Cyber-lollygagging cost the state millions

It is likely that the Police and Border Guard Board (PPA) will have to swallow its words and write off a large part of its €20-million claim against ID-card manufacturer Gemalto in the coming weeks.

«Hi, P. I met R. today, and he told me you have a very interesting new topic. Could we meet, and are you willing to give me more information? Best wishes, S.» This is part of a high-ranking state official’s letter to an entrepreneur who had been manufacturing ID-cards for Estonia for over ten years.

These few sentences marked the beginning of the state's acknowledgement of the greatest crisis the Estonian e-state has seen. A crisis in which the state had to race against the clock to make sure the description of a security vulnerability in the Estonian ID-card, discovered by Czech researchers, would not reach the public and criminals.

Treacherous date

The letter also marks a very serious problem for Estonian officials and could become the decisive element in a dispute between the PPA and ID-card manufacturer Gemalto. The letter is dated June 15, 2017. That was two months before the PPA notified the public of the vulnerability and admitted that 800,000 cards would need to be replaced before a security patch could be finished.

The person named R. in the letter is a police officer who had a routine meeting with Gemalto that morning. University of Tartu researcher Arnis Parshovs had already managed to forge the signature of an Estonian ID-card holder in May, and that matter was firmly on the agenda; now Czech scientists had discovered an even more disturbing risk: the digital signatures of a large number of ID-cards issued in Estonia could be forged given enough computing power.

ID-card chip manufacturer Infineon had told Gemalto of the Czech discovery over Skype a day before. It was discussed during a meeting, and a phone call lasting five minutes and 18 seconds between Gemalto representative Andres Lehmann and head of the State Information System’s Authority (RIA) ID Department Margus Arm took place on the evening of June 15.

The situation became even more critical four days later, on June 19: RIA and the technical supervision authority received letters from independent sources stating that Austria had, on June 9, shut down all ID-cards with a configuration similar to that of Estonian cards because of a security risk concerning digital signatures.

Postimees has access to all of these letters. There can be no doubt that Estonia should have acted immediately; our entire society is based on the security of e-identity. Parshovs' successful forgery of a digital signature had been kept under wraps – Postimees made it public in early December – but any incident beyond that would upend our entire digital state.

Infineon had already informed Gemalto that Czech researchers plan to publish their findings in fall.

The corporation and the small digital country decided to keep quiet and do nothing. No software updates, no preparations for replacing faulty cards, no contact with the Czechs. There was not enough concrete information – that is what the parties say in hindsight, while it is also believed vital information was simply missed, either out of incompetence or knowingly.

The exact reasons for the summer's lollygagging will likely never leave the PPA's meeting rooms. Still, Estonia's first EU Council presidency was just two weeks away, and the impregnability of the walls of the digital state was among its main topics.

Valuable delay

It was likely a strategic decision aimed at protecting the state’s reputation, while Gemalto could have been pondering the hit its bottom line would take should it prove necessary to replace the cards.

Very likely it was this that led to the conscious silence that ended up costing Estonia, and its reputation, a great deal: at least €4 million in direct expenses plus at least as much in working hours spent replacing cards.

The silence only ended in August when Masaryk University researcher Petr Svenda got to talking with his former work partner, RIA employee Martin Paljak with whom he had a good relationship.

The Czech couldn't help but wonder why Estonia still hadn't done something about its ID-cards. Let's review: chip manufacturer Infineon had been notified of the discovery on February 1. Infineon informed Gemalto on June 14, which in turn notified the Estonian authorities a day later. Austria had shut down its cards on June 9 and informed Estonia of the decision through various channels.

«We contacted CERT (a unit of RIA – ed.) on August 30, but we did not know whether they already had a plan or were in fact aware of the situation. We were not sure whether it was necessary to contact them. However, I knew Martin Paljak from a code development project we worked on together and some beers we had shared some years prior,» Svenda later said.

Out of court

It was Paljak who suggested the scientists send CERT more specific data on their discovery, which is what they did on August 30. What followed was the ID-card crisis, and its most peculiar aspect is that the state chose placing the blame on its partner Gemalto as its PR strategy – as if there had been no communication regarding the vulnerability in June. A claim of €20 million was immediately filed against the company. Very little remains of that original claim today.

Information available to Postimees suggests the PPA and Gemalto have reached an agreement for a compromise to be signed in September that will end all three major disputes. It will see Gemalto withdraw its suit against the PPA’s ID-card procurement for the coming period, the PPA withdraw its claim over another minor ID-card fault and finally Gemalto agree to compensate Estonia for half of the direct expenses of the ID-card crisis – around €1.5 million.

The only thing the sides still do not agree on is how on Earth the PPA managed to spend €1.5 million on officials' overtime during the period of replacing faulty ID-cards. The police did not have to procure software solutions, so the money could only have been spent on staff. Did PPA employees take taxis to work and order lunch from top restaurants?

The sides make no secret of the fact they are tired of the dispute. Gemalto wants to leave with its dignity and without issuing public comments to continue its multi-billion-euro business everywhere except tiny Estonia. It will likely agree to pay the PPA a million euros to that end.

The police seem to agree. «We have been looking for a solution for over a year now, and it is time to move on,» said Kaija Kirch, senior expert at the PPA’s identity and statuses bureau. She said that a decision is expected in the near future.

«We will decide in September whether it is possible to reach an agreement with Gemalto regarding compensation for damages or whether we will file a claim. This concerns the 750,000 ID-cards with the security vulnerability and cards the secure key of which was generated outside the cards,» Kirch said.

That is to say the PPA is looking for a compromise and will not be demanding the return of half of the €40-million contract as was the agency’s initial plan.

The reason is very likely that the PPA cannot prove Gemalto is to blame for the vulnerability discovered by Czech scientists. As we now know, all involved parties had relevant information in June.

Scientists from the Czech Republic discovered that a security fault in Infineon chips makes it possible to use the public key of an ID-card certificate to calculate the private key and steal the user's identity. While this would take 6,442,450,944,000,000 vCPU years for a normal 2,048-bit key, for keys generated on Infineon chips it would take 140 vCPU years or less, given powerful render farms.
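The flaw described above is the one the researchers published as ROCA (Nemec et al., 2017). It leaves a structural trace in every affected public key: for each small prime p, the modulus reduced modulo p always lies in the subgroup generated by 65537 modulo p. That trace lets a defender find affected certificates without factoring anything. The following check is an added example written for this page, not code from Postimees, the researchers, Gemalto or RIA; the function names, the synthetic test vector and the constant 167 as the upper prime bound are this example's own choices, based on the published fingerprint.

```python
# Added example, not from the article: a pure-Python detector for the public
# ROCA fingerprint on RSA moduli. It inspects only the public modulus and can
# be used to find certificates whose keys need replacing.

GENERATOR = 65537  # the generator used by the affected key-generation routine


def small_primes(limit: int) -> list[int]:
    """Odd primes up to and including `limit`, found with a simple sieve."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i :: i] = bytearray(len(sieve[i * i :: i]))
    return [p for p in range(3, limit + 1) if sieve[p]]


# The primes 3..167 divide the primorial used for every affected key size, so
# every affected modulus satisfies the subgroup condition for each of them.
FINGERPRINT_PRIMES = small_primes(167)


def subgroup_generated_by(g: int, p: int) -> set[int]:
    """Return {g^k mod p : k >= 0}, the cyclic subgroup of (Z/pZ)* generated by g."""
    residues: set[int] = set()
    x = 1
    while x not in residues:
        residues.add(x)
        x = (x * g) % p
    return residues


SUBGROUPS = {p: subgroup_generated_by(GENERATOR % p, p) for p in FINGERPRINT_PRIMES}


def has_roca_fingerprint(modulus: int) -> bool:
    """True when modulus mod p is a power of 65537 mod p for every fingerprint prime.

    Every affected key passes; a modulus produced by an unaffected generator
    passes only with negligible probability, so a hit means "replace this key".
    """
    return all(modulus % p in SUBGROUPS[p] for p in FINGERPRINT_PRIMES)


# Product of the fingerprint primes; the same role the primorial plays in the
# affected generator (the factor 2 is omitted, it only forces oddness).
M = 1
for _p in FINGERPRINT_PRIMES:
    M *= _p


def synthetic_roca_modulus(a: int, b: int, k1: int, k2: int) -> int:
    """Constructed test vector (not a real key): two factors of the affected shape
    k*M + 65537^a mod M. The factors are not checked for primality; the value only
    reproduces the residue structure that the fingerprint detects."""
    p1 = k1 * M + pow(GENERATOR, a, M)
    p2 = k2 * M + pow(GENERATOR, b, M)
    return p1 * p2


if __name__ == "__main__":
    weak = synthetic_roca_modulus(12345, 6789, 2**900 + 1, 2**900 + 3)
    normal = 2**2047 + 1  # arbitrary odd number standing in for an unaffected modulus
    print("synthetic affected modulus flagged:", has_roca_fingerprint(weak))
    print("unrelated modulus flagged:        ", has_roca_fingerprint(normal))
```

To scan a real certificate, take the hex modulus printed by `openssl x509 -noout -modulus -in cert.pem`, convert it with `int(hex_string, 16)` and pass it to `has_roca_fingerprint`. The check is cheap enough to run across an entire certificate inventory, and because it only consumes public data it can be run on CA-published certificates as well as on your own.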