Estonia resolves its ID-card crisis

Around 330 000 Estonian ID-cards affected by the security risk have been updated since the suspension of 760 000 ID-card certificates a month ago.

The security vulnerability discovered in August affected around 800 000 Estonian ID-cards, which belong to more than half of Estonia’s 1.3 million population.

“In order to bypass the security risk we developed a software update in cooperation with SK ID Solutions and Estonian IT-companies,” said Margus Arm, head of the eID field at RIA. “This update and the ID-card renewal software enabled us to bypass the security risk without replacing all the security-risk affected cards. With the renewal software the card holders are able to renew their ID-cards either remotely from their own personal computer or at one of the police service points.” The software update was released on 25 October and the active updating process started on 31 October.

“We started the updating process on 31st October and immediately experienced several technical problems,” said Margit Ratnik, head of the Identity and Status Bureau of the Police and Border Guard Board (PBGB). “We managed to overcome these issues and only a month later nearly half of the security-risk affected ID-cards have been updated and people can continue using the digital services with their ID-card. Estonians are used to our digital services and the ID-card is the cornerstone of our digital society.”

The security risk was discovered by an international team of researchers, who informed the Information System Authority (RIA) on 30 August. The risk affected the chips used in ID-cards, residence permits, and digital IDs issued in Estonia as of October 2014. RIA notified the Police and Border Guard Board (PBGB), which is the authority responsible for issuing identity documents.

“If someone knew the public key of the certificate and had powerful and expensive computing power to calculate the secret key, then they could have theoretically unlocked the card,” explained Margus Arm.

The security risk affected millions of chips around the world because the chip is produced by the multinational company Infineon. The vulnerability therefore also affected other international companies such as Microsoft and Google, as well as other states such as Austria, Spain and Slovakia.

The risk of the ID-cards being cracked increased over time. PBGB therefore decided to suspend the certificates of the affected ID-cards from 3 November. Owners of the affected ID-cards needed to update their certificates to continue using e-services.

“After suspending the certificates we extended the opening hours of police service points and also opened temporary service points at shopping centers during weekends. As of today, 327 000 users have updated their ID-card certificates, which is almost half of all the affected ID-cards,” said Ratnik.

The certificates of the affected ID-cards that have not been updated will be permanently revoked on 1 April 2018. The updating process will continue until 31 March 2018.

In addition to the ID-card, people can use mobile-ID to access Estonian digital services. The number of mobile-ID users has increased by 26 000, reaching 160 000.

Estonian authorities offer around 1500 state services online – only marriages, divorces and real-estate transactions are not available online. The private sector offers around 5000 digital services, from online banking to telecom services.

“Most likely this will not be the last security risk concerning the ID-card or e-state because technology is constantly developing,” said Margit Ratnik. “Experience of cooperation between the state, the service providers and ID-card users shows that it is possible to solve complex problems very swiftly.”
