Communication between Estonian ID-card manufacturer Gemalto and the state will no longer be coordinated by Andreas Lehmann from December. Lehmann attracted a lot of attention last week when he claimed he had informed the Estonian authorities of the ID-card security vulnerability much earlier.
A press representative of the Police and Border Guard Board (PPA) told ERR that Gemalto has notified the agency in writing that it will have a new contact person from December 2.
Gemalto’s recent representative, Andreas Lehmann, executive manager of the Estonian subsidiary TRÜB Baltics AB, took to the media on November 22, claiming he had informed Estonian state agencies of the ID-card security risk on June 15, much earlier than the agencies have claimed.
Authorities resolutely refuted Lehmann’s claims and said it was information received from Czech researchers late on August 30 that caused them to contact Gemalto.
PPA Director Elmar Vaher said in an interview with the Geenius news portal that Lehmann did not lie to the public, and that technical matters pertaining to the ID-card were discussed in June, but added that they were not connected to the vulnerability in question.
Asked whether these technical matters overlapped with the discovery by the Czech researchers, Vaher said: “No, definitely not.”
However, the director answered “absolutely” when asked whether a potential security risk was discussed in June.
Vaher could not say whether the June meeting took place in person or was conducted over Skype, nor whether it was recorded.
Information available to Postimees suggests Gemalto learned of the vulnerability from chip manufacturer Infineon on May 24.
Learning of risks in time is important as it gives participants time to address the problem before the likelihood of the risk manifesting reaches a critical level and problematic cards have to be closed.
The State Information System’s Authority (RIA) received only vague hints from Gemalto’s representative in June, and the meetings were not recorded, according to explanations given by RIA’s eID department chief Margus Arm and the PPA.
RIA Director General Taimar Peterkop said last week that RIA received no information from Lehmann concerning ID-card security risks – neither verbally nor in writing.
Estonia decided to close 760,000 problematic ID-cards in early November before most of them could be updated. Online updates took time as interaction between information systems progressed slowly. ID-card certificates were closed following a proposal by the PPA.
Software to address potential vulnerabilities was paid for by the Estonian government, not by card manufacturer Gemalto. Postimees’ information suggests Estonia has filed a €20 million claim against the company.
Representatives of the government have consistently referred to the incident as a “realistic theoretical security vulnerability” – a phrase that is impossible to interpret in any uniform way.