Estonian authorities have decided to block and disable over 760,000 national electronic ID cards due to a cryptographic vulnerability that could allow attackers to clone IDs and forge identities.

The vulnerability is known as ROCA and came to light on October 16, 2017. The crypto bug affects TPM chipsets manufactured by Infineon. A vulnerability in the firmware of the Infineon TPM chipsets results in the generation of weak RSA cryptographic keys that could allow an attacker to determine the private RSA key corresponding to a public RSA key.

Products such as laptops, routers, embedded and IoT devices use Infineon chipsets, but also the equipment that was used to issue Estonian electronic national IDs — regular IDs, but with an electronic chip inside that allows users to cryptographically sign various operations.

Estonian authorities notified over the summer

When researchers from the Czech Republic found the flaw, they contacted Infineon and companies that used their chipsets to generate and store cryptographic data.

One of them was Gemalto AG, a Swiss company that bought Trub AG, the original company that provided the systems to issue and manage Estonia's first-of-a-kind electronic national ID system.

A further investigation revealed that all Estonian ID cards issued after 16 October 2014 and up until October 26, 2017, used weak cryptographic keys to secure the ID owner's data.

Since mid-September, Estonian authorities have been scrambling to inform the public about the flaw and prepare some ID owners for the moment when they'll need to update their ID cards [1, 2, 3]. That moment is Monday.

Last night, Estonian authorities blocked over 760,000 ID cards

On Friday, November 3, at midnight, Estonian Police have blocked and disabled all vulnerable ID cards.

Authorities removed the certificates of over 760,000 from their system, meaning Estonian users won't be able to use the ID card to file taxes, manage healthcare information, or other operations that would need the ID card's cryptographic key to authenticate the user.

Estonians will be able to use the former "electronic" ID as a classic identification paper to prove their identity.

Authorities replacing vulnerable cards (~58% of all cards)

From Monday and through the coming weeks, Estonians will need to visit authorities and replace their card's cryptographic certificate with a new one.

Over 35,000 people, such as doctors, government officials working in the field of justice, as well as employees of the civil status office, will have priority in having their ID cards updated, as they will be needed for their jobs.

"As far as we currently know, there has been no instances of e-identity theft," said Estonia's Prime Minister Jüri Ratas. "By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card."

Yesterday, the Estonian government's ID card portal listed nearly 1,3 million active electronic ID cards. Around 58% of all cards are believed to be vulnerable.

The article has been updated to clarify that Estonian will have to replace the certificate on their electronic card, not the card itself.