Gemalto, the manufacturer of the electronic ID cards used in Estonia, did not inform Estonia about the detected potential security flaw affecting the ID cards earlier this summer, Prime Minister Jüri Ratas (Center) confirmed on Thursday.
Speaking at Thursday's government press conference, Ratas said that the claim of a Gemalto representative that he had informed Estonia's Police and Border Guard Board (PPA) and the Information System Authority (RIA) about the security risk on June 15 was incorrect.
According to the prime minister, the government has been notified of several potential security risks over the years, but not of the security risk which resulted in the suspension of the security certificates of hundreds of thousands of Estonian ID cards this fall.
"No such notification was given to the Estonian state, either on June 15 or any earlier date," he said, adding that information regarding the flaw reached Estonia at the beginning of September, after which the public was informed.
Ratas added that the contract concluded between the Estonian government and Gemalto stipulates that notifications such as this must be delivered in writing as a digitally signed document, and that no such notification has been received by the Estonian state.
Andreas Lehmann, director of Gemalto representative Trüb Baltic AS, wrote on LinkedIn recently that he had informed the PPA and RIA of the vulnerability affecting the ID cards on June 15:
In the European North, midsummer heralds the long summer holiday break that lasts till the end of August. In autumn Estonia had to elect its municipal councils; this included e-elections in early October. It is disturbing to learn shortly before midsummer about a vulnerability on the eID chip; a warning that the RSA crypto library on the SLE78 chip from Infineon can generate keys weaker than expected. Letting this warning emerge in June certainly would have spoiled summer vacations. I can fully understand why the authorities gave in to the seduction and kept quiet.
RIA spokesperson Helen Uldrich told Postimees that the RIA had received information regarding the security risk affecting the Infineon chips used in the cards directly from the researchers who discovered the flaw, late on the evening of Aug. 30. "The information was received on the general email account of the RIA's Computer Emergency Response Team (CERT-EE)," she specified.
Certificates suspended in early November
On Thursday, Nov. 2, the Estonian government decided at a Cabinet meeting to suspend the certificates of Estonian ID cards vulnerable to a detected security risk, which numbered approximately 800,000 in total, at midnight the next night.
Prime Minister Jüri Ratas explained at a government press conference that evening that the Czech researchers who had initially discovered the security risk affecting all ID cards issued in Estonia beginning Oct. 16, 2014, including national IDs and the ID cards issued to Estonian e-residents, had published their research in full that week, which increased the risk of the vulnerable ID cards being exploited to a critical level.
ID cards issued prior to Oct. 16, 2014 used a different kind of chip and are not affected by the current risk; also unaffected are ID cards issued beginning at the end of last month.
According to the RIA, more than 272,000 people had updated their certificates by late Monday evening.
Editor: Aili Vahtla