Cyber-lollygagging cost the state millions

It is likely that the Police and Border Guard Board (PPA) will have to swallow its words and write off a large part of its €20-million claim against ID-card manufacturer Gemalto in the coming weeks.

«Hi, P. I met R. today, and he told me you have a very interesting new topic. Could we meet, and are you willing to give me more information? Best wishes, S.» This is part of a high-ranking state official’s letter to an entrepreneur who had been manufacturing ID-cards for Estonia for over ten years.

These few sentences were the start of acknowledging the greatest crisis the Estonian e-state has seen. A crisis in which the state had to race against the clock to make sure the description of a security vulnerability in the Estonian ID-card discovered by Czech researchers would not reach the public and criminals.

Treacherous date

The letter also marks a very serious problem for Estonian officials and could become the decisive element in a dispute between the PPA and ID-card manufacturer Gemalto. The letter is dated June 15, 2017. That was two months before the PPA notified the public of the vulnerability and admitted that 800,000 cards would need to be replaced before a security patch could be finished.

The person named R. in the letter is a police officer who had a routine meeting with Gemalto that morning. University of Tartu researcher Arnis Parshovs had already managed to forge the signature of an Estonian ID-card holder in May, and that matter was firmly on the agenda; now Czech scientists had discovered an even more disturbing risk: the digital signatures of a great many ID-cards issued in Estonia could be forged given enough computing power.

ID-card chip manufacturer Infineon had told Gemalto of the Czech discovery over Skype a day before. It was discussed during a meeting, and a phone call lasting five minutes and 18 seconds between Gemalto representative Andres Lehmann and head of the State Information System’s Authority (RIA) ID Department Margus Arm took place on the evening of June 15.

The situation became even more critical four days later, on June 19: RIA and the technical supervision authority received independent letters from different sources, according to which Austria had, on June 9, shut down all ID-cards with a configuration similar to that of the Estonian cards because of a security risk concerning digital signatures.

Postimees has access to all of these letters. There can be no doubt that Estonia should have acted immediately; our entire society is based on the security of e-identity. Parshovs’ successful forgery of a digital signature had been kept under wraps – Postimees made it public in early December – but any incident beyond that would upend our entire digital state.

Infineon had already informed Gemalto that Czech researchers plan to publish their findings in fall.

The corporation and the small digital country decided to keep quiet and do nothing. No software updates, no preparations for replacing faulty cards, no contact with the Czechs. There was not enough concrete information – that is what the parties say in hindsight, while it is also believed vital information was simply missed, either out of incompetence or knowingly.

The exact reasons for the summer’s lollygagging will likely never leave the PPA’s meeting rooms. Still, Estonia’s first EU Council presidency was just two weeks away, and the impregnability of the walls of the digital state was among its main topics.

Valuable delay

It was likely a strategic decision aimed at protecting the state’s reputation, while Gemalto could have been pondering the hit its bottom line would take should it prove necessary to replace the cards.

It is very likely that this is what led to the conscious silence that ended up costing Estonia and its reputation a great deal: at least €4 million in direct expenses plus at least as much in work hours spent replacing cards.

The silence only ended in August when Masaryk University researcher Petr Svenda got to talking with his former work partner, RIA employee Martin Paljak with whom he had a good relationship.

The Czech couldn’t help but wonder why Estonia still hadn’t done something about its ID-cards. Let’s review: chip manufacturer Infineon had been notified of the discovery on February 1. Infineon informed Gemalto on June 14, which in turn notified the Estonian authorities a day later. Austria had shut down its cards on June 9 and informed Estonia of the decision through various channels.

«We contacted CERT (a unit of RIA – ed.) on August 30, but we did not know whether they already had a plan or were in fact aware of the situation. We were not sure whether it was necessary to contact them. However, I knew Martin Paljak from a code development project we worked on together and some beers we had shared some years prior,» Svenda later said.

Out of court

It was Paljak who suggested the scientists send CERT more specific data on their discovery, which is what they did on August 30. What followed was the ID-card crisis, and its most peculiar aspect is that the state chose placing the blame on its partner Gemalto as its PR strategy – as if there had been no communication regarding the vulnerability in June. A claim of €20 million was immediately filed against the company. Very little remains of that original claim today.

Information available to Postimees suggests the PPA and Gemalto have reached an agreement for a compromise to be signed in September that will end all three major disputes. It will see Gemalto withdraw its suit against the PPA’s ID-card procurement for the coming period, the PPA withdraw its claim over another minor ID-card fault and finally Gemalto agree to compensate Estonia for half of the direct expenses of the ID-card crisis – around €1.5 million.

The only thing the sides still do not agree on is how on Earth the PPA managed to spend €1.5 million on officials’ overtime during the period of replacing faulty ID-cards. The police did not have to procure software solutions, and the money could only have been spent on operatives. Did PPA employees take taxis to work and order lunch from top restaurants?

The sides make no secret of the fact they are tired of the dispute. Gemalto wants to leave with its dignity and without issuing public comments to continue its multi-billion-euro business everywhere except tiny Estonia. It will likely agree to pay the PPA a million euros to that end.

The police seem to agree. «We have been looking for a solution for over a year now, and it is time to move on,» said Kaija Kirch, senior expert at the PPA’s identity and statuses bureau. She said that a decision is expected in the near future.

«We will decide in September whether it is possible to reach an agreement with Gemalto regarding compensation for damages or whether we will file a claim. This concerns the 750,000 ID-cards with the security vulnerability and cards the secure key of which was generated outside the cards,» Kirch said.

That is to say the PPA is looking for a compromise and will not be demanding the return of half of the €40-million contract as was the agency’s initial plan.

The reason is very likely that the PPA cannot prove Gemalto is to blame for the vulnerability discovered by Czech scientists. As we now know, all involved parties had relevant information in June.

Scientists from the Czech Republic discovered that a security fault in Infineon chips makes it possible to use the public key of an ID-card certificate to calculate the private key and steal the user’s identity. While this would take 6,442,450,944,000,000 vCPU years for a properly generated 2,048-bit key, it would take only 140 vCPU years or less on powerful render farms for keys generated by the Infineon chips.
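As an added example (not code from the article, the researchers, or any of the parties named), the following Python implements the public fingerprint test for keys produced by the flawed Infineon generator, which is how a defender scans a certificate store for affected keys without touching any private material. It assumes the key structure the researchers published: the modulus is N = k·M + (65537^a mod M), with M the product of the first small primes, so N mod p is a power of 65537 for every such prime p; the sample moduli below are constructed, not real ID-card keys.

```python
from math import prod

# Assumption (from the researchers' published analysis, not from the article):
# affected keys have modulus N = k*M + (65537**a mod M), where M is the product
# of the first small primes. Hence N mod p is a power of 65537 modulo p for
# every prime p dividing M. Primes 3..167 cover the smallest affected key size.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the public exponent the flawed generator builds keys from


def multiplicative_order(g: int, p: int) -> int:
    """Smallest d > 0 with g**d == 1 (mod p); p prime and not dividing g."""
    x, d = g % p, 1
    while x != 1:
        x = x * g % p
        d += 1
    return d


# order of 65537 in Z_p^* for each small prime, computed once
ORDERS = {p: multiplicative_order(GENERATOR, p) for p in SMALL_PRIMES}


def residue_is_power_of_generator(n: int, p: int) -> bool:
    """True iff n mod p lies in the subgroup <65537> of Z_p^* (0 never does)."""
    return pow(n % p, ORDERS[p], p) == 1


def has_infineon_fingerprint(n: int) -> bool:
    """Flag an RSA modulus whose residues all match the flawed-generator pattern.

    A properly random modulus fails for at least one prime with overwhelming
    probability, so a hit is a strong signal that the key needs replacing.
    The test reads only the public modulus and reveals nothing about the key.
    """
    return all(residue_is_power_of_generator(n, p) for p in SMALL_PRIMES)


def constructed_fingerprinted_modulus(a: int, k: int) -> int:
    """Build a constructed modulus with the affected structure (testing only)."""
    m = prod(SMALL_PRIMES)
    return k * m + pow(GENERATOR, a, m)


if __name__ == "__main__":
    sample_affected = constructed_fingerprinted_modulus(a=12345, k=987654321)
    sample_random = 2**64 + 13  # constructed; 7 mod 11 is not a power of -1
    print("affected:", has_infineon_fingerprint(sample_affected))  # True
    print("random:  ", has_infineon_fingerprint(sample_random))    # False
```

To scan real certificates, feed the modulus integer from each public key into has_infineon_fingerprint; any hit should be treated as a key to revoke and reissue.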