Estonia resolves its ID-card crisis

Around 330 000 Estonian ID-cards affected by the security risk have been updated since the certificates of 760 000 ID-cards were suspended a month ago.

The security vulnerability discovered in August affected around 800 000 Estonian ID-cards, which belong to more than half of Estonia’s population of 1.3 million.

“In order to bypass the security risk we developed a software update in cooperation with SK ID Solutions and Estonian IT-companies,” said Margus Arm, head of the eID field at RIA. “This update and the ID-card renewal software enabled us to bypass the security risk without replacing all the security-risk affected cards. With the renewal software the card holders are able to renew their ID-cards either remotely from their own personal computer or at one of the police service points.” The software update was released on 25 October and the active updating process started on 31 October.

“We started the updating process on 31st October and immediately experienced several technical problems,” said Margit Ratnik, the head of Identity and Status Bureau of the Police and Border Guard Board (PBGB). “We managed to overcome these issues and only a month later nearly half of the security-risk affected ID-cards have been updated and people can continue using the digital services with their ID-card. Estonians are used to our digital services and the ID-card is the cornerstone of our digital society.”

The security risk was discovered by an international team of researchers, who informed the Information System Authority (RIA) on 30 August. The risk affected the chips used in ID-cards, residence permits, and digital IDs issued in Estonia from October 2014 onwards. RIA notified the Police and Border Guard Board (PBGB), which is the authority responsible for issuing identity documents.

“If someone knew the public key of the certificate and had powerful and expensive computing power to calculate the secret key, then they could have theoretically unlocked the card,” explained Margus Arm.

The security risk affected millions of chips around the world because the chips are produced by the multinational company Infineon. Thus the security vulnerability also affected international companies such as Microsoft and Google, as well as other states such as Austria, Spain and Slovakia.

The risk of the ID-cards being cracked increased over time. Therefore, PBGB decided to suspend the certificates of the affected ID-cards from 3 November. Owners of affected ID-cards needed to update their certificates to continue using e-services.

“After suspending the certificates we extended the opening hours of police service points and also opened temporary service points at shopping centers during weekends. As of today, 327 000 users have updated their ID-card certificates which is almost half of all the affected ID-cards,” said Ratnik.

The certificates of the affected ID-cards that have not been updated will be permanently revoked on 1 April 2018. The updating process will continue until 31 March 2018.

In addition to the ID-card, people can use mobile-ID to access Estonian digital services. The number of mobile-ID users has increased by 26 000, reaching 160 000.

Estonian authorities offer around 1500 state services online – only marriages, divorces and real-estate transactions are not available online. The private sector offers around 5000 digital services, from online banking to telecom services.

“Most likely this will not be the last security risk concerning the ID-card or e-state because technology is constantly developing,” said Margit Ratnik. “Experience of cooperation between the state, the service providers and ID-card users shows that it is possible to solve complex problems very swiftly.”
