She confirmed the faulty card had never been used electronically. Next, RIA checked the keys of all existing ID-cards but failed to find any more anomalies.
“We informed card manufacturer Gemalto and our certification service provider of the anomaly and took measures to make sure no other such cards could be made,” Uldrich said.
RIA maintains that the vulnerability was not a systematic error but concerned a few faulty cards. The PPA closed the faulty cards in early June and issued people new cards under warranty.
“Individual faulty cards have been manufactured before and have always been closed and replaced under warranty in case of problems,” said Uldrich. She added that scientists have not managed to break a single non-faulty Estonian ID-card.
Authorities claim that the vulnerability discovered in May had nothing to do with the Infineon chip security risk discovered by Czech scientists. RIA did not receive the first tips concerning the latter until June.
Nevertheless, the Tartu scientist’s discovery was not communicated in detail to other agencies, including the electoral committee. The latter was forced to decide as recently as late September whether to allow e-voting after the extensive vulnerability discovered by the Czechs. The committee was not aware of the Tartu discovery at the time.
“The electoral committee proceeded based on information that the state recognized the ID-card as a valid national document and no card had been hacked. The committee did not have knowledge of the 15 cards you mentioned,” the electoral service’s press representative Kirsti Kirsberg said.
Prime Minister Jüri Ratas, Director of RIA Taimar Peterkop, and Director General of the PPA Elmar Vaher have all been saying since September that no one has managed to hack Estonia’s digital signature. Now, work done by Paršovs suggests otherwise.
Soon after the Tartu scientist’s discovery, RIA received information from colleagues in Austria according to which the country had to shut down all ID-cards issued before June 9 because of a security vulnerability.
“Austria voided all certificates of a qualified trust service provider issued before June 9, 2017 and informed the public and all concerned parties,” a letter sent to Estonia reads.
RIA looked at the tip but initially decided it does not concern the Estonian ID-card. Even terms like “asymmetric crypto library”, “Card OS” and “RSA algorithm” didn’t send alarm bells ringing.
The agency later admitted the incident in Austria was caused by the same problem Czech scientists notified Estonian authorities of in the final days of August.
The Estonian ID-card is manufactured by Gemalto. Two weeks ago, its representative Andres Lehmann claimed in social media that he had notified Estonia of the chip vulnerability in June. Agencies have refuted Lehmann’s claims and said the information was very vague – they learned of the vulnerability from Czech researchers in late August after which they started working feverishly on a solution.
Estonia decided to shut down 760,000 ID-cards with faulty chips in early November, before most users had had the chance to update their card software. Online updates were pushed out slowly as state information systems were unable to interoperate quickly enough. The decision to cut ID-cards off from e-services earlier than planned was based on a proposal by RIA and PPA.
Software to address the vulnerability was paid for by Estonia, not manufacturer Gemalto. Information available to Postimees suggests the state has filed a damage claim of nearly €20 million against the company.