Estonian Information System Authority advises to update ID-cards with security risk

  • 2017-10-31
  • LETA/TBT Staff

TALLINN – The Estonian Information System Authority (RIA) is advising all owners of ID-cards that have a security risk to update the software on their cards remotely as most e-services already support the updated ID-card.

All ID-cards issued after October 16, 2014 and used electronically must be updated. It is possible to check by document number on the website of the Police and Border Guard Board whether one's ID-card is among those with a security risk and needs to be updated. Those people, who do not issue digital signatures with their card or do not use e-services by inserting their PIN1 and PIN2, do not have to update their cards, RIA said.

All cards will work as identity documents and loyalty cards until their date of expiry. It is also not necessary to update one's ID-cards for using digital prescriptions as a patient.

Taimar Peterkop, director general of RIA that the remote update solution has been created while racing against time and it is not ideal. "The technical capacity of the remote update application is limited and approximately 1,000 people can simultaneously update their cards. There are definitely delays caused by overload and times when it is not immediately possible to carry out a remote update and people must try again later," Peterkop said. Approximately 15,000 people can update their cards during one day.

A compute and card reader are necessary for an ID-card update. In order to update the card, the compute must have the latest ID-card software and people must follow the instruction on the screen. Anyone who does not have the opportunity of updating their ID-card online or experiences errors can do so at the service offices of the Police and Border Guard Board.

The security risk affects approximately 800,000 ID-cards, including digital IDs and e-residency and living permit cards. The security risk does not affect Mobile ID or ID-cards issued before October 2014.

ID-cards that have a security risk can be updated from personal computers as well as at the service offices of the Police and Border Guard Board until March 31, 2018. Certificates that have not been updated will be canceled as of April 1 for security reasons. Documents that have canceled certificates cannot be updated and a new card must be applied for for electronic use.

Altogether 20,000 people have updated their documents so far.

On September 5, Prime Minister Juri Ratas announced at a press conference that a security risk has been found in the ID-cards and recommended that people start using Mobile ID instead. The potential security risk affects ID-cards issued since October 2014, including cards issued to e-residents, which number approximately 750,000. At the same time experts said that the risk is only theoretical and cracking the code of all faulty cards would cost approximately 60 billion euros.

According to available information the security risk has never materialized. Estonia has closed the public key database of the electronic ID-cards, as the security flaw cannot be exploited for cracking the encryption on the chip of a card without knowing the public key.