Emergency number unreachable for hours

Emergency center.

PHOTO: Mihkel Maripuu

The State Information System’s Authority (RIA) revealed yesterday how the most serious communications incident in terms of impact on ordinary people happened right at the beginning of last year when a number of clients of cell phone operator Elisa could not reach the emergency number 112 on January 24.

A total of 151 people tried to make around 600 calls but failed to contact the alarm center for eight and a half hours. Luckily, the incident did not bring with it serious consequences.

Security flaw discovered

RIA also confessed to a security flaw with the eesti.ee portal from last summer. Officials received the first signal of an authentication fault on June 29. Their attention was drawn to the vulnerability by experts of another agency who had managed to prove that a bank link could be used to access the portal in someone else’s name.

The vulnerability lied in that the portal failed to verify whether a token provided by the bank was used to sign the authorization request and whether it matched the technical description of the link.

The fault made it possible to enter the portal under someone else’s name if the hacker could reproduce authorization from a bank by using the technical description of the bank link and send it to the portal for verification.

“Once we realized the seriousness of this matter, we immediately removed the option of logging in using a bank link and set about patching the hole in the system that took us four days,” RIA reports in its newly published cybersecurity yearbook. The agency said the vulnerability was caused by the outdated platform of eesti.ee and was not connected to any bank of service.

“We later determined the fault was likely created in October of 2015 through changes to the portal’s core software and adoption of new bank links. The fault was caused by carelessness of the developer and RIA in verifying the work,” the agency concedes.

RIA went over the log files for portal logins since the changes but could find nothing to indicate the vulnerability was taken advantage of. “Nobody’s data was made available, and we could not find any attempts to log in under someone else’s identity. We restored the possibility of accessing the state portal using a bank link on July 4, after several days of intense work and verification of the system by outside experts,” RIA writes.

The agency added that exploiting the vulnerability would have required serious skill and technical know-how.

Real damages

RIA communicated that it registered 3,390 cyber incidents that affected data or information systems last year. Financial scams that started with so-called executive schemes and hijacked email conversations did the most damage, taking small and medium businesses for at least €600.000 in 2018.

Other noteworthy incidents included cyberattacks against family medicine centers and leaked health data of soldiers and schoolchildren from state document management systems.