In many countries, official ID cards form a physical and symbolic foundation for residents. In pioneering countries such as Estonia, identity cards are even more integral – used in accessing services ranging from online banking to voting.
The problem is that relying on a digital identity can leave citizens vulnerable should that identity be compromised. Over the weekend, 760,000 Estonians were found to be at risk from a major security flaw discovered in the chips of their cards.
Realising that the exploit could allow identities of those affected to be stolen, the Government of Estonia was forced to block most of its residents from using its online services over the course of a weekend while it attempted to research and eliminate the exploit.
According to news sources, ID cards issued between October 2014 and October 25th 2017 have been frozen until their owners apply for updated documents. Updates were processed online, but stories have emerged of servers crashing due to high demand, forcing some concerned individuals to travel to police stations and other official sites.
Only medical professionals and frequent users were able to apply for documents online, at peak demand, with the system expected to open to the wider public as normal service is resumed today.
Peter Ferry, the founder and commercial director of Wallet.Services, the company focusing on the creation of secure blockchain services for government and businesses, told DIGIT: “This is a potential, and as yet unexploited, vulnerability in Infineon-developed software which affects millions of TPM chips on laptops globally, as well as the Estonian national ID smart card.
“The Estonians have reacted quickly and proportionately to block any exploit and remove the vulnerability with an update to stronger elliptic curve cryptography. As the update is rolled out in the coming weeks, the vast majority of Estonian citizens can continue to use their Mobile SmartID for government interaction”
Researchers first reported on the ID security flaws in September, tracing the faulty chips back to the manufacturer. Despite the long-running nature of the issue, the managing director of Estonia’s ID programme affirmed that there are, “still no known incidents of an Estonian digital ID card being misused.” Citizens now have until March 2018 to update their certificates before their ID cards become invalid.
Prime Minister Jüri Ratas said in a statement: “The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card.
“As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real. By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card.”