Estonia replacing 12,500 unsecure ID-cards for free

Please note that the article is more than five years old and belongs to our archive. We do not update the content of the archives, so it may be necessary to consult newer sources.
Photo: Erik Prozes

The Estonian Police and Border Guard Board is about to cancel from June 1 the security certificates of approximately 12,500 electronic ID-cards in which a security flaw has been discovered, and will replace the cards free of charge.

The cards will be replaced for free provided that more than three months is left until their expiry date.

The cards with the security flaw are ID-cards issued between 2011 and Oct. 16, 2014, and residence permit cards issued between 2011 and Dec. 17, 2014, which were updated between July 2012 and July 2017. The number of such cards issued is 74 000, but only about 12,500 of them are valid at this point.

«We will notify all holders of the ID-cards not compliant with security requirements via the portal and provide information about the replacement of the ID-cards personally,» Kaija Kirch, document expert at the Estonian Police and Border Guard Board, said on Thursday.

An ID-card whose security certificate has become invalid can no longer be used electronically and holders of such cards must either apply for a new ID-card or use their mobile-ID.

The Estonian Police and Border Guard Board has filed a claim against the manufacturer of the ID-card for violation of security requirements. The manufacturer has denied any breach.

«For the Police and Border Guard Board it is important to be confident that the private keys of the holders of ID-cards can be nowhere else than inside the chip of the card. When a contractual partner has violated this requirement, we must declare the cards' certificates invalid,» Kirch said.

According to the Police and Border Guard Board, the manufacturer of the ID-cards did not observe all security requirements and generated the private keys for some ID-cards outside the chip. Generating keys outside the chip gives the party generating the keys the possibility to use the ID-card without physically possessing the card and without knowing the PIN code.

The certificates of the aforementioned cards will be canceled to prevent that risk.

«We do not know of any cases of misuse. All the transactions concluded and the signatures given with such cards to date are legitimate, including e-voting,» said Margus Arm, head of the domain of e-ID at the Estonian Information System Authority.

Cooperation with researchers at the University of Tartu and an analysis by experts of the company AS Cybernetica completed last week led Estonia to the detection of the breach of security requirements. «The detection of the breach clearly demonstrates how important is cooperation with researchers and experts, with whose help we can make the digital world safer,» Arm said.