nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Kurat võtku! Estonia identifies security risk in almost 750,000 ID cards

That's over half the population

By Kat Hall, 5 Sep 2017

The Estonian government has discovered a security risk in its ID card system, potentially affecting almost 750,000 residents.

"When notified, Estonian authorities immediately took precautionary measures, including closing the public key database, in order to minimise the risk while the situation can be fully assessed and a solution developed," according to an email by Kaspar Korjus, managing director of e-Residency, to users.

The government said the security risk is still theoretical and is not aware that anyone's digital identity has been misused. The use of an ID card is still safe for online authentication and digital signing.

ID cards issued before October 16, 2014, use an alternate chip and are not affected, nor are mobile-IDs.

In a statement Taimar Peterkop, director general of the Estonian Information System Authority, said: "According to the current assessment of Estonian experts, there is a security risk and we will continue to verify the scientists' claims."

Gareth Niblett, a security consultant holding Estonian residency, said this is not the first time there have been issues with the e-ID card.

"Last year a number of cards and certificates had to be reissued due to how Google Chrome did certificate validation checks and also a migration to SHA-2. This makes me confident that they will manage to deal with this issue too."

Estonia has often been positioned as a poster boy for digital government, with all residents interacting with the state online via the country's ID card system.

In late 2014 Estonia became the first country to offer electronic residency to people from outside the country, a step that the Estonian government terms as "moving towards the idea of a country without borders".

Estonia's state apparatus is relatively new, having restored its independence as a sovereign nation in 1991 following the Soviet occupation. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing