Estonia has frozen its popular e-residency ID cards because of a massive security flaw

Estonian prime minister Jüri Ratas. Source: Reuters

Estonian citizens and overseas “e-residents” rely on digital ID cards for services like banking and online voting. Security researchers revealed the possibility of identity theft due to a security bug in September. Estonia has frozen the cards until their owners update to a new security certificate. A prominent security expert said ID cards pose a national security risk.

Estonia has frozen the digital ID cards for its popular e-residency programme, two months after discovering a major security flaw that could enable identity theft.

The ID cards are used by Estonian citizens and foreign “e-residents” and underpin services like banking, online voting, tax, medical records, and travel. The e-residency programme is also popular with British entrepreneurs who want to set up their company within the EU, particularly after the Brexit vote. According to Wired, more than 1,000 UK entrepreneurs have applied for the programme so far.

Estonia has suspended any ID card issued between 16 October 2014 and 25 November 2017, until its owners have updated to a new security certificate. There’s just one problem: everyone’s trying to update their cards at once, and overseas e-residents have had error messages when trying to update.

Estonia said it had initially prioritised security updates for residents who rely on the cards for banking and other everyday services, but that all e-residents could now access the bug fix. They have until the end of March 2018 to do so.

Kaspar Korjus, managing director for the e-resident programme, wrote:

“We are aware that many citizens, residents and e-residents have been receiving error messages due to the high volume of people updating at the same time.

As a result, the ability to update certificates was temporarily restricted last weekend in order to prioritise people who use their digital ID cards to provide vital services, such as medical professionals inside Estonia, as well as the most frequent users, which will include e-residents that will be notified by email.”

Estonian prime minister Jüri Ratas said there were no known instances of ID theft as a result of the bug.

The Estonian government revealed the original flaw in September, but gave no details. At the time, it said the flaw affected 750,000 ID cards and it closed its public key database as a precautionary measure.

In his more recent blogpost on the bug, Korjus said the issue related to the chip used in the ID card.

He wrote: “[The] danger of the security threat becoming real was increased by the fact that it was not a flaw of the Estonian ID card alone, but also included cards and computer systems around the world that use the chips by the same producer. This brought the safety flaw to the attention of international cybercrime networks which had significant means to take advantage of the situation.”

When Estonia first publicised the problem in September, prominent security writer and expert Bruce Schneier suggested national ID card systems – previously controversial in the UK – could be a national security risk.

“This is exactly the sort of thing I worry about as ID systems become more prevalent and more centralized,” he wrote at the time. “Anyone want to place bets on whether a foreign country is going to try to hack the next Estonian election?”