Estonia is a progressive country when it comes to the use of technology. It is an early adopter
of innovative technology to make their population digital citizens.
As with anything new there are challenges to overcome and for Estonia there is one such challenge. At the end of August 2017, the Estonian Information System Authority (RIA) was informed of a vulnerability which impacts the 750,000 issued digital ID cards. Including their e-residents cards, the weakness exist in all ID-cards issued as far back as October 2014. Residence cards are issued for investors and entrepreneurs from other countries with business with no fixed location -the so called ‘Digital Nomad’.
The risk is that the vulnerability could theoretically have led to identity thefts of Estonian citizens and also e-residents.
The cards contain a chip manufactured by the Germany chipmaker, Infineon Technologies AG. The card’s security relies on an RSA keypair to secure its contents and provide digital signature.
The problem at the heart of this is the implementation of RSA keypair generation. RSA is an encryption method that uses two keys, a private key and a public key. The two keys are related but having one does not mean you can deduce the other. It uses an asymmetric cryptographic algorithm with a premise that even if the two keys are related, obtaining the public key would not reveal the private key.
In the RSA implementation of Infineon chip, this fundamental principal is broken. By merely having the public key allows one to compute the private key. This breaks everything and renders the card useless. It allows hackers to then use the private key to impersonate private key holders (i.e. card holders in this case) but also decrypt sensitive data. It could also circumvent the trusted platform module (TPM) in PC and laptops or allows the bad guys to embed malware into digitally signed software.
This weakness is the much talked about ROCA vulnerability, CVE-2017-15361
The usage of the Infineon is not limited to Estonia however. Google Chromebooks, HP, Lenovo and Fujitsu PCs and laptops, alongside routers and other devices are all affected as they use similar chipset.
ID cards are becoming more popular and more centralised. The lesson learned from Estonia should serve as a guide to others. Early adopting nations should request the manufacturers to put their solution to third-party security review of the technology or some academic researcher under NDA to a) examine the technology and b) verify independently that it can be trusted. This is not easy but it is the only way forward as a lot is at stake.