Skip to content ↓ | Skip to navigation ↓

Estonia said it intends to block the security certificates for 800,000 electronic ID cards because a flaw renders them vulnerable to malware.

On 31 October 2017, the Baltic state announced it would move against the security certificates of 800,000 ID cards at midnight the following day. The decision comes at least in part from the Information Systems Authority (RIA), which learned from researchers back on 30 August that all state-issued ID cards issued since October 2014 suffer from a vulnerability. Cards issued prior to October 2014 use a different chip and are therefore not affected.

Estonian Prime Minister Juri Ratas feels the move is necessary if the state is to protect more than half of its population against identity theft. As quoted by Yahoo! News:

“The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card. By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card. As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real.”

At this time, no details are available on the security flaw. Analysts at the RIA have discovered malware that’s capable of exploiting the weakness, reports Eesti Rahvusringhääling (ERR). Even so, government officials had not received any reports of identity theft connected to the ID cards by the evening of 2 November.

An example of a 2017-updated Estonia electronic ID card. (Source: Gemalto)

Estonian officials are asking that those with vulnerable ID cards update their security certificates remotely or by visiting a police and border guard service point. Approximately 35,000 had done so by the morning of 2 November. However, ERR found that that 18,000 citizens had received emails from the government indicating they could not update their security certificates remotely due to “technical issues.” They will need to visit a guard point to protect their cards.

Ratas is sorry for the inconvenience these and other issues have caused:

“I apologize before all of our citizens and people who have not been able to update their ID card certificates online yet due to the heavy load on the system. And I thank those who have patiently waited in Police and Border Guard Board (PPA) service points and understood that this is an exceptional situation.”

Since 2001, Estonia has used Swiss company Trub AG and its successor Gemalto AG to manufacture the electronic ID cards, which grant citizens access to an e-government portal. Trub Baltic AS has been working with the Estonian government since September on fixing the vulnerability identified by the researchers.