It is likely that the Police and Border Guard Board (PPA) will have to swallow its words and write off a large part of its €20-million claim against ID-card manufacturer Gemalto in the coming weeks.
Cyber-lollygagging cost the state millions
«Hi, P. I met R. today, and he told me you have a very interesting new topic. Could we meet, and are you willing to give me more information? Best wishes, S.» This is part of a high-ranking state official’s letter to an entrepreneur who had been manufacturing ID-cards for Estonia for over ten years.
These few sentences mark the beginning of the state’s acknowledgement of the greatest crisis the Estonian e-state has seen. A crisis in which the state had to race against the clock to make sure that the description of a security vulnerability in the Estonian ID-card, discovered by Czech researchers, would not reach the public and criminals.
The letter also marks a very serious problem for Estonian officials and could become the decisive element in a dispute between the PPA and ID-card manufacturer Gemalto. The letter is dated June 15, 2017. That was two months before the PPA notified the public of the vulnerability and admitted that 800,000 cards would need to be replaced before a security patch could be finished.
The person named R. in the letter is a police officer who had a routine meeting with Gemalto that morning. University of Tartu researcher Arnis Parshovs had already managed to falsify the signature of an Estonian ID-card-holder in May, and that matter was firmly on the agenda; now Czech scientists had discovered an even more disturbing risk: the digital signatures of a large number of ID-cards issued in Estonia could be falsified given enough computing power.
ID-card chip manufacturer Infineon had told Gemalto of the Czech discovery over Skype the day before. The matter was discussed at the meeting, and on the evening of June 15 a phone call lasting five minutes and 18 seconds took place between Gemalto representative Andres Lehmann and the head of the State Information System’s Authority (RIA) ID Department, Margus Arm.
The situation became even more critical four days later, on June 19: RIA and the technical supervision authority received independent letters from different sources, according to which Austria had, on June 9, shut down all ID-cards with a configuration similar to that of the Estonian cards because of a security risk concerning digital signatures.
Postimees has access to all of these letters. There can be no doubt that Estonia should have acted immediately; our entire society is based on the security of e-identity. Parshovs’ successful attempt at falsifying a digital signature had been successfully kept under wraps – Postimees made it public in early December – however, any incident beyond that would upend our entire digital state.
Infineon had already informed Gemalto that the Czech researchers planned to publish their findings in the fall.
The corporation and the small digital country decided to keep quiet and do nothing. No software updates, no preparations for replacing faulty cards, no contact with the Czechs. There was not enough concrete information – that is what the parties say in hindsight, while it is also believed vital information was simply missed, either out of incompetence or knowingly.
The exact reasons for the summer’s lollygagging will likely never leave the PPA’s meeting rooms. Still, Estonia’s first EU Council presidency was just two weeks away, and the impregnability of the walls of the digital state was among its main topics.
It was likely a strategic decision aimed at protecting the state’s reputation, while Gemalto could have been pondering the hit its bottom line would take should it prove necessary to replace the cards.
It is very likely this that led to the conscious silence which ended up costing Estonia, and its reputation, a great deal: at least €4 million in direct expenses, plus at least as much in workhours spent replacing cards.
The silence only ended in August, when Masaryk University researcher Petr Svenda got to talking with his former work partner, RIA employee Martin Paljak, with whom he had a good relationship.
The Czech couldn’t help but wonder why Estonia still hadn’t done something about its ID-cards. Let’s review: chip manufacturer Infineon had been notified of the discovery on February 1. Infineon informed Gemalto on June 14, which in turn notified the Estonian authorities a day later. Austria had shut down its cards on June 9 and informed Estonia of the decision through various channels.
«We contacted CERT (a unit of RIA – ed.) on August 30, but we did not know whether they already had a plan or were in fact aware of the situation. We were not sure whether it was necessary to contact them. However, I knew Martin Paljak from a code development project we worked on together and some beers we had shared some years prior,» Svenda later said.
Out of court
It was Paljak who suggested the scientists send CERT more specific data on their discovery, which is what they did on August 30. What followed was the ID-card crisis, and its most peculiar aspect is that the state chose to place the blame on its partner Gemalto as its PR strategy – as if there had been no communication regarding the vulnerability in June. A claim of €20 million was immediately filed against the company. Very little remains of that original claim today.
Information available to Postimees suggests the PPA and Gemalto have reached an agreement on a compromise, to be signed in September, that will end all three major disputes. It will see Gemalto withdraw its suit against the PPA’s ID-card procurement for the coming period, the PPA withdraw its claim over another minor ID-card fault, and finally Gemalto agree to compensate Estonia for half of the direct expenses of the ID-card crisis – around €1.5 million.
The only thing the sides still do not agree on is how on Earth the PPA managed to spend €1.5 million on officials’ overtime during the period of replacing faulty ID-cards. The police did not have to procure software solutions, so the money could only have been spent on staff. Did PPA employees take nothing but taxis to work and order lunch from top restaurants?
The sides make no secret of the fact they are tired of the dispute. Gemalto wants to leave with its dignity and without issuing public comments to continue its multi-billion-euro business everywhere except tiny Estonia. It will likely agree to pay the PPA a million euros to that end.
The police seem to agree. «We have been looking for a solution for over a year now, and it is time to move on,» said Kaija Kirch, senior expert at the PPA’s identity and statuses bureau. She said that a decision is expected in the near future.
«We will decide in September whether it is possible to reach an agreement with Gemalto regarding compensation for damages or whether we will file a claim. This concerns the 750,000 ID-cards with the security vulnerability and cards the secure key of which was generated outside the cards,» Kirch said.
That is to say, the PPA is looking for a compromise and will not be demanding the return of half of the €40-million contract, as was the agency’s initial plan.
The reason is very likely that the PPA cannot prove Gemalto is to blame for the vulnerability discovered by Czech scientists. As we now know, all involved parties had relevant information in June.
Scientists from the Czech Republic discovered that a security fault in Infineon chips makes it possible to calculate the private key from the public key in an ID-card certificate, and so to steal the user’s identity. Whereas this would take 6,442,450,944,000,000 vCPU years for a normal 2,048-bit key, for keys from the Infineon chips it would take 140 vCPU years or less, given powerful render farms.
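What a defender can check from the public key alone, as an added example (my code, not the researchers’ tool; the page does not name the attack): the Masaryk team’s finding, published as ROCA, is that the chips’ primes have the form k*M + (65537^a mod M) with M a product of small primes, so a vulnerable modulus is itself a power of 65537 modulo every one of those small primes, which is testable without any private material. The prime set, the 256-bit test primes and the constructed key shapes below are my assumptions for the demonstration; a real certificate’s modulus would go straight into has_roca_fingerprint.

```python
import random
from math import prod

# Fingerprint primes: the odd primes up to 167 (my choice for this example).
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83,
          89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
E = 65537         # the public exponent whose powers the flawed generator uses
M = prod(PRIMES)  # a weak prime has the shape k*M + (65537**a mod M)
def subgroup_of_e(p):
    """Residues mod p that are powers of 65537 (a random residue hits it with prob ord/(p-1))."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * E % p
    return seen
SUBGROUPS = {p: subgroup_of_e(p) for p in PRIMES}
def has_roca_fingerprint(n):
    """True if n mod p is a power of 65537 for every fingerprint prime p. A product of two
    weak primes always passes (it is 65537**(a+b) mod M); an ordinary modulus almost never does."""
    return all(n % p in SUBGROUPS[p] for p in PRIMES)
def is_probable_prime(n, rounds=20):
    """Miller-Rabin for odd n > 3."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True
def make_prime(bits, rng, weak):
    """Constructed test primes (assumption for the demo); 'weak' ones get the k*M + 65537**a shape."""
    while True:
        cand = (rng.getrandbits(bits - M.bit_length()) * M + pow(E, rng.randrange(M), M) if weak
                else rng.getrandbits(bits) | (1 << (bits - 1)) | 1)
        if cand % 2 and is_probable_prime(cand):
            return cand
def demo(seed=7):
    """(fingerprint of a weak-style modulus, fingerprint of an ordinary one) -> (True, False)"""
    rng = random.Random(seed)
    weak_n = make_prime(256, rng, True) * make_prime(256, rng, True)
    ordinary_n = make_prime(256, rng, False) * make_prime(256, rng, False)
    return has_roca_fingerprint(weak_n), has_roca_fingerprint(ordinary_n)
```

The test passes only on the modulus, so it can be run over a whole certificate inventory to find cards whose keys need replacing, which is what the card replacement described above amounted to.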