An international group of cryptographers has flagged a serious security vulnerability in the chip embedded in Estonian ID cards, the country’s Information System Authority has announced.
“Estonian experts assess there to be a possible security vulnerability and we will continue to verify the claims of the researchers,” said Taimar Peterkop, Director-General of the agency. “We have developed the primary solutions to mitigate the risk, and will do our utmost to ensure that the security of the ID-card.”
The vulnerability likely affects almost 750,000 ID cards issued starting from October 2014 (including cards issued to e-residents). ID cards issued before October 16, 2014, use a different chip and are not vulnerable.
“Theoretically, the reported vulnerability could facilitate the use the digital identity for personal identification and digital signing without having the physical card and relevant PIN codes. However, knowing the public key of the certificate is not enough to unlock the card – powerful and expensive computing power to calculate the secret key and special custom-made software for signing are also needed. The ID card software is not suitable because it requires an ID card to be placed in the card reader,” the agency explained.
“The reported vulnerability is significant due to the increase in computing power in recent years. A few years ago, exploiting such a vulnerability would have been significantly more expensive and thus more unlikely than it was today.”
Exploitation is still extremely difficult and not cheap, and the associated risk is still theoretical, the agency noted. “We do not know any cases where an attempt has succeeded,” they added.
The scientists’ research will be published in autumn at an international conference. In the meantime, issuers of cards with the vulnerable chip have been notified of the problem so that they could find a way to minimize the risk before that date.
According to the agency, the same chip is used in the identity card of several other countries, as well as bankcards and access documents.
“Many services (such as banks) additionally require a username or password to log in to the service – these must also be known to exploit the vulnerability,” the agency pointed out.
The Information System Authority doesn’t mean to revoke the cards yet, as the risk is still non-existent, but they are working on possible solutions and have implemented risk minimization measures such as closing the ID card public key database.
The vulnerable ID cards can still be used as before: as an identity document, a travel document, and for digital signing.
The agency has also added that the Estonian National Election Committee has yet to decide whether Internet voting made possible through the use of the card will be allowed in the upcoming October 2017 elections, but pointed out that “large-scale vote fraud is not conceivable due to the considerable cost and computing power necessary of generating a private key.”