Estonia Disables Digital ID Cards After Security Scare

Estonia has disabled electronic ID cards used by hundreds of thousands of people after a security issue was discovered in them earlier this year.

The digital ID cards, introduced in 2014, allow people to access government services and are also linked to some private services including some bank accounts.

But the Estonian government disclosed in September that researchers had discovered a flaw in the firmware in the chip embedded in the card. The affected chips are used in ID cards around the world and are found in cards issued in Estonia from 16 October 2014 to 25 October 2017.

Researchers discovered that the encryption used by the cards’ digital certificates could be easily cracked, potentially allowing identity theft.

Stronger encryption

Late last month the country’s government advised users to update the electronic certificates used by the card. The new certificates use a stronger form of cryptographic certificate.

Then, over the weekend, the Estonian government said it would disable cards that didn’t have updated signatures. The move affects about 760,000 people, the BBC estimated.

“As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real,” said Estonian prime minister Jüri Ratas on Friday. “By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card.”

The move took effect from midnight on Friday.

In addition to Estonian citizens and residents, the ID card issues also affect e-residents, under a programme Estonia launched in 2014 that allows individuals from anywhere in the world to obtain an electronic ID in the country in order to access services and start businesses there.

Update problems

The cards can be updated online using a utility on the user’s computer, but the government acknowledged users have been unable to carry out the update due to excessive demand.

Theresa Bubbear, Britain’s ambassador to Estonia, said last week she had spent two days unsuccessfully trying to update her card.

“eEstonia losing its shine?” she wrote on Twitter.

“We understand that the certificates update process is still not as smooth as it should be, but authorities are working hard to improve this for those that want to update straight away,” said Kaspar Korjus, managing director of the e-residency programme, in a blog post.

Over the weekend the government restricted the certificate update system in order to prioritise those who use their digital ID cards to provide vital services, such as medical professionals in the country, and the most frequent users.

The update system was reopened to all users on Monday.

All certificates must be updated by March of next year, after which individuals will be required to apply for a new card.

Do you know all about security in 2017? Try our quiz!