police and Border Guard Board then.

See also: Data breaches highlight how Social Security number has to be phased out for blockchain, biometrics 

https://www.zdnet.com/article/data-breaches-highlight-how-social-security-number-has-to-be-phased-out-for-blockchain-biometricsOn October 25, the ISA announced that the solution to update the certificates was ready to use. Estonian ID card owners rushed to update their certificates online, leaving Police and Border Guard offices all over Estonia with long lines of people waiting to get their patches.

But the system couldn't cope with the high level of requests and crashed several times, making the rate of updates slower than the ISA had hoped.

As days went by and the danger of receiving attacks exploiting the security flaws loomed larger, a drastic decision was made by the government.

It endorsed the proposal by the Estonian Police and Border Guard Board and the Information System Authority to block the certificates of ID cards at risk on November 3.

That decision meant that the 760,000 ID cards issued after October 16, 2014 could only be used for identification and travel. Access to e-services such as the health registry, banking or tax systems was restricted until the certificates had been updated.

To guarantee that e-government continued to function, about 35,000 people who have to use their ID card for their work, such as doctors, justice officials, and civil servants, were to be updated first.

The ISA announced on November 6 that the process of remote updating and renewals had finally started to run smoothly.

"Additional time and a calm attitude are still needed for both update options," said Margus Arm, head of e-ID at the ISA.

Between October 25 and November 6, about 120,000 people had updated their ID cards, 92,000 of them remotely.

Although a bigger crisis has been averted and, according to ISA, no instances of e-identity theft have occurred, it is hard to assess the damage to the reputation of Estonia's e-state.

Yet despite the ID card crisis, Estonian citizens' trust in their country's e-state apparently remains strong.

At the beginning of October, a month after the theoretical vulnerability was announced by the government, a new record was set in the municipal elections in Estonia. Of a total of 582,542 votes, 186,034 were cast online.


An Estonian smart ID card.

Image: Wikipedia

Previous and related coverage

Android, iOS secure ID: Estonia says it's taking digital authentication to new levels

Early next year, Estonia rolls out its new Smart-ID digital identity system, which is not dependent on a SIM card and can be used around the world.

Estonia has 1.3 million people: Here's how it plans to get 10 million e-residents by 2025

Just over two years into its plan to offer people who are not Estonian citizens or residents a digital identity, Estonia sees fintech and blockchain services as the way to achieve its ambitious goals.

IT leader's guide to reducing insider security threats [Tech Pro Research]

This ebook offers a look at where the risks lie and what you can do to mitigate them.

Read more about Estonia and technology

Editorial standards