Andreas Lehmann, director of Trüb Baltic AS, which represents ID card producer Gemalto, has claimed that he informed Estonian state authorities of the security flaw affecting hundreds of thousands of Estonian ID cards in June already. According to the director of the Information System Authority (RIA), however, he is lying.
The RIA has asserted that it first received information regarding the security flaw affecting the chips used in ID cards issued since October 2014 from a group of international researchers late on the night of Aug. 30.
Lehmann wrote on LinkedIn, however, that he informed the Police and Border Guard Board (PPA) and the RIA of the vulnerability on June 15.
In the European North, the midsummer heralds the long summer holiday break that lasts till end of August. In autumn Estonia had to elect its municipal councils, it included e-elections in early October. It is disturbing to learn short before midsummer about a vulnerability on the eID chip; a warning that the RSA crypto library on the SLE78 chip from Infineon can generate keys weaker as expected. Letting this warning emerge in June certainly would have spoiled summer vacations. I can fully understand why the authorities gave in the seduction and kept quiet.
RIA Director General Taimar Peterkop told ERR's online news portal that Lehmann is lying.
"This is a lie," Peterkop told the portal. "We have not received anything either verbally or in writing. Considering how quickly we reacted on Aug. 30, once we found out about [the flaw], we would have reacted exactly the same way if we had been notified of this on June 15. Lehmann's claim as though we preferred to just go on vacation and for this reason neglected the matter is absurd. We would have certainly been quick to take action to prevent potential security risks."
Editor: Aili Vahtla