Estonian authorities block national ID cards over ROCA smartcard security flaw

Estonia has binned its national ID cards over smartcard security flaws - obliging citizens to get new ones

The Baltic state of Estonia has rendered more than 760,000 national electronic ID cards useless after a cryptographic flaw was uncovered in the smartcards.

Estonian authorities found that cyber criminals were able to tap into a flaw that enables them to clone the cards and commit identity fraud.

The vulnerability, known widely as ROCA, was published on 16 October. Affecting smartcard chipsets made by Infineon, the flaw enables attackers to steal private RSA keys.

The discovery of the vulnerability has affected a wide range of devices that use these chipsets, including laptops, routers, Internet of Things devices and smart cards.

Estonian identify cards are widely used throughout the country. In August 2017, security specialists identified a threat affecting more than 750,000 of them issued between October 2014 and 2017.

Estonian organisations have attempted to issue a patch via a certificate update, but the government has since issued an outright ban on the cards.

Researchers in the country contacted Infineon and companies using chipsets for cryptographic data, and one of them was technology company Gemalto, whose cards are known to be vulnerable to the ROCA flaw.

The Swiss company owns Trub AG, which was the original firm to manufacture and distribute the first-of-the-kind national ID card system.

Over the past few months, the authorities have been working to find a remedy and to inform members of the public about the problem. The Estonian public are now obliged to get their ID cards updated.

The ID cards are used for filing taxes, managing healthcare information and other government-related purposes. Estonian Police issued a block on Friday.

The country's prime minister, Jüri Ratas, said: "As far as we currently know, there have been no instances of e-identity theft. By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card."

Over the next few weeks, Estonians will need to visit local authorities to replace the cards. More than 35,000 public servants and government officials will be given priority when updating their cards.