On 30 August, an international team of researchers informed the Estonian Information System Authority (RIA) of a vulnerability potentially affecting the digital use of Estonian ID cards. The risk theoretical and no ID cards have been misused, but all the ID card owners must update their certificates to be able to use their digital identity again.
All e-residents whose digital IDs were issued prior to 25 October 2017 must now update their digital ID card certificates from the Estonian ID card utility software on their computer. It will inform you automatically that your certificates need updating.
All e-residents can now update their certificates, but you may not need to rush.
Overview:
- There were no known incidents of an Estonian digital ID card being misused, but all previous certificates containing the vulnerability were suspended on Friday.
- Only the most frequent users could update their certificates last weekend so we recommended Smart ID for anyone needed access to banking over the weekend. However, it’s also a great long-term solution for e-residents. Find out more here.
- All e-residents can now update their certificates, but you may not need to rush as you still have until the end of March 2018 to update them.
- We are sorry for inconvenience caused by this issue, but protecting the integrity of your digital identity must come first.
Estonia’s citizens, residents and e-residents have been updating their digital ID cards with new certificates to help protect against a potential security vulnerability discovered by a group of international security researchers.
On Friday, the Estonian Police and Border Guard decided to suspend all previous certificates affected by the vulnerability.
Estonian Prime Minister Jüri Ratas explained that the danger of the security threat becoming real was increased by the fact that it was not a flaw of the Estonian ID card alone, but also included cards and computer systems around the world that use the chips by the same producer. This brought the safety flaw to the attention of international cybercrime networks which had significant means to take advantage of the situation.
“The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card,” said Prime Minister Jüri Ratas. “As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real. By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card.”
The Prime Minister added that the decision was not made lightly, but protecting people, their companies and their state must come first.
This means that Estonian digital ID cards issued between 16 October 2014 and 25 October 2017 — including all but the very newest cards issued to e-residents — will no longer work online without the update.
This will be inconvenient for e-residents who have not yet updated their certificates, especially as the process has been more difficult than any of us wanted. We are aware that many citizens, residents and e-residents have been receiving error messages due to the high volume of people updating at the same time.
As a result, the ability to update certificates was temporarily restricted last weekend in order to prioritise people who use their digital ID cards to provide vital services, such as medical professionals inside Estonia, as well as the most frequent users, which will include e-residents that will be notified by email.
All e-residents can now update their certificates again, but you may not need to rush anyway.
The deadline for updating the new certificates is the end of March 2018, but e-residents who signed up for Smart-ID while their certificates were active can continue accessing many of the same benefits — even when their certificates are suspended.
You only have to update your certificates before you need to digitally sign documents, access state services (such as the Business Register) or access banking if you haven’t already set up Smart-ID. The Finnish banking provider Holvi is unaffected though.
We understand that the certificates update process is still not as smooth as it should be, but authorities are working hard to improve this for those that want to update straight away.
As the Prime Minister has also said, we are all truly sorry for any inconvenience you may have experienced. However, Estonia’s highest priority is to protect the digital identities of citizens, residents and e-residents — as well as their companies and their state.
Estonia is proud to be a digital leader and help spread the benefits of our digital nation to as many people around the world as possible through e-Residency. That also means we will sometimes be the first to encounter new challenges and must take responsibility for the solution. We will always do so with full transparency because our digital nation depends on the trust of all its people — citizens, residents and e-residents.
Thank you for your patience.
The original article by e-Residency team is found in here.