Estonia Hits Gemalto Again – Insecure eID cards

When we researched impacts of the ROCA vulnerability, the Estonian government limited the impact with a cut-off date. ROCA only applied after that date. It now appears that Gemalto had another problem before that cut-off date.

Estonian police (PPA) sues Gemalto for EUR152 million for non-compliant personalisation of eID cards according to Reuters, or  Business Wire. It appears that Gemalto has been negotiating with the Estonia for a while but PPA decided to break off the negotiations and opted to sue Gemalto publicly.

Update (1 October): it is not clear at the moment whether there was a typo in the story (citing 700,000 instead of 70,000) or whether the reason for the change of the government’s approach was due to some new information. If the former is true then Gemalto mismanaged configuration of computers in walk-in branches, instead of my initial thought of them using wrong technology.

Estonian eID Cards A Failure? I Hope Not!

What does this announcement mean?

  1. If the allegation turns out to be true, citizens of Estonia can dispute any legal signatures created with their eID (electronic ID) cards. The fact that secret keys were outside the chips of eID cards breaks the legal requirements and the worst-case scenario is that it will have a large-scale impact on the validity of all eID-based contracts.
  2. It now seems that all eID cards issued in Estonia till October 2017 had a security problem. Either they were impacted by the ROCA vulnerability or their was a serious breach in the personalisation process, which may invalidate legality of eID cards.

Personally, I applauded actions of the Estonian government. Their quick reaction and the way the mitigated and resolved the ROCA vulnerability. Their handling gives me a hope that eGovernment and eID cards are not dead. On the other hand, Estonian citizens seem to have become victims of commercial “state of the art” security being used in a completely new context.

ROCA History

You may remember the ROCA vulnerability, which was reported almost a year ago. It impacted about 25% of laptops and PCs – their trusted chips, which are used for secure boot of computers, as well as authentication to (Microsoft) cloud applications. However, it also impacted about half of all electronic ID cards in Estonia and eID cards in Slovakia, Spain, as well as some other countries.

Estonian eID card (Steve Jurvetson)

The government of Estonia was not happy with Gemalto’s handling of the security breach at the time. Especially Gemalto’s omission to notify the government that the problem existed in the first place.

Inside sources claimed that researchers realised that Estonia kept issuing vulnerable eID cards long after they should have been notified Gemalto and other manufacturers (vendors got 10 months’ disclosure notice). They then used direct channels to get in touch with the government – and it appeared to be the first time they learnt about the problem with only weeks left till the public announcement of the ROCA vulnerability.

Luckily for Estonian eID cards, ROCA only impacted cards issued after they changed the personalisation process. All the public information suggested that this change comprised a new process (citizens started doing it themselves) and new chips in eID cards as well. While the latter may be true, I have some doubts in the light of yesterday’s news.

Off-the-shelf v Legally Compliant

Any use of eID cards requires their secret keys to be generated inside the cards. The law requires that citizens have full control over the keys and this would be breached if a third-party generates those keys. It is paramount for the legal validity of eID cards.

This generate-key-in-chip requirement is different from the practice in banking. Due to the sheer volume of debit and credit cards, banks use personalisation systems that generate keys in fast computers and inject them to cards. The same approach is used for passports.

As there are many more debit cards than eID cards, personalisation systems with a key injection are basically off-the-shelf solutions, while the generate-key-in-chip is hard to scale and build as a centralised facility.

The information so far suggests that Gemalto has used one of the off-the-shelf systems to supply eID cards in Estonia before the ROCA cut-off date. We can only speculate that those cards would have been subject of the ROCA attack if the personalisation were done properly.

You can check my previous blog posts about the topic:

Or some of the articles from last year:

  • Register –
  • ArsTechnica –
  • and many others

Leave a Reply

Your email address will not be published. Required fields are marked *