On 3 November 2017 at midnight, Estonia will block the certificates of 760,000 ID cards.
The decision is the result of the discovery of a security vulnerability in the Infineon-developed RSA library, which could be exploited by attackers to discover the RSA private key corresponding to an RSA public key generated by this library.
Estonian electronic ID cards have been manufactured by the Swiss company Trub AG and its successor Gemalto AG since 2001. The flaw is present in the cryptographic chips included in Estonian ID cards issued after 16 October 2014.
“The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card. As far as we currently know, there have been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real,” Prime Minister Jüri Ratas said. “By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card.”
The risk of the threat materialising is increased by the fact that the flaw is not limited to the Estonian ID card: it also affects cards and computer systems around the world that use chips from the same manufacturer. This brought the security flaw to the attention of international cybercrime networks, which have significant means to take advantage of the situation.
“Our first priority is the protection of people’s health data, which is why blocking the certificates is the only conceivable option. Over the past two months, a lot of work has been done to ensure the functioning of health and social services even in the case of the closure of the ID certificates. However, some disruptions may occur in hospitals in the coming weeks, which is why we ask for understanding from patients – this step will protect your data,” said Jevgeni Ossinovski, Estonian Minister for Health and Labour.
In order to guarantee the functioning of the eGovernment, only those people who must use their ID card actively in their work can update the certificate from 3 to 5 November. There are about 35,000 of these people, among them doctors, government officials working in the field of justice, and employees of the civil status office, who will be served first in the office of the Police and Border Guard Board.
ID cards with blocked certificates can be renewed at the service points of the Police and Border Guard Board, which will be open on the weekend for that purpose, and it is still possible to renew the cards online.
Even though the certificates will be blocked, all ID cards will continue to function as travel and identification documents, and can still be used to buy prescription medicine at a pharmacy by using a digital prescription or as a loyalty card.
The blocking of the certificates does not affect people who have already updated their ID card certificates or have received a new ID card without the security flaw.
Instructions on how to go about the certificate updating process are provided here.