Hackers could have made digital clones

If the ID-card security risk Prime Minister Jüri Ratas turned into news yesterday would materialize, it would allow hackers willing to spend the money to create digital clones of Estonian residents.

The information security incidents department (CERT) of the State Information System’s Authority (RIA) received a letter Wednesday last that started a few hundred leading Estonian IT experts for a week and robbed more than one ministry executive of rest - postimees.ee.

A group of international scientists from a European country described a series of four to five moves that could theoretically allow criminals to clone the identity of an Estonian ID-card-holder.

The scientists were not looking at the Estonian ID-card or even its technology, but rather at one of the chips manufactured by Swiss company Gemalto AG. While the chip in question has several applications, the lion’s share lie at the heart of Estonian ID-cards. The device is used in 750,000 ID-cards issued since October 16, 2014. That is when Estonia switched to a new ID-card chip based on latest technology that was faster and presumably safer. Both France and Germany issued security certificates for the new chip.

Let it be said right away that scientists have not managed to brake ID-card encryption but have only proved it to be possible in theory. The group did not hand CERT the entire equation; however, attached materials were sufficient to motivate local security experts to run simulations and contact the team of scientists.

It turned out that the vulnerability concerns a single element of the chip’s inalterable factory software. The weakness manifests when the chip communicates with software built around it for Estonia – whether for reading certificates, their verification, or digital signing.

To understand the complex problem, one needs to know that the digital identity of cardholders is made up of certificates that are in turn made up of public and private keys. It is probable scientists have now demonstrated that it is possible, using relatively modest computational capacity, to deduce the private key from its public counterpart in the digital certificate, which points to a fault in the way the pair of keys is generated by the chip.

No cause for concern for ordinary citizens

Manufacturer of the chips, Gemalto AG, told RIA that the scientists’ assessment of the base software vulnerability is correct. “If someone could clone a digital ID, they could theoretically use the ID-card for identification and digital signing without being in possession of the physical card or PIN numbers,” said technology adviser at RIA Mark Erlich.

Attempts to do so would mean hacking individual ID-cards that requires a lot of work. This means it is impossible to compromise all Estonian ID-cards at once. “Knowledge of the public key is not enough to hack the card – it would require great computational capacity to generate the private key and custom software with which to give digital signatures,” Erlich explained. Estonian ID-card software is not suitable as it requires the presence of the physical card in the card reader. A hacker without the card would have to overcome that obstacle as well.

To be able to sign something under someone else’s identity, hackers would have to break two keys – the one used for signing and the one for authentication.

The Police and Border Guard Board (PPA) closed the public keys database to manage risks yesterday. The database was used for sending encrypted files only the owner of the key could access.

An ordinary Estonian ID-card-holder has relatively little cause for concern. RIA is constantly receiving tips and signals of potential risks. Each one is analyzed, evaluated in terms of severity and feasibility, and primarily how much it would cost hackers to break a single card. “Tampering with ID-cards is extremely complicated and expensive; we do not know of a single case of it having been done,” Erlich said. “Cryptography is a game of probability. Every code can be broken in the future; however, the question is whether anyone is interested in dishing out a million euros to access a pensioner’s bank account or vote for the Reform Party under the assumed identity of the social minister at elections.”

ID-cards with the vulnerability number 750,000, and it is estimated that it would cost €60 billion to hack them all. This means that it would cost €80,000 to hack a single card. It is probable the group of scientists discovered a way to hack the card more cheaply than previously. “We evaluate the level of acceptable risk similarly to how private companies treat credit card security. We ask: what is the theoretical extent of the breach,” said head of the eID department at RIA Margus Arm.

He added that while the price of sheer computational capacity is falling, cryptographic analysis of how to go about the problem remains expensive. “It is so unique that we do not perceive any realistic threat. The danger remains mathematical,” he said.

Analysts told Postimees yesterday that hacking a person’s ID-card just to steal their identity would not pay. Realistic use of the vulnerability would have to be a coordinated attack on Estonia’s reputation.

Solution to be crafted

The fault in the chip’s software cannot be remedied. It can, however, be bypassed. “We are currently working on software that would bypass the problem and in which case the vulnerability does not materialize,” Arm said.

The new application for managing and generating keys should be completed inside the next two months. Cardholders will then have to update their cards with the software and generate new certificates. It will not be necessary to replace ID-cards.

Margus Arm said that Gemalto has not notified the state of intent to manufacture newer chips with better software. That is why Estonia will have to create new ID-card applications to overcome the problem. “Sleep has been scarce since Thursday,” Arm said. “We spent the weekend working, and we’ll continue until we get it done. The estimate by which everything should be fine again is two months.”

Prime Minister Jüri Ratas said all Estonian digital signatures will remain valid everywhere in the EU, and that even officials with access to state secrets have not been instructed to avoid using their ID-cards. Finding the solution will not want in terms of funding; all necessary resources will be provided.

Read more news of Tallinn on our site.

Hackers digitalclones
If you notice an error, highlight the text you want and press Ctrl + Enter to report it to the editor
I recommend
No recommendations yet


Post your comment to communicate and discuss this article.

Chairman of the Estonian Chamber of Commerce and Industry and one of the owners of construction group Nordecon, Toomas Luman, finds that a prime ministerial candidate should first and foremost be able to answer the question of what will become of the demographic crisis in Estonia. The businessman sees controlled introduction of foreign labor as the solution. A digital construction cluster was created in Estonia a few years back to bring innovation to the s...
Last year saw 27,125 registered offenses, up 0.5 percent from the year before. Violent crime was up by 12 percent to 8,249 offenses. PHOTO: Dominic Lipinski / PA Wire / Press Association Images / Scanpix Growth was biggest for domestic violence – the police launched criminal proceedings in 3,607 cases that constitutes an increase of more than one-third – annual growth of 37 percent from 2,632 cases in 2017. At the same time, reports of domestic violence we...
TALLINN - Ahead of the withdrawal of the United Kingdom from the European Union, tens of thousands of British citizens have chosen the citizenship of some other country, but only one Brit has recently chosen an Estonian citizenship. Spokespeople for the Ministry of the Interior told BNS that only one British citizen submitted an application for Estonian citizenship last year and the applicant was also granted the citizenship. Before that, no Brits had soug...
TALLINN - Experts from Finland, Denmark, Norway and the Netherlands highlighted the importance of decentralization and granting local governments greater decision-making powers at a conference titled "Strong local government -- strong state?" in Tallinn on Wednesday.  All Nordic countries have chosen a model granting local governments significant decision-making powers, thus the central government does not prescribe how local governments are to fulfill the...
The language learning application Drops by game developer Planb Labs, established in Estonia by Hungarian founders, was named Google Play's best app of 2018. With the number of downloads surpassing 10 million, Drops was named Google's app of the year as the revenue of Planb Labs, a company registered in Estonia, increased fivefold, CNBC said. The developer's revenue grew from €335,000 in 2017 to €1.7 million in 2018. The company's shareholders include Hung...
TALLINN - The Estonian Health Board has banned the distribution of chlorine dioxide, also marketed as the Miracle Mineral Supplement (MMS), the A-component of an unused product, meaning the sodium chlorite solution, must be taken to a hazardous waste collection facility. Ester Opik, head of the Health Board's North regional department, said that the banning of the distribution of the product was caused by the fact that MMS, distributed as a cosmetics produ...
Nature cannot abide a vacancy, as the saying goes. If just one year ago, Estonia was battling the sale of MMS and the practice of giving it to children, a new “miracle cure” called Advanced TRS has appeared on the market now. Even though the make-up of the substance is different, the promise to cure autism and cleanse the body of heavy metals, which kind of extreme detox is accompanied by severe side-effects, sounds all too familiar. TRS is recommended to...
Allied NATO battalions will soon mark two years serving in the Baltics. They have worked better than expected but would need prepositioned heavy weaponry and a functional contingency plan in case of a crisis, a report by the International Center for Defense and Security (ICDS) finds. “We do not know how Russia would have acted had we not welcomed allies in Estonia, Latvia, Lithuania and Poland in 2017. I’m afraid they would have tested our resolve,” one of...
The time of filing income tax returns is nearly upon us. The new income tax system, in effect since last year, will obligate many women who went on maternity leave toward the end of the year to make additional income tax payments, while those who give birth in the middle or at the beginning of the year have no such obligation. What this means is that some women will owe the state simply for giving birth “at the wrong time”. Laura Roop, who went on maternit...