Estonia releases update on Digital ID card vulnerability
Estonia releases update on Digital ID card vulnerability

The Estonia government issued an update on a vulnerability potentially affecting digital use of ID cards issued since October 2014.

On 30 August, researchers informed the country's government that the vulnerability could facilitate the use of a digital identity for personal identification and digital signing without having the physical card and relevant PIN codes however, noted knowing the public key of the certificate is not enough to unlock the card, according to the 16 October government notice.  

Authorities said it would take expensive computing power to fully exploit the card and that their haven't been any known cases where an attempt has been successful.

“RIA and experts from Estonian research institutes have been involved in mapping the possible reported vulnerability, risk mitigation and solutions,” the notice said. “This has been done in collaboration with partners and service providers.”

The exploit has not been spotted in the wild and researchers say it's important to keep in mind the exploit is still only a proof of concept and would be difficult to exploit.  

“This means that the possibility of doing so on a large scale is very likely impossible,” Thycotic chief security scientist Joseph Carson said. “While the Digital ID Card was affected, it did not affect the Mobile ID which a majority of Estonian's use and the ID card is typically used as a backup or alternative method.”

Carson added the timing of the announcement of the vulnerability with Estonia's Digital ID card was significant due to current local elections taking place in which approximately 30 percent of citizens vote using their Digital Identity.