The government of Estonia is investigating a potential security vulnerability affecting the country’s ID cards and digital IDs. Estonia’s public key database has been closed, to minimise the risk of misuse of digital identities.
Theoretically, it is possible to use the new ID card for personal identification and digital signing without having a physical ID card and its associated PIN codes, Estonia’s police force writes.
The police statement continues:
“On 30 August, an international team of researchers informed the Estonian Information System Authority (RIA) of a vulnerability potentially affecting digital use of Estonian ID cards issued since October 2014.”
The potential flaw affects a total of almost 750,000 ID cards issued since October 2014. ID cards issued before October 16, 2014, use a different chip and are not affected. Mobile IDs are also not impacted, the police say.
Don’t panic
Estonia’s authorities emphasise that there is no reason to panic.
“This security risk is still theoretical and no-one’s digital identity has been misused,” wrote Kaspar Korjus on 5 September. Korjus is the Managing Director at e-Residency, Estonia’s programme offering government-issued digital ID to anyone in the world. “E-residents can continue to access their digital IDs through their digital ID cards. Should the situation change, card holders will be notified immediately.”
According to press reports, the flaw could impact the security of electronic elections.
More information:
Cryptographic Algorithms Lifecycle report for RIA (PDF)
Police statement (in Estonian)
News item by Geenius (in Estonian)
News item by Postimees (in Estonian)