Paper: ID card producers won't explain delay in informing of security flaw
Estonian authorities have confirmed that it was Czech researchers, not the producers of the chip or the Police and Border Guard Board's (PPA) contractual partner, that contacted them directly regarding a detected security flaw affecting hundreds of thousands of Estonian ID cards.
Daily Eesti Päevaleht (EPL) contacted ID card producer Gemalto and chip producer Infineon directly to ask when they were first informed of the security flaw and when they, in turn, informed the Estonian state about it. While the paper did not receive clear responses, it was evident that the two companies and the state understand the situation differently.
Infineon, which produces the chips used in the Estonian ID cards, was informed of the security flaw by the Czech researchers in February, after which Infineon began investigating whether the mathematical method highlighted by the researchers could really be used to crack ID cards using their chips. Infineon claimed that it then informed its customers both of the flaw in question and its solution.
According to an Infineon representative, it was not their but rather ID card producer Gemalto's responsibility to inform Estonia about the security flaw.
Eric Billiaert, corporate communications manager for the public sector at Gemalto, essentially left the Estonian paper's question unanswered. "We are only just analyzing with our Estonian partners how the information spread about the chips with the security flaw produced by Infineon," Billiaert said.
The situation is complicated, the paper wrote: Gemalto implied that it, too, was not informed of the flaw in February but only later; according to the paper's information, however, Gemalto has told Estonia's Information System Authority (RIA) that it informed Estonia of the security flaw well before August.
Gemalto's Estonian contractual partner is the PPA.
"We are currently working to resolve legal issues connected to this matter, and so we cannot currently comment more specifically on the movement of this information," said attorney Merit Lind, representing the PPA.
The RIA has somewhat more freedom to comment on the matter, as they are not contractually connected to Gemalto. "We were informed of the security flaw by the Czech researchers directly at the end of August," confirmed RIA spokesperson Helen Uldrich.
The research published by the Czech researchers in early November revealed not only the security flaw affecting ID card chips, but also the fact that the researchers claimed to have informed the producer of the chips of the security flaw as early as February.
Technology giants such as Google and Microsoft were able to begin patching the flaw right away, whereas Estonian authorities were only informed of the flaw in late August.
Certificates suspended in early November
On Thursday, Nov. 2, the Estonian government decided at a Cabinet meeting to suspend the certificates of Estonian ID cards vulnerable to a detected security risk, which numbered approximately 800,000 in total, at midnight the next night.
Prime Minister Jüri Ratas explained at a government press conference that evening that the Czech researchers who had initially discovered the security risk affecting all ID cards issued in Estonia beginning Oct. 16, 2014, including national IDs and the ID cards issued to Estonian e-residents, had published their research in full that week, which increased the risk of the vulnerable ID cards being exploited to a critical level.
ID cards issued prior to Oct. 16, 2014 used a different kind of chip and are not affected by the current risk; also unaffected are ID cards issued beginning at the end of last month.
Editor: Aili Vahtla