The Estonian government is suspending the use of the Baltic country’s identity smartcards in response to a recently discovered and wide-ranging security flaw.
Residents will still be able to use the smartphone equivalent of the technology, which is used to access government services and online banking. Use of eResidents cards will be suspended from midnight tonight until holders re-up their certificates. The move will affect holders of more than 750,000 ID cards who have not yet been able to update their certificates, according to local reports.
e-Residency managing director Kaspar Korjus apologised for any hassle caused by the suspension in a blog post on Medium.
“There are still no known incidents of an Estonian digital ID card being misused, but the threat has been elevated so previous certificates containing the vulnerability will be suspended tonight at 24:00 on Friday 3 November,” Korjus explained. “Smart ID can provide uninterrupted access to e-services such as banking, but must be activated now while certificates are active.”
Gareth Niblett, a security consultant who holds Estonian residency, told El Reg: “Risk assessment determined likelihood of cracking higher, so forcing certificate updates out of abundance of caution. Estonian Mobile-ID & Smart-ID remain secure & usable. eID & Digi-ID/eResidents cards need to update their certificates to continue using.”
Estonia is a pioneer in providing government services online to its population of around 1.35 million. Acceptance of and trust in the technology is widespread, so the need to update cards will likely be regarded as an inconvenience rather than something that might undermine longer-term confidence.
Issues with ID cards in Estonia are the result of a wide-ranging cryptographic vulnerability. RSA keys produced by smartcards, security tokens, laptops, and other devices using cryptography chips made by Infineon Technologies are weak and crackable – and therefore need to be regenerated with stronger algorithms. The security weakness stems from faulty crypto libraries bundled with Infineon TPMs – AKA trusted platform modules. Research on the security weakness came out last month after it had been disclosed to relevant vendors and after a series of updates had already been pushed out. ®