Estonia Disables Digital ID Cards After Security Scare

Estonia has disabled electronic ID cards used by hundreds of thousands of people after a security issue was discovered in them earlier this year.

The digital ID cards, introduced in 2014, allow people to access government services and are also linked to some private services including some bank accounts.

But the Estonian government disclosed in September that researchers had discovered a flaw in the firmware in the chip embedded in the card. The affected chips are used in ID cards around the world and are found in cards issued in Estonia from 16 October 2014 to 25 October 2017.

Researchers discovered that the encryption used by the cards’ digital certificates could be easily cracked, potentially allowing identity theft.

Stronger encryption

Late last month the country’s government advised users to update the electronic certificates used by the card. The new certificates use a stronger form of cryptography.

Then, over the weekend, the Estonian government said it would disable cards that didn’t have updated signatures. The move affects about 760,000 people, the BBC estimated.

“As far as we currently know, there have been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real,” said Estonian prime minister Jüri Ratas on Friday. “By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card.”

The move took effect from midnight on Friday.

In addition to Estonian citizens and residents, the ID card issues also affect e-residents, who hold cards under a programme Estonia launched in 2014 that allows individuals from anywhere in the world to obtain an electronic ID in the country in order to access services and start businesses there.

Update problems

The cards can be updated online using a utility on the user’s computer, but the government acknowledged users have been unable to carry out the update due to excessive demand.

Theresa Bubbear, Britain’s ambassador to Estonia, said last week she had spent two days unsuccessfully trying to update her card.

“eEstonia losing its shine?” she wrote on Twitter.

“We understand that the certificates update process is still not as smooth as it should be, but authorities are working hard to improve this for those that want to update straight away,” said Kaspar Korjus, managing director of the e-residency programme, in a blog post.

Over the weekend the government restricted the certificate update system in order to prioritise those who use their digital ID cards to provide vital services, such as medical professionals in the country, and the most frequent users.

The update system was reopened to all users on Monday.

All certificates must be updated by March of next year, after which individuals will be required to apply for a new card.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
