The Estonia government issued an update on a vulnerability potentially affecting digital use of ID cards issued since October 2014.
On Aug. 30, researchers informed the country’s government that the vulnerability could facilitate the use of a digital identity for personal identification and digital signing without having the physical card and relevant PIN codes. Although knowledge of the certificate’s public key is technically all that’s needed to unlock the card, a Oct. 16, 2017 government notice states that it would take expensive computing power to fully exploit the vulnerability, adding that there haven’t been any known cases where an attempt has been successful.
“RIA and experts from Estonian research institutes have been involved in mapping the possible reported vulnerability, risk mitigation and solutions,” the notice said. “This has been done in collaboration with partners and service providers.”
The exploit has not been spotted in the wild and researchers say it’s important to keep in mind the exploit is still only a proof of concept and would be difficult to exploit.
“This means that the possibility of doing so on a large scale is very likely impossible,” Thycotic Chief Security Scientist Joseph Carson said. “While the Digital ID Card was affected, it did not affect the Mobile ID which a majority of Estonian’s use and the ID card is typically used as a backup or alternative method.”
Carson added the timing of the announcement of the vulnerability with Estonia’s Digital ID card was significant due to current local elections taking place in which approximately 30 percent of citizens vote using their Digital Identity.