Fake eSignatures

Estonia, Spain and Slovakia tackle smartcard vulnerabilities

21/11/2017

Authorities in Estonia, Spain and Slovakia are trying to solve a security flaw in their eID smart cards. Last month, a flaw was found in a cryptographic software library that could possibly allow computer criminals to bypass the cards’ security. The software library is used by various types and brands of eID cards.

Update (4 January 2018): This article was updated following information supplied by Gemalto, a vendor of eID card solutions. See also the company's comments below.

Estonia is encouraging its citizens, including e-Residents, to update their smart cards and computer software. The country has opened temporary service centres in shopping malls and hospitals to make it easy for citizens to update their smartcard certificates, and has revoked all the compromised certificates. In addition, Estonia wants the involved eID solution vendor, Gemalto,  to reimburse some of the costs.

The use of the same flawed crypto software library also caused headaches for authorities in Slovakia and Spain.

In October, the government of Slovakia suspended the use of affected certificates as a preliminary to replacing them. In a statement, the Ministry of the Interior explained it could not immediately revoke the certificates, as this would block mandatory electronic communication between companies and government services. In some cases this could results in reports not being filed on time, possibly causing fines or sanctions.

In Spain, the police in early November announced that it would soon suspend and then replace affected certificates. In a statement, the police explained that affected smart cards remain valid as ID cards and travel documents.

More information:

ePractice news item
Spectator news item
Ars Technica news item

A sample eID card issued by Spain that is affected by the security flaw
A sample eID card issued by Spain that is affected by the security flaw 


IT Pro news item

Comments

Wed, 03/01/2018 - 10:43

This information is misleading and false as Gemalto is NOT the ID card provider in Slovakia and Spain.
Estonia is not using ID Prime either and this card by the way is not produced in the Netherlands.

However, the 3 countries mentionned have been impacted for the same reason.

So what is this reason?

A potential security vulnerability affecting the Infineon software cryptographic library also known as ROCA (CVE-2017-15361) has been discovered. More info here https://www.gemalto.com/csirt/security-updates

This potential vulnerability is impacting electronic certificates generated by Estonian eID cards issued after 16 October 2014 or before 26 October 2017. It implies as a precaution consequence that security certificates need to be renewed for all these cards.

Gemalto has worked to support the Estonian Government to provide a remote card update which suppresses completely this risk.

On 2 November 2017, the Estonian Government decided to temporarily suspend certificates potentially impacted by the security vulnerability as of 4 November 2017. That means card cannot be used electronically to log in to online services or sign documents, if the remote update has not been yet implemented.

The solution put in place is a software update, a very common practice for a vast majority of the Estonian population.
The certificates can be renewed:
1)Remotely from home or work computer
2) At the service points of the Police and Border Guard Board.

The ID document does not need to be changed. Of course, both updated and non-updated ID-cards are valid as identification documents until respective expiry dates.

Facts
1) The theoretical risk no longer exists as of 4 November (as the card certificates have been suspended by the Estonian Government)
2) No ID certificate has been reported broken
3) The heavy card-users (around 50,000) have seen their card upgraded as a priority

Eric Biliaert
Communication Director, Government Business Unit at Gemalto

The content of this field is kept private and will not be shown publicly.