Estonian Information System Authority advises not to rush with update of ID-card

  • 2017-10-27
  • LETA/TBT Staff

TALLINN – Even though the likelihood that the security flaw found in the chip of the Estonian electronic ID-cards issued since October 2014 will be exploited has increased, the Estonian Information System Authority has advised residents using the card in their everyday work not to rush with updating the software on their card.

"Now we know that a similar security risk can be found in a very broad range of products, not just ID-cards as we knew to date, but also in the security base software used in present-day computers," Taimar Peterkop, director general of the Information System Authority, said at a press conference on Thursday.

He said the security risk affects a number of global companies, including Microsoft and Google.

Peterkop said that since the possibility to update the software on the ID-card became available on Wednesday, more than 2,500 people have used this possibility. He said that people should not rush to make the update, as many parties have yet to update their information systems, while the systems which have not been updated cannot be accessed with a card with the updated software.

"It is not enough that the Information System Authority, the Police and Border Guard Board, SK ID Solutions and Gemalto have their solutions out, all others too must update their information systems," Peterkop said.

Most of the banks active in Estonia have completed these updates. "In the medical sector we have asked not to rush as long as not everyone is ready with these updates," Peterkop said.

He said that at present, the remote update can be made by 1,000 people at most at any given time and by 15,000 people a day. It will take approximately a month until an update of the ID-card encryption software becomes available.

"This is not a usual IT development, it is a process of preventing a security risk with a significant impact that is under way here, therefore we must do things faster," Peterkop said.

Peterkop said that people who wish to update their ID-card certificate should be prepared to wait and try again if they cannot access the system at the first attempt.

"It's very important for us that vital services function," said the director general of the Police and Border Guard Board, Elmar Vaher. "Hundreds of thousands of cards need to be updated, there may be glitches, we must be ready for situations where technology fails us," he said.

Vaher said that the Police and Border Guard Board is ready for big numbers of people queuing up at its offices to get the update done there. He said they are ready to extend opening hours and keep the offices open also at weekend if necessary.

Cards with the security risk number 800,000, of which 500,000 are in active use as a digital ID. There are 45,000 cards that are in very intensive use, according to the national police chief.

The recommendation of the police for residents using the electronic ID-card is to also set up a Mobile ID.

It is expected that systems will be ready to support ID-cards with the new software next week.

For reasons of security, Estonia will restrict the electronic use of the electronic ID-cards as of the second week of November. The certificates associated with the cards affected by the security risk will be revoked on April 1 next year, which means that holders of such cars will have to apply for a new card

On Sept. 5, Prime Minister Juri Ratas announced at a press conference that a security risk has been found in the ID-cards and recommended that people start using Mobile ID instead. The potential security risk affects ID cards issued since October 2014, including cards issued to e-residents, which number approximately 750,000. At the same time experts said that the risk is only theoretical and cracking the code of all faulty cards would cost approximately 60 billion euros.

According to available information the security risk has never materialized. Estonia has closed the public key database of the electronic ID-cards, as the security flaw cannot be exploited for cracking the encryption on the chip of a card without knowing the public key.