Patch for Estonian ID card security risk available in November
Under the leadership of the Information System Authority (RIA), software has been developed with which ID cards, residence permits and digi-IDs can be patched beginning in November.
Margus Arm, head of the eID field and work group at RIA, said that the application is currently being tested, and test cards have also been distributed to banks so that they can ensure it is compatible with various e-services.
"The new software will allow people to renew their ID cards' security certificates without leaving home, and if all goes according to plan, the certificate renewal process will begin in November of this year," he said.
ID card security certificates can be renewed remotely from one's home or work computer during a two-month window that will last through the end of December. Cardholders must download the latest version of the ID card software and then follow the on-screen instructions.
From January through the end of March next year, ID card security certificates can only be renewed in person at Police and Border Guard Board (PPA) service points. As of April 2018, all unrenewed security certificates for at-risk ID cards will be voided.
According to PPA Identity and Status Bureau chief Margit Ratnik, preparations are already underway to extend PPA offices' evening and weekend hours beginning in November as well as open additional service points during this period.
"Remotely renewing [the certificates] yourself according to the instructions will be the most convenient, but we are prepared with additional personnel to help and advise in person at our offices," she said.
Unpatched ID cards' use to be restricted
Those who do not have the SIM card-based Mobile-ID and regularly rely on their ID card to log into e-services must be quick about getting their certificates renewed this fall.
"At the beginning of November, when the remote renewal process is launched, we will restrict the use of unpatched ID cards," Arm warned. "This means that an ID card cannot be used digitally until its certificates have been updated."
The PPA official recommended that active users of e-services sign up for Mobile-ID as early as October to ensure uninterrupted access to e-services until their ID cards' certificates are renewed. "Considering the amount of cards that need to be renewed and technical restrictions, the load of renewals may be very big during the first few days," he added.
Those who do not use their ID card electronically do not necessarily have to worry about renewing their certificates, as all ID cards will remain valid as photo ID through the expiration date marked on the card. Those whose valid ID cards were issued before October 2014 are also unaffected by the security risk.
RIA director general Taimar Peterkop said that the Estonian ID card and its digital solutions remain secure, but efforts must be made to ensure its continued security.
"As of today there are no reported incidents of digital identity theft," Peterkop said. "But we will not wait for such a case, but rather do everything we can to eliminate the risk as soon as possible."
RIA will announce the launch of the affected ID cards' security certificate renewal and the relevant specific instructions before the patch is launched, at the end of October or beginning of November at the latest.
750,000 ID cards affected
On Aug. 30, an international group of researchers informed the RIA that they had discovered a security risk affecting all ID cards issued in Estonia beginning in Oct. 2014, including ID cards issued to Estonian e-residents. Nearly 750,000 ID cards are affected by the issue.
ID cards issued prior to Oct. 16, 2014 used a different kind of chip and are not affected by the current risk. The security risk likewise does not affect Mobile-ID users.
Editor: Aili Vahtla