Cyber-lollygagging cost the state millions

It is likely that the Police and Border Guard Board (PPA) will have to swallow its words and write off a large part of its €20-million claim against ID-card manufacturer Gemalto in the coming weeks.

«Hi, P. I met R. today, and he told me you have a very interesting new topic. Could we meet, and are you willing to give me more information? Best wishes, S.» This is part of a high-ranking state official’s letter to an entrepreneur who had been manufacturing ID-cards for Estonia for over ten years.

These few sentences were the start of acknowledging the greatest crisis the Estonian e-state has seen. A crisis in which the state had to race against the clock to make sure the description of a security vulnerability in the Estonian ID-card discovered by Czech researchers would not reach the public and criminals.

Treacherous date

The letter also marks a very serious problem for Estonian officials and could become the decisive element in a dispute between the PPA and ID-card manufacturer Gemalto. The letter is dated June 15, 2017. That was two months before the PPA notified the public of the vulnerability and admitted that 800,000 cards would need to be replaced before a security patch could be finished.

The person named R. in the letter is a police officer who had a routine meeting with Gemalto that morning. If University of Tartu researcher Arnis Parshovs had managed to falsify the signature of an Estonian ID-card-holder in May and the matter was firmly on the agenda, now, Czech scientists had discovered an even more disturbing risk: digital signatures of a lot of ID-cards issued in Estonia could be falsified with enough computing power.

ID-card chip manufacturer Infineon had told Gemalto of the Czech discovery over Skype a day before. It was discussed during a meeting, and a phone call lasting five minutes and 18 seconds between Gemalto representative Andres Lehmann and head of the State Information System’s Authority (RIA) ID Department Margus Arm took place on the evening of June 15.

The situation became even more critical four days later, on June 19: RIA and the technical supervision authority received independent letters from different sources, according to which Austria had shut down all ID-cards that sported a configuration similar to those of Estonian cards because of a security risk concerning digital signatures on June 9.

Postimees has access to all of these letters. There can be no doubt that Estonia should have acted immediately; our entire society is based on the security of e-identity. Parshov’s successful attempt at falsifying a digital signature had been successfully kept under wraps – Postimees made it public in early December – however, any incident beyond that would upend our entire digital state.

Infineon had already informed Gemalto that Czech researchers plan to publish their findings in fall.

The corporation and the small digital country decided to keep quiet and do nothing. No software updates, no preparations for replacing faulty cards, no contact with the Czechs. There was not enough concrete information – that is what the parties say in hindsight, while it is also believed vital information was simply missed, either out of incompetence or knowingly.

The exact reasons for the summer’s lollygagging will likely never leave the PPA’s meeting rooms. Still. Estonia’s first EU Council presidency was just two weeks away and the impregnability of the walls of the digital state were among its main topics.

Valuable delay

It was likely a strategic decision aimed at protecting the state’s reputation, while Gemalto could have been pondering the hit its bottom line would take should it prove necessary to replace the cards.

It is very likely this that led to the conscious silence that ended up costing Estonia and its reputation a great deal. At least €4 million in direct expenses plus at least as much on workhours replacing cards.

The silence only ended in August when Masaryk University researcher Petr Svenda got to talking with his former work partner, RIA employee Martin Paljak with whom he had a good relationship.

The Czech couldn’t help but wonder why Estonia still hadn’t done something about its ID-cards. Let’s review: chip manufacturer Infineon had been notified of the discovery on February 1. Infineon informed Gemalto on June 14 that in turn notified the Estonian authorities a day later. Austria had shut down its cards on June 9 and informed Estonia of the decision through various channels.

«We contacted CERT (a unit of RIA – ed.) on August 30, but we did not know whether they already had a plan or were in fact aware of the situation. We were not sure whether it was necessary to contact them. However, I knew Martin Paljak from a code development project we worked on together and some beers we had shared some years prior,» Svenda later said.

Out of court

It was Paljak who suggested the scientists send CERT more specific data on their discovery which is what they did on August 30. What followed was the ID-card crisis, whereas the most peculiar aspect is that the state chose placing the blame on its partner Gemalto as its PR strategy – as if there had been no communication regarding the vulnerability in June. A claim of €20 million was immediately filed against the company. Very little remains of that original claim by today.

Information available to Postimees suggests the PPA and Gemalto have reached an agreement for a compromise to be signed in September that will end all three major disputes. It will see Gemalto withdraw its suit against the PPA’s ID-card procurement for the coming period, the PPA withdraw its claim over another minor ID-card fault and finally Gemalto agree to compensate Estonia for half of the direct expenses of the ID-card crisis – around €1.5 million.

The only thing the sides still do not agree on is how on Earth did the PPA manage to spend €1.5 million on overtime of officials during the period of replacing faulty ID-cards. The police did not have to procure software solutions and the money could only have been spent on operatives. Did PPA employees only take taxis to work and ordered lunch from top restaurants?

The sides make no secret of the fact they are tired of the dispute. Gemalto wants to leave with its dignity and without issuing public comments to continue its multi-billion-euro business everywhere except tiny Estonia. It will likely agree to pay the PPA a million euros to that end.

The police seem to agree. «We have been looking for a solution for over a year now, and it is time to move on,» said Kaija Kirch, senior expert at the PPA’s identity and statuses bureau. She said that a decision is expected in the near future.

«We will decide in September whether it is possible to reach an agreement with Gemalto regarding compensation for damages or whether we will file a claim. This concerns the 750,000 ID-cards with the security vulnerability and cards the secure key of which was generated outside the cards,» Kirch said.

That is to say the PPA is looking for a compromise and will not be demanding the return of half of the €40-million contract as was the agency’s initial plan.

The reason is very likely that the PPA cannot prove Gemalto is to blame for the vulnerability discovered by Czech scientists. As we now know, all involved parties had relevant information in June.

Scientists from the Czech Republic discovered that a security fault with Infineon chips makes it possible to use the public key of ID-card certificates to calculate private key values and steal the user’s identity. While this would take 6,442,450,944,000,000 vCPU years in the conditions of a normal 2,048-bit key, it would only take 140 vCPU years or less in case of powerful render farms in case of Infineon chips.
If you notice an error, highlight the text you want and press Ctrl + Enter to report it to the editor
3 views in december
I recommend
No recommendations yet


Post your comment to communicate and discuss this article.

Estonia's biggest banks are reminding their customers ahead of the upcoming holidays that interbank transfers will be significantly affected by the upcoming Christmas holidays — even beginning as soon as this weekend. Swedbank announced that if an interbank transfer has not been completed by the end of the business day on Friday, 21 December, the money sent will only be received by the other bank next Thursday, 27 December. SEB and LHV both noted that they...
In a doctoral thesis successfully defended at Tallinn University (TLÜ) on Monday, Dr Maarja Merivoo-Parro examined what Estonian life was like in the Cold War-era United States and how this manifested in humor, music, education, recreation and academic mobility. Following the abolishment of serfdom, Estonians have been involved in a number of significant waves of migration, both voluntary and involuntary. It is due to this migration that Estonians have a w...
At the Riigikogu sitting beginning at 10:00 EET on Tuesday, Prime Minister Jüri Ratas (Centre) will provide an overview of the activities of the Estonian government in the implementation of EU policies. Chairman of the European Union Affairs Committee of the Riigikogu Toomas Vitsut (Centre) will also deliver a report, and representatives of the Riigikogu's parliamentary groups will present their positions, according to a Riigikogu press release. In his rep...
Chairman of the opposition Conservative People's Party of Estonia (EKRE) Mart Helme has called on Helir-Valdor Seeder, chairman of junior coalition member Pro Patria to tie the latter's support for the state budget bill to a decision by the government not to support joining the UN Global Compact on Migration. "Pro Patria still has the chance to demand from its coalition partners [the Center Party and the Social Democratic Party (SDE)] that its stances be t...
Political news portal Politico published its list of the most influential people in Europe next year last week, with fifth place going to Estonia’s cybersecurity ambassador Heli Tiirmaa-Klaar. Tiirmaa-Klaar takes her place in between well-known Europeans, after Secretary General of the European Commission Martin Selmayr and in front of Ukrainian presidential hopeful Yulia Tymoshenko. Politico believes Italy’s populist interior minister Matteo Salvini will...
Representatives of the transport ministries of the Baltic states, Finland and Poland who met in Tallinn on Monday were of differing opinions regarding whether to remain in summer or winter time once the practice of changing the clocks twice per year comes to an end. A recent survey indicates that more than half of Estonians would prefer permanent summer time. Estonia, Latvia, Lithuania, Finland and Poland jointly acknowledged that the agreement to end the...
Ida-Viru Central Hospital is having trouble with patients not showing up to scheduled specialist appointments. To combat this issue, beginning next year, the hospital will start charging visit fees for no-show appointments as well. Last year, patients at Ida-Viru Central Hospital failed to show up for scheduled appointments a total of nearly 9,500 times, accounting for some 5% of all hospital visits, reported ETV news broadcast Aktuaalne kaamera. "Patients...
Tallinn city government finds that it is not reasonable to relocate the Tallinn Bus Station to the Ülemiste district near Tallinn Airport and that it should be left in its current location on Lastekodu Street. In connection with the preparation of an architectural idea competition and the drawing up of a detailed plan for the Ülemiste terminal in the framework of the Rail Baltic railway project, the city is drawing the attention of the Ministry of Economic...
A criminal investigation has been launched into the Medita Clinic, one of the largest private sector bidders in public procurement tenders in the health sector in Estonia. The Northern District Prosecutor's Office initiated the investigation in accordance with the Penal Code section concerning the transmission of false information, according to ETV investigative show Pealtnägija. The Medita Clinic was the largest private provider of specialist medical care...