The government supported a proposal by the Police and Border Guard Board (PPA) and the Estonian Information System’s Authority (RIA) to suspend certificates of ID-cards sporting a security vulnerability at midnight tonight at its cabinet meeting yesterday. This means that more than half of ID-cards in use will not function as electronic identification tools from Saturday.
There are approximately 760,000 ID-cards with the vulnerability currently in use. Only 15,000 people managed to update their certificates remotely yesterday, while 40,000 cards have been updated in total.
Remote updates were closed for most people yesterday evening. Only those who actively use ID-cards in their work, including doctors, legal affairs and vital records officials, can access remote updates between November 3 and 5. They number 35,000 in total and will also be serviced first in PPA service bureaus.
The government’s decision came out of the blue – RIA had said as recently as 3 p.m. that no proposal to suspend certificates had been made.
Prime Minister Jüri Ratas told journalists only a few hours later that the decision to suspend certificates was made after five hours of deliberations involving several agencies – the cabinet meeting with PPA, RIA, the interior ministry’s IT development center SMIT, the Registers and Information Systems Center (RIK), and other agencies lasted for more than five hours.
“The operation of the Estonian e-state is based on trust, and the state cannot allow the identity of Estonian ID-card holders to be stolen. Information we have suggests electronic identity theft has not taken place; however, threat assessments by the PPA and RIA suggest it has become a realistic possibility,” Ratas explained.
The PM apologized to people who have not been able to update their certificates remotely. At the same time, he urged people to remain calm. “There is no cause for panic. People do not have to spend their weekend queueing at service stations. It will be possible to update certificates until March 31, 2018.”
Ratas did not answer the question of how much solving the problem has cost so far.
Director General of RIA Taimar Peterkop said the decision to suspend certificates had to be made as there is a possibility an investment has been made to create relevant malware.
The likelihood of the risk materializing is made greater by the fact the fault does not only concern the Estonian ID-card, but that computer systems and cards all over the world use the same manufacturer’s chips. This has brought the vulnerability to the attention of an international cybercrime network that has considerable means with which to exploit the situation.
“The result of work done by Czech scientists has made it more probable the vulnerability will be taken advantage of. Malware to exploit the vulnerability has been on offer since today (yesterday – ed.). We do not know whether it really works; however, the threat materializing is now a realistic possibility,” the head of RIA explained.
Peterkop said that disruptions in the remote update process are caused by the fact loading a new electronic identity onto the card was developed as a peace-time process so to speak. “We did not foresee a crisis. We were not able to expand the capacity in the time we were given,” he said. “Remote updating works, while the number of people looking to update their cards is much greater than our capacity.”
Peterkop added that the situation is not that bad in Estonia. He gave the example of Slovakia, where all cardholders must go to service bureaus to have their cards updated.
The current situation is not cause for concern for all ID-card holders. People whose document has been issued before October 16, 2014 or who only use the card as a physical identification and travel document do not have to update. The suspension of certificates also does not concern people who have already updated their cards or received a new one.