In 2011, researchers identified a security vulnerability of the ID-card used in Estonia

The security vulnerability, which affected almost 120,000 ID-cards, meant that through a particular attack vector the card could be used without knowing PIN1 or PIN2 (e.g. to give a digital signature). To carry out the attack, the attacker had to be in possession of the user's ID-card and the card had to be valid (a lost card is usually reported and the respective certificates are suspended or revoked). There were no reports of abuse of such ID-cards and there still are none.

The security vulnerability was eliminated by updating the certificates, and the last card of that generation expired at the end of 2016. As of December 2018, Estonia entered into a contract with a new ID-card manufacturer.

The 2011 security vulnerability differed from the 2017 ID-card security vulnerability in that the chip application of the 2011 card contained several deficiencies which could only be exploited by someone who had gained possession of the ID-card. A prudent card holder who did not lose their card was therefore not at risk. The 2017 security vulnerability, on the other hand, could be exploited without physically having the card.

A new card application was developed to fix the 2011 errors, and card holders were invited to update the software on their cards. Electronic use of the last cards that had not been updated was suspended in summer 2013.

According to Margus Arm, Director General of the Information System Authority, the twenty-year history of the ID-card has certainly been successful: ‘We are a unique country, with our functioning dependent on digital solutions and all our services being built on means of electronic identification: ID-cards, Mobile-ID, Smart-ID. The technology, including the solutions which were secure so far, has, however, significantly changed or developed over those twenty years. We have identified and eliminated vulnerabilities and dealt with the consequences of those vulnerabilities in cooperation with researchers. There is no one to learn from, as we are the so-called pioneers in this field – thus, we are learning from our own experiences.’

According to him, the entire eID field is better and more uniformly regulated all over Europe today, ten years later: ‘The judicial area has changed and various different security standards have been harmonised – qualified companies are conducting security tests and audits. A lot in this world comes down to trust and we have no reason to question the reliability of global large-scale producers today. We are also a lot more prepared as a society to discuss various weaknesses and incidents today and to do it more openly, as this is part of the trust for the means of electronic identification which we use on a daily basis, as well as the trust for the government’.

‘Today, there is no reason to question the security of the ID-card or other means of electronic identification. Security is, however, a process which changes in time and demands constant attention. Technology is always developing – vulnerabilities will be found and fixed in the future as well. Constant updating and development is, however, the only way for ensuring the sustainability of e-governance. We are looking into the past and highlighting the mistakes detected, but we are even more concentrated on the future to learn from those mistakes,’ says Arm.

Annex 1. Forecast of applications for identity cards and residence permit cards in 2012 (247.8 KB, PDF) (in Estonian)
Analysis of the ID-card software, 02.12.2011, Toni Koivunen, Sauli Pahlman (1.37 MB, PDF)
Annex 3. Analysis of the Estonian ID-card v3.0 code in light of the PKCS#1 attack reported by Joe-Kay Tsay, 12.12.2011, Martin Paljak (1.67 MB, PDF) (in Estonian)
Annex 4. Table of previously known errors in the ID-card software, 12.12.2011, Martin Paljak (3.19 MB, PDF) (in Estonian)
Analysis of the ID-card software, 14.12.2011, Toni Koivunen, Sauli Pahlman (2.02 MB, PDF)
