Ex-Estonian president: Other countries staying silent over digital ID flaws

Former Estonian president Toomas Ilves believes millions of citizens in other countries are affected by the same security flaw that forced Estonia to recall 760,000 digital IDs earlier this month.

He told IT Pro that the compromised chips in Estonians' digital ID cards are the same as those used in "millions and millions" of credit cards, bank cards and digital ID cards, as reports emerge that Spain also suspended its identity cards this week.

Ilves said the only difference is that Estonia happens to be transparent, while "others [countries and organisations] remain silent about the very same flaw".

Spain decided to suspend the country's digital IDs last weekend because of the same encryption vulnerabilities that led Estonia to recall its digital certificates, according to local media reports.

The police had to deactivate the digital certificates of any Spanish electronic IDs (called DNIe) produced since April 2015, prompted by Czech researchers' discovery of the vulnerability, which was confirmed by IT Pro with the Spanish police. Spanish website El Correo predicts that over 17 million DNIe could be affected.

The flaw in Estonia's cards meant that hackers could access the public and private keys that are both required to digitally authenticate a person's identity.

Czech researchers informed the Estonian government of the problem in late August, but Ilves claims Infineon, the chip manufacturer, discovered the flaw in February and that neither Infineon nor Gemalto, the card manufacturer, told Estonia about it.

On its website, Gemalto says it has 40 digital identity schemes in place around the world. A spokeswoman for the firm told IT Pro: "In the vast majority of cases, the crypto libraries developed by the chip manufacturer [Infineon] are not included in our products. It is standard practice that Gemalto products use our in-house cryptographic libraries, developed by our internal R&D teams and cryptography experts. We can confirm that products containing Gemalto's crypto libraries are immune to the attack.

"We can confirm that none of our mobile, IoT or payment products and solutions are impacted in any way. For national eID cards, one customer only is using the Infineon crypto library. A solution to prevent any potential issues has been set up and implemented, this consists in a remote update of the eID cards. Gemalto has worked to support the Estonian government to provide a remote card update which suppresses completely this risk."

IT Pro has contacted Infineon for comment.

However, Estonia's former president doesn't believe the security issue will put Estonians off using their digital IDs, which are used to access public services online, or off digital services more generally.

"The 2007 cyber attacks against our country [which targeted government and national newspaper websites with DDoS attacks amid a disagreement with Russia] did not stop people from using the digital services - as we dealt with the incidents decidedly, appropriately, also open and transparently," Ilves said.

"So, we do not expect any long-term effects for service use. Rather, people will be using them more widely, be more open to updates as they need to take place and have more alternative ID tokens to operate on."

Ilves said the Estonian government will use the "opportunity to carry out further robust development of e-services".

"We hope that overcoming the ID card security vulnerability will strengthen the reputation of Estonia as a successful digital society, much as the 2007 cyber attacks, the first ever directed at an entire country, spawned a cyber defence capability that continues to win general international acclaim," he added.

07/11/2017: Estonian government suspends 760,000 digital IDs amid security fears

The Estonian government was forced to block the certificates of 760,000 ID cards last Friday, due to security concerns the country has blamed on the chips inside the cards.

The Baltic country's population of 1.3 million relies on digitised services covering everything from healthcare to paying taxes, and requires digital identity cards to access these services.

However, Estonia's Police and Border Guard last week suspended 760,000 ID cards - around half the population - that were affected by a vulnerability Estonia's government blamed on the cards' chip manufacturer.

The card chips provide a public encryption key and a private encryption key, both of which are required to prove someone's identity online. But the vulnerability reportedly means hackers can access the private key through the public key, effectively allowing them to steal people's identities.

Prime minister Jüri Ratas said: "The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card. As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real. By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card."

Any cards issued between 16 October 2014 and October 2017 are affected, but the identity cards are still valid as physical travel and ID documents, and to buy prescriptions at a pharmacy. However, people can't use them electronically.

The government allowed people who need to use their ID card for work to update their certificates between 3 and 5 November. Around 35,000 people, ranging from doctors to government officials, were able to change their certificate first as a priority.

Adding that the flaw affected cards and computer systems around the world that use the chips from the same producer, the Estonian government said it has brought the flaw to the attention of an international cybercrime network, which meant they had to take action.

"Our first priority is the protection of people's health data, which is why blocking the certificates is the only conceivable option. Over the past two months, a lot of work has been done to ensure the functioning of health and social services even in the case of the closure of the ID certificates. However, some disruptions may occur in hospitals in the coming weeks, which is why we ask for understanding from patients - this step will protect your data," said Jevgeni Ossinovski, Estonian minister for health and labour.


Zach Marzouk
