
Potential security vulnerability affecting Estonia’s ID cards and digital IDs - reimertz
https://medium.com/e-residency-blog/heres-what-e-residents-need-to-know-about-the-potential-security-vulnerability-d31a128726f5
======
jcrei
Kudos to the team for being immediately open about the issue.

I'm not sure if this is a new development or an older issue. One thing you
need to understand is that the timing for this info getting out there is
perhaps a little less than a coincidence. Estonia is poised to have local
elections very soon (mid October) and even non-citizens can vote, as long as
they are residents and have an ID card.

Traditionally one of the parties (Keskerakond) has received very few votes
from the e-voting. They have an older voting crowd and also less urban, and
get the majority of Russian speaking votes. They would have a lot to gain from
speculation over security issues with e-voting. Also, Keskerakond, has had
ties with Russia and Russian money financing some of their campaigns.

I'm not saying it's Russia, but the timing of the announcement of the
vulnerability is very interesting

(updated for formatting)

~~~
ktta
> I'm not saying it's Russia, but the timing of the announcement of the
> vulnerability is very interesting

Any articles you can link to which will detail something like this Russia has
done? I've also heard similar comments about the ransomware attack on Czech
Republic, which is indicative of past behavior of Russia.

American media companies don't seem to cover Russia (at least as well as China,
excluding the recent election news frenzy. Or maybe they don't get shared that
much). Russian government seems to silence domestic critics, so any verbose
story which is noteworthy by international journalists?

(I'm fine with spending a good number of hours on this so anyone is welcome to
post any number of links)

------
pmontra
> When notified, Estonian authorities immediately took precautionary measures
> [...]

> We are grateful to the researchers for uncovering this issue and providing
> us with the opportunity to ensure our digital society can emerge stronger
> and more secure.

Such a different approach compared with companies following the too usual
policy of burying their head in the sand. This increases respect and trust.
Taking no actions or communicating no action is detrimental to trust.

------
donquichotte
OK, since this is being discussed here: has anybody found a use case for the
Estonian e-Residency? I tried to actually register a company and a bank
account and gave up after trying for several hours.

~~~
MrDisposable
(Posted under a throwaway account).

My use case: as a Russian citizen living in Russia but planning to release an
app, I'd much rather prefer doing it via an EU company than via a Russian
company.

First, there's a lot of nasty stuff that happens to business owners who don't have
proper "protection" (their businesses get "transferred" to the right people
and they themselves go to jail on phony charges for not wanting to sell their
business for peanuts).

Second, the situation in Russia will definitely get worse, and when that
happens, the problem I described above will also get worse. I just don't want
to expose a business generating revenue in USD in Russia. And if it gets
exposed (which it will, due to the automatic information exchanges between
jurisdictions), I will have an additional barrier of protection against
unwanted "transfers" -- it's easy to do to a Russian business, but it's much
harder with foreign companies.

And third, selling an app while being listed in app stores as a Russian
company definitely won't improve my first impressions, given all the hype
about Russian hackers (there's even an example of it in this thread!)

By the way, if you want to register a company, go with a provider like
LeapIN.eu -- they're fantastic.

~~~
soloadventurer
Under Russian tax law, a company is a tax resident in Russia if (a) it is
incorporated in Russia, (b) its management and central control are in Russia,
or (c) if a treaty deems it to be in Russia. Estonia has no tax treaty with
Russia, so (c) is not relevant. In your case, (a) is also not relevant. Point
(b) is more interesting: do you live in Russia and exercise management of your
Estonian company in Russia?

If yes, then you own a Russian-resident company and Russian corporate tax law
is applicable. You are required to prepare financial statements and file
corporate tax returns in Russia. Presumably there are also many foreign
ownership disclosure requirements.

Please consider discussing your case with a tax advisor if you have not
already done so. I would never ever easily recommend a citizen of an OECD
country incorporate a company overseas without first thoroughly researching
disclosure requirements and tax law. Please be careful as tax laws generally
are of the "go straight to jail" type.

I wish this Estonian e-residency program would contain more warnings in red
about the significant impact such a foreign company will have on a
shareholder. This applies to Atlas as well--non-US-residents need to be
extremely careful with US corporations as there's a good chance they will not
actually be resident in the US.

------
ajobaccount2017
Very vague on details. No links to exact researchers or their findings.

Does anyone know more about this?

~~~
nirv
Roughly quoting from the FAQ featured today in local press[1]:

Q: Is the white paper published? Can anyone use it for hacking the ID card?

A: The scientific research will be published later this autumn at an
international scientific conference. Within the academic community it is not
accepted to publish specific exploitations.

[1] http://www.err.ee/616783/id-kaardi-turvarisk-politsei-vastused-korduma-kippuvatele-kusimustele

~~~
nirv
Also some highlights from the same source:

"Theoretically, an ID-card can be used for person identification and digital
signing - without having a card and not knowing PIN-codes. It is not enough to
know public keys to crack the ID-card, an attacker would also need a lot of
processing power to compute the private key and special software to put a
digital signature."

"In October 2014 ID-cards began to use brand new, faster chips, which are
based on new technology and therefore more secure. That new chip has received
French and German safety certificates, which confirm the compliance of the
chip with safety requirements. The same chip is currently used in several
other countries, as well as on payment cards and business certificates. The
vulnerability risk arose due to the combination of chip operation and
software."

"We took a number of steps to minimize risks: closed the ID-card public key
database, our experts analyze the situation and are looking for a solution to
restore the highest security level."

------
jlgaddis
I wonder if the issue is anything similar/related to (PDF):
https://smartfacts.cr.yp.to/smartfacts-20130916.pdf
but, perhaps, on a larger scale.

~~~
hdhzy
Excellent paper, thanks!

