Language switcher

You are here

In 2011, researchers identified a security vulnerability of the ID-card used in Estonia

The security vulnerability, which affected almost 120,000 ID-cards, meant that as a result of a certain attack vector, the card could be used without knowing the PIN1 or PIN2 (e.g. to give the digital signature). In order to conduct an attack, the attacker had to be in possession of the user’s ID-card and the ID-card had to be valid (losing a card is usually reported and the respective certificates are suspended or cancelled). There were no reports of abuse of such ID-cards and there still are none.

The security vulnerability was eliminated by updating the certificates and the last card of the generation expired at the end of 2016. As of December 2018, Estonia entered into a contract with a new ID-card manufacturer.

The 2011 security vulnerability was different from the 2017 ID-card security vulnerability in the fact that the chip application of the 2011 card included several deficiencies which could be used by gaining possession of an ID-card. If the card holder was prudent, however, and did not lose their card, there was no risk. The security vulnerability of 2017, on the other hand, could be exploited without physically having the card.

A new card application was developed to fix the errors of 2011 and people were invited to update the software on their cards. The electronic use of the last cards that had not been updated was suspended in summer 2013.

According to Margus Arm, Director General of the Information System Authority, the twenty-year history of the ID-card has certainly been successful, ‘We are a unique country, with our functioning dependent on digital solutions and all our services being built on means of electronic identification: ID-cards, Mobile-ID, Smart-ID. The technology, including the solutions which were secure so far, have, however significantly changed or developed over those twenty years. We have identified and eliminated vulnerabilities and dealt with the consequences of those vulnerabilities in cooperation with researchers. There is no one to learn from, as we are the so-called pioneers in this field – thus, we are learning from our own experiences.’

According to him, the entire eID field is better and more uniformly regulated all over Europe today, ten years later: ‘The judicial area has changed and various different security standards have been harmonised – qualified companies are conducting security tests and audits. A lot in this world comes down to trust and we have no reason to question the reliability of global large-scale producers today. We are also a lot more prepared as a society to discuss various weaknesses and incidents today and to do it more openly, as this is part of the trust for the means of electronic identification which we use on a daily basis, as well as the trust for the government’.

‘Today, there is no reason to question the security of the ID-card or other means of electronic identification. Security is, however, a process which changes in time and demands constant attention. Technology is always developing – vulnerabilities will be found and fixed in the future as well. Constant updating and development is, however, the only way for ensuring the sustainability of e-governance. We are looking into the past and highlighting the mistakes detected, but we are even more concentrated on the future to learn from those mistakes,’ says Arm.

Lisa 1. Isikutunnistuste ja elamisloakaartide taotluste prognoos 2012. a (247.8 KB, PDF) (in Estonian)
Analysis of the ID-card software, 02.12.2011, Toni Koivunen, Sauli Pahlman (1.37 MB, PDF)
Lisa 3. Eesti ID-kaardi v3.0 koodi analüüs Joe-Kay Tsay raporteeritud PKCS#1 ründe valguses, 12.12.2011, Martin Paljak (1.67 MB, PDF) (in Estonian)
Lisa 4. Tabel ID-kaardi tarkvara varemteadaolevate vigade kohta, 12.12.2011, Martin Paljak (3.19 MB, PDF) (in Estonian)
Analysis of the ID-card software, 14.12.2011, Toni Koivunen, Sauli Pahlman (2.02 MB, PDF)

More news on the same subject

03.01.2022

RIA’s phone numbers for customer support and for reporting failures in the state network will change on 3 January

As of today, users of the services of the Information System Authority (RIA) can call 666 8888 for support, while 663 0299 may be dialled around the clock to report failures in the state network.

21.12.2021

Joonas Heiter will be the Director of the State Information System

21.12.2021 – As of 1 January, the State Information System Branch of the Information System Authority (RIA) will be led by Joonas Heiter, who has been managing the State Data Exchange Department of the same branch since 2018.