New ID-card fault could have been intentional

Manufacturer of Estonian ID-cards Gemalto ignored security requirements, find experts who proved the latest security fault. To avoid long queues, machines were programmed to generate ID-card encryption keys in a less secure way. The manufacturer denies wrongdoing but could be looking at a lawsuit.

The Estonian ID-card was hit by its second security scandal inside the past year when the State Information System’s Authority (RIA) and the Police and Border Guard Board (PPA) revealed that the secret encryption keys of more than 70,000 ID-cards have been generated outside the chip and transferred onto the cards.

There are some 12,500 such cards still out there today. People will be given two more weeks in which to replace the cards after which their certificates will be revoked, and the cards can no longer be used to access e-services.

RIA was told about the vulnerability in February of last year when University of Tartu researcher Arnis Paršovs shared the results of his analysis with the agency.

Paršovs came across two ID-cards sporting similar public keys. That is in conflict with the fundamentals of ID-card security policy which led to the suspicion that keys could only have been generated outside chips.

“It is a procedural mistake pure and simple,” said head of the eID department at RIA, Margus Arm. It turned out that chip manufacturer Gemalto had set up the PPA’s machines to generate keys outside chips.

A stolen key would give the perpetrator a theoretical chance to enter e-services without the victim’s ID-card or PIN numbers. No such cases have been reported.

To save time

Verifying the vulnerability took nearly 18 months as RIA did not take Paršovs at his word. Last summer saw the ID-card security crisis when a group of Czech scientists found the widely used chip suffered from the so-called ROCA weakness. When the vulnerability was addressed a few months later, RIA tasked its partner AS Cybernetica with verifying Paršovs’ claim. Cybernetica and University of Tartu researchers found that the keys of 74,581 ID-cards had been generated outside the chip.

Cybernetica CDO Arne Ansper said that Paršovs, like the Czech researchers, looked at public keys of the Estonian ID-card to find uniformity. It is possible to determine which device or program generated the public key just by looking at it.

“The most interesting thing was that some public keys matched one for one. Two cards being able to generate the exact same key cannot be explained,” Ansper said.

Next, Cybernetica analyzed public keys using statistical methods and discovered a set of similar characteristics with chips from the generation before last that had been updated at PPA service bureaus. Estonia’s contract with the manufacturer states that keys must be generated on the chip and that private encryption keys must never leave it.

“In the cases we found, the chance that keys were generated by the cards themselves was microscopic. That is why it is as good as certain that the keys have not been generated on the cards,” Ansper explained.

What happened? Ansper said it is likely Gemalto had programmed the system to generate keys outside chips during that period.

“It probably followed some sort of practical consideration, perhaps to save time. Generating the keys outside the card can probably be done relatively quickly. Having the chip do it could take quite a bit of time,” he said.

Generating the private keys on the chips can take minutes, but it can also take much longer depending on the situation. It seems that Gemalto was able to fix the bottleneck after 2014 and no more keys were generated outside chips.

This recent vulnerability is very different from the fault found by Czech scientists. The cards that sport the weakness are not in risk of being hacked. It is only possible to steal that faulty key.

New lawsuit in the air

Ansper said that it is impossible to speculate whether any weak keys have been stolen. “There might be no such keys. It would take a very thorough investigation to determine something like that. Frankly, I do not even know whether it would be possible,” he added.

Director General of RIA Taimar Peterkop said that the agency has been aware of a potential security fault from the beginning of last year, and that it has been very difficult to move forward with this knowledge.

“It has constantly been at the back of my mind; I’ve been losing sleep over it from last February,” Peterkop said. He added that there are no new ID-card security issues on the agency’s radar.

The PPA has filed a new claim for damages with Gemalto over the fault. The agency’s document expert Kaija Kirch said that the company replied yesterday that it does not recognize the violation or accept the claim. The PPA and RIA do not rule out suing Gemalto over the former and recent security faults.

“We filed a claim when we had finished our initial analysis. They replied late yesterday evening and denied everything. They have not said anything else,” Kirch said. She is not at liberty to disclose the volume of the claim.

Margus Arm said that the analysis suggests the fault lied with the process Gemalto had created. “We find that we hit the wall every time we talk to the manufacturer. They say nothing of the sort has happened,” Arm said.

The PPA has also carried out a service audit. It found that the agency had no idea the manufacturer was generating keys outside chips.

“We also have no reason to believe that affected cards have been misused or that someone has access to their private keys. While it is theoretically possible, there are no signs of any incidents at this time,” the police communicated.

Gemalto will continue to manufacture ID-card chips until the end of this year. Postimees contacted the company’s representative for comments but did not receive a reply by the time the article went to print.

Read also more news of Tallinn here.

news.postimees.ee
gemalto ID_card
If you notice an error, highlight the text you want and press Ctrl + Enter to report it to the editor
I recommend
No recommendations yet

Comments

Post your comment to communicate and discuss this article.

Politics
Chairman of the Estonian Chamber of Commerce and Industry and one of the owners of construction group Nordecon, Toomas Luman, finds that a prime ministerial candidate should first and foremost be able to answer the question of what will become of the demographic crisis in Estonia. The businessman sees controlled introduction of foreign labor as the solution. A digital construction cluster was created in Estonia a few years back to bring innovation to the s...
Society
Last year saw 27,125 registered offenses, up 0.5 percent from the year before. Violent crime was up by 12 percent to 8,249 offenses. PHOTO: Dominic Lipinski / PA Wire / Press Association Images / Scanpix Growth was biggest for domestic violence – the police launched criminal proceedings in 3,607 cases that constitutes an increase of more than one-third – annual growth of 37 percent from 2,632 cases in 2017. At the same time, reports of domestic violence we...
Society
TALLINN - Ahead of the withdrawal of the United Kingdom from the European Union, tens of thousands of British citizens have chosen the citizenship of some other country, but only one Brit has recently chosen an Estonian citizenship. Spokespeople for the Ministry of the Interior told BNS that only one British citizen submitted an application for Estonian citizenship last year and the applicant was also granted the citizenship. Before that, no Brits had soug...
Society
TALLINN - Experts from Finland, Denmark, Norway and the Netherlands highlighted the importance of decentralization and granting local governments greater decision-making powers at a conference titled "Strong local government -- strong state?" in Tallinn on Wednesday.  All Nordic countries have chosen a model granting local governments significant decision-making powers, thus the central government does not prescribe how local governments are to fulfill the...
Society
The language learning application Drops by game developer Planb Labs, established in Estonia by Hungarian founders, was named Google Play's best app of 2018. With the number of downloads surpassing 10 million, Drops was named Google's app of the year as the revenue of Planb Labs, a company registered in Estonia, increased fivefold, CNBC said. The developer's revenue grew from €335,000 in 2017 to €1.7 million in 2018. The company's shareholders include Hung...
Society
TALLINN - The Estonian Health Board has banned the distribution of chlorine dioxide, also marketed as the Miracle Mineral Supplement (MMS), the A-component of an unused product, meaning the sodium chlorite solution, must be taken to a hazardous waste collection facility. Ester Opik, head of the Health Board's North regional department, said that the banning of the distribution of the product was caused by the fact that MMS, distributed as a cosmetics produ...
Society
Nature cannot abide a vacancy, as the saying goes. If just one year ago, Estonia was battling the sale of MMS and the practice of giving it to children, a new “miracle cure” called Advanced TRS has appeared on the market now. Even though the make-up of the substance is different, the promise to cure autism and cleanse the body of heavy metals, which kind of extreme detox is accompanied by severe side-effects, sounds all too familiar. TRS is recommended to...
Society
Allied NATO battalions will soon mark two years serving in the Baltics. They have worked better than expected but would need prepositioned heavy weaponry and a functional contingency plan in case of a crisis, a report by the International Center for Defense and Security (ICDS) finds. “We do not know how Russia would have acted had we not welcomed allies in Estonia, Latvia, Lithuania and Poland in 2017. I’m afraid they would have tested our resolve,” one of...
Society
The time of filing income tax returns is nearly upon us. The new income tax system, in effect since last year, will obligate many women who went on maternity leave toward the end of the year to make additional income tax payments, while those who give birth in the middle or at the beginning of the year have no such obligation. What this means is that some women will owe the state simply for giving birth “at the wrong time”. Laura Roop, who went on maternit...