Estonian authorities were forced to close some ID-cards already in May and June after a University of Tartu research fellow came across a security vulnerability so severe that it allowed him to crack one of the cards and use it to fake a digital signature, a correspondence at Postimees’ disposal suggests.
Issue and security of digital IDs is the responsibility of the State Information System’s Authority (RIA) and the Police and Border Guard Board (PPA) in Estonia. So far, the two agencies have only mentioned the incident in passing. A piece of a correspondence from an unknown sender to an unknown recipient in Postimees’ possession made it possible to delve somewhat deeper into the discovery.
RIA does not deny what the letter suggests happened. Yes, a research fellow at the University of Tartu discovered a security fault with 15 ID-cards. Yes, it was possible to exploit the vulnerability to fake digital signatures. Yes, the PPA closed the cards in summer. All of those “yeses” came as news to the national electoral committee that only recently had to decide whether to cancel Estonia’s e-voting because of another vulnerability discovered by Czech scientists.
The discovery was made and proved by doctoral student and lecturer at the University of Tartu Arnis Paršovs in spring. He has thoroughly acquainted himself with the state’s IT system over the years, and both RIA and the PPA pursue cooperation with Paršovs.
Somehow, Paršovs had managed to access an unknown number of public keys of ID-card certificates. RIA Press Representative Helen Uldrich said it was not the entire database. Paršovs has not disclosed how many of the more than one million keys he tested.
It is probable the research fellow came up with an algorithm that allowed him to find 15 faulty cards from among those one million plus digital documents.
Between December 30, 2014 and June 20, 2016, Paršovs discovered 15 cards the security of the encryption keys of which was completely subpar.
Digital signature faked
The security of the public key of one ID-card, that belonged to a woman born in 1979, was so weak (1 bit instead of the usual 2,000) that its certificate made it possible to hack the user’s digital signature and use it. The card was issued in February of 2015.
RIA’s official position is that Paršovs had discovered a rare and minor security problem. However, because Paršovs research paper is not finished yet, RIA is reluctant to comment further.
“Paršovs came across an anomaly in the document generation process that caused 15 cards to be generated subpar security keys when analyzing the ID-card public keys’ database. The scientist used one faulty card to show the generation error could be used to copy digital signatures in a research paper he will publish next spring,” Uldrich said.
She confirmed the faulty card had never been used electronically. Next, RIA checked the keys of all existing ID-cards but failed to find any more anomalies.
“We informed card manufacturer Gemalto and our certification service provider of the anomaly and took measures to make sure no other such cards could be made,” Uldrich said.
RIA maintains that the vulnerability was not a systematic error but concerned a few faulty cards. The PPA closed the faulty cards in early June and issued people new cards under warranty.
“Individual faulty cards have been manufactured before and have always been closed and replaced under warranty in case of problems,” said Uldrich. She added that scientists have not managed to break a single non-faulty Estonian ID-card.
Authorities claim that the vulnerability discovered in May had nothing to do with the Infineon chip security risk discovered by Czech scientists. RIA did not receive the first tips concerning the latter until June.
Nevertheless, the Tartu scientist’s discovery was not communicated in detail to other agencies, including the electoral committee. The latter was forced to decide as recently as late September whether to allow e-voting after the extensive vulnerability discovered by the Czechs. The committee was not aware of the Tartu discovery at the time.
“The electoral committee proceeded based on information that the state recognized the ID-card as a valid national document and no card had been hacked. The committee did not have knowledge of the 15 cards you mentioned,” the electoral service’s press representative Kirsti Kirsberg said.
Prime Minister Jüri Ratas, Director of RIA Taimar Peterkop, and Director General of the PPA Elmar Vaher have all been saying since September that no one has managed to hack Estonia’s digital signature. Now, work done by Paršovs suggests otherwise.
Soon after the Tartu scientist’s discovery, RIA received information from colleagues in Austria according to which the country had to shut down all ID-cards issued before June 9 because of a security vulnerability.
“Austria voided all certificates of a qualified trust service provider issued before June 9, 2017 and informed the public and all concerned parties,” a letter sent to Estonia reads.
RIA looked at the tip but initially decided it does not concern the Estonian ID-card. Even terms like “asymmetric crypto library”, “Card OS” and “RSA algorithm” didn’t send alarm bells ringing.
The agency later admitted the incident in Austria was caused by the same problem Czech scientists notified Estonian authorities of in the final days of August.
The Estonian ID-card is manufactured by Gemalto. Two weeks ago, its representative Andres Lehmann claimed in social media that he had notified Estonia of the chip vulnerability in June. Agencies have refuted Lehmann’s claims and said the information was very vague – they learned of the vulnerability from Czech researchers in late August after which they started working feverishly on a solution.
Estonia decided to shut down 760,000 ID-cards with faulty chips in early November, before most users had had the chance to update their card software. Online updates were pushed out slowly as state information systems were unable to interoperate quickly enough. The decision to cut ID-cards off from e-services earlier than planned was based on a proposal by RIA and PPA.
Software to address the vulnerability was paid for by Estonia, not manufacturer Gemalto. Information available to Postimees suggests the state has filed a damage claim of nearly €20 million against the company.