Although the security flaw found in the chip used in Estonian ID cards issued since October 2014 has become more likely to be exploited, Estonia's Information System Authority (RIA) has advised residents who use the card in their everyday work not to rush to update their card's software.
"Now we know that a similar security risk can be found in a very broad range of products, not just ID cards as we knew to date, but also in the security base software used in present-day computers," RIA Director General Taimar Peterkop said at a press conference on Thursday.
He said the security risk affects a number of global companies, including Microsoft and Google.
According to Peterkop, since the patch for updating ID card software became available on Wednesday, more than 2,500 people have utilized the update. He said that people should not rush to make the update, however, as many parties have yet to update their own information systems, and systems which have not been updated cannot be accessed with a card using the updated software.
"It is not enough that the RIA, the Police and Border Guard Board (PPA), SK ID Solutions and Gemalto have their solutions out," Peterkop stressed. "All others must update their information systems as well."
Most banks operating in Estonia have completed these updates. "In the medical sector, we have advised not to rush as long as not everyone is ready with these updates," he added.
According to the RIA director, the remote update can be made by a maximum of 1,000 people at any given time and 15,000 people per day. It will take approximately one month until an update of the ID card encryption software becomes available.
He said that anyone who wishes to update their ID card certificate should be prepared to wait and try again if they cannot access the system on their first attempt.
"This is not a typical IT development; it is a process for preventing a security risk with a significant impact that is underway here," said Peterkop. "Therefore we must do things faster."
PPA director: Hundreds of thousands of cards need updating
"It's very important for us that vital services function," said PPA Director General Elmar Vaher. "Hundreds of thousands of cards need to be updated. There may be glitches; we must be ready for situations where technology fails us."
According to Vaher, the PPA is prepared for large numbers of people lining up at its offices to do the update in person. He said they are prepared to extend PPA office hours of operation, including on weekends if necessary.
A total of 800,000 cards are vulnerable to the detected security risk, 500,000 of which are in active use as digital IDs. According to the police chief, 45,000 cards are in very intensive use.
Police have urged residents who actively use their ID cards as electronic ID to also sign up for the SIM card-based Mobile ID, which is unaffected by the security risk.
It is expected that systems will be ready to support ID cards with the new software by next week.
Security risk has yet to materialize
For security reasons, Estonia will restrict the electronic use of the electronic ID cards beginning the second week of November. The certificates associated with the cards affected by the security risk will be revoked on April 1 next year, which means that holders of affected cards must apply for a new card if they have not updated their current cards in the meantime.
On Aug. 30, an international group of researchers informed the RIA that they had discovered a security risk affecting all ID cards issued in Estonia beginning in Oct. 2014, including ID cards issued to Estonian e-residents.
ID cards issued prior to Oct. 16, 2014 used a different kind of chip and are not affected by the current risk. The security risk likewise does not affect Mobile-ID users.
According to available information, the security risk has yet to materialize. Nonetheless, Estonia has closed the public key database of the electronic ID cards, as the security flaw cannot be exploited to crack the encryption on a card's chip without knowing the public key.
Editor: Aili Vahtla
Source: BNS, ERR