
Estonian Electronic Identity Card: Security Flaws in Key Management - dcbadacd
https://www.usenix.org/conference/usenixsecurity20/presentation/parsovs
======
dijit
Anyone wondering if this is a new issue; it's not, it's a more detailed
writing of some previous issues, one of which being the Gemalto affair[0].

The new cards issued in 2018 are not known to have any vulnerabilities.

[0]: [https://www.linkedin.com/pulse/timeline-estonian-id-card-
vul...](https://www.linkedin.com/pulse/timeline-estonian-id-card-
vulnerability-andres-k%C3%BCtt/)

~~~
kreetx
Didn't read the paper but it appears to be fresh, so maybe the newsworthy part
is that they are still not fixed?

~~~
Avamander
The paper is half for giving a technical overview of the issues and part new
analysis based on datamining old certificates. The issues have been mostly
fixed, compliance violations however are still badly monitored.

~~~
kreetx
Yup, true - from the end of section 2.3.4 jTOP SLE78: "The jTOP SLE78-powered
ID cards were issued until the end of 2018. ID cards manufactured currently
are powered by the chip platform supplied by IDEMIA (not covered in this
work)."

Looks like the ID cards issued after 2018 are not covered, so I guess this
really is "old news".

------
PrimeDirective
> The flaws of the ID-card is a very politically charged topic to discuss in
> Estonia, having any doubts about the ID-card or e-voting will make you a
> persona non grata.

I somewhat disagree, the discussion tends to get bent by some populist agent
provocateurs and some of the initial reactions from the private sector media.
(In Estonia, the government media is the most centered out of all news
outlets, go figure). What these statements usually are is that "ID card has a
flaw X, therefore we should immidiately ban it, close the R&D and burn it with
fire", forgetting that crypto and computing in general, changes over time. My
view is that, of course each flaw has to be resolved and sometimes this is
political, but this just means the work has to continue.

~~~
C1sc0cat
Thinking that compulsory id cards "Papers Bitte" are not a good thing is not
an uncommon view.

~~~
bragh
It's not about it being compulsory, but the system being unverifiable end-to-
end and any criticism of that being laughed at.

If you put it into business terms, would you trust an employee or vendor who
told you that everything was alright, did not allow you to perform checks and
audits and mocked both your and external partners concerns [0] about it? I
don't think so. If the government is indeed for the people and not vice versa,
then this is not acceptable.

[0]
[https://www.youtube.com/watch?v=LkH2r-sNjQs](https://www.youtube.com/watch?v=LkH2r-sNjQs)
Tom Scott's video about e-voting. Funniest rebuttal I saw on Estonian social
media was that we are secure, since he is talking about e-voting, but we have
i-voting. So I guess once we will call it c-voting, it will be even better...?

~~~
aj3
I watched the video. It's a load of crap. I mean, here are his arguments (feel
free to tell me if I missed something):

    
    
      - voting systems inevitably have to be closed source, loaded on easily compromisable USB stick, connected to internet unguarded and sitting that way for years. In what reality is this nihilistic fatalism a reasonable expectation?
      - voter has no way of independently verifying that their vote has been processed correctly. First of all, this is simply ignorant as there are many cryptographical schemes that allow verification, but most importantly - how do you know that your vote has been processed correctly in our current system? You don't, there is no way for you to do that.
      - US hacking machines are routinely exploited at Defcon. That's right. You know what else is routinely exploited there? Physical safes, which are used for storing you know paper ballots. Also cars. And Air Force has promised to bring a fucking satellite next year. Something having vulnerabilities in the past does not mean it still has them, something having vulnerabilities currently does not mean they are easy to exploit in practice or can't be detected and mitigated, some products in a certain category having vulnerabilities does not mean all products in this category will inevitably have vulnerabilities in the future and we should just give up on ever fixing them.
      - trusting a person in a voting booth to vote for you would be ridiculous, but filling a ballot yourself and trusting that it will get counted correctly along the way is somehow self obvious - I guess because in the first case you clearly see that a human is involved in the process and in the second example it sort of feels like the process is finished once you physically put your vote into a box?
      - the average voter won't understand checksums. Well, maybe the average voter shouldn't worry about bad bytes in that case? And how come deterministic and auditable cryptography is a problem while demonstrably non-deterministic process of current paper voting (look at how results always differ ever so slightly when votes are recounted) is a non-issue?
      - transferring votes over internet is problematic because you can't trust software on either end. Right, because you know (never mind trust) everybody that will handle your vote on the path from voting booth to the whatever-governing-body-is-announcing-results-in-your-country? 
      - central computer could be manipulating your votes and only a few people will have an opportunity to inspect it. Well, how many voting boxes have you been allowed to inspect in your life? Are you allowed to go to the central location where your votes are aggregated and recount all of them personally? How do you know that officials in your voting location, precinct or at a national level haven't agreed to manipulate the results?
      - casting doubts on the election is easy to do with electronic voting and nearly impossible with paper voting. Have you heard this cute story about medical masks becoming a conspiracy and symbol of oppression among certain population in US? Has nothing to do with electrical circuits and everything to do with politics. If a current incumbent happens to lose an election there you can be sure that election results will be called fake, no matter paper or digital.
      - malware exists, so voting from personal devices is ridiculous. Just as ridiculous as doing e-commerce or banking? Or in case of Estonia getting pretty much any other official business done, or so I hear.
      - a single vulnerability in someones computer can be scaled to millions of computers. Ok, let's say someone is still using Windows XP and got infected with something after downloading GTA from Pirate Bay. How does that affect people voting from their iPhones?
      - anecdotes, anecdotes, anecdotes
    

tl;dr: Stop spreading FUD.

~~~
bragh
Please try to think here in terms of probabilities, not absolutes and about
the threat model.

1\. Closed source and loaded on an USB stick is the simplest case. But in the
end, how will you still know what is the actual code that the eventual
tallying system is running?

2\. Verification of votes is not about encryption. If you allow it to be
unlimited, then you can actually sell your vote. In Estonia, you can verify
your vote 3 times for 30 minutes after your vote was cast:
[https://www.oiguskantsler.ee/sites/default/files/field_docum...](https://www.oiguskantsler.ee/sites/default/files/field_document2/Elektroonilise%20h%C3%A4%C3%A4letamise%20usaldusv%C3%A4%C3%A4rsus.pdf)
(point 14 on page 5)

3\. Mostly agreed with you about the rate of vulnerabilities. But the issue
here is that voting is such an important of how democractic society works that
there should be no obvious vulnerabilities or any exploitations of
vulnerabilities can be easily discovered. E-voting has neither of these
because again, how can we know what code is actually being executed?

4., 5., 6., 7. Yes, one vote can get lost. Hell, thousands can get lost. But
on average, I can still count on the process eventually working out due to the
observability. Somebody will find ballots thrown in trash, pre-filled ballots,
117% of eligible people voting. Sure, in those cases the country is
unsalvageable, but you will at least know that it is happening.

8\. OK, but that is neither here nor there.

9., 10. If you open up Google Maps and look one country eastward, you will
understand. As a reference,
[https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia](https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia)
Not sure on what their planning divisions are cooking up, but I do not doubt
that they will use any angle they can. What is the going price for a Windows
10 0-day anyway, on the order of a few hundred k to 1M, I assume? Peanuts.

~~~
aj3
You’re the one that seems to be thinking in absolutes (when it suits you).

    
    
      1. In cryptographical/philosophical sense that’s a tough problem. But our goal is to improve on existing solution not come up with an absolutely ideal scheme, right? So let’s look at what sort of trust our current system provides us. Do you get to see how the whole system works? No. Does any single person gets to see the whole system for that matter? No. But you are provided with the description of the process and large part of it is happening in the open even though though you can’t attend all the places / oversee everything in a single election due to real life and restrictions. Some people are also provided with the power to inspect arbitrary components of the whole scheme  when they see fit and even though they don’t inspect even the whole components all the time and no one is inspecting absolutely everything, these people are attracted from all interested parties and can act on random, so we believe that if there were any symptomatic fault play someone would have found it simply by chance. And we generally don’t believe in conspiracies but we try to counteract them by providing more incentives for people to speak up, get involved, become a whistleblower if that’s necessary so that any largish conspiracy would inevitably become public knowledge quickly enough. Well, we can arrange all of these in electronic voting as well and we can even double down on all the in depth mitigations by providing more monitoring capabilities in real time & possibly even making data openly available in whole after election.
      2. You can sell your vote in our current system as well. But somehow that’s fine because we have different standards for what we grandfathered already, am I right? Yeah, you could pay people if they film themselves voting, but there is no evidence of they being widespread so no need to worry. Mail ballots aren’t anonymous and could be spied/spoofed easily but there is no evidence of that ever happening, so no need to worry. Lack of strong ID requirements in US could lead to massive voter fraud but there is no evidence of they ever happening in a large enough numbers to skew the election, so no need to worry about. And yet when it comes to electronic voting, geek versions of Penn and Teller - cryptographers have shown us in their stage shows that they can conceive such situations where the victim gets unknowingly duped into disclosing their vote, or the vote being miscounted. So that means literally anyone could carry out the same attack in practice and at an arbitrary scale (or maybe not but we’d better err on side of caution).
      3. How do you know that that nice lady overseeing voting in your district isn’t a secret Trump/Clinton/Nazi/Communist sympathizer? You don’t, but you have a faith in the system as a whole that it won’t crumble because of a single person. Similarly we can use defense in depth tactics in designing election security. The hardware would only be able to run signed code in a minimal environment, you could even make the decided stateless, meaning the code gets reset before each new vote gets accepted, maybe even provide an option for voters to reflash the device themselves (with a click of a button on their phone). Devices themselves don’t have to be generic PCs with USB ports and what not, these could be a really dumb chips enclosed into sealed & transparent casing with each one being certified etc. You could make the system modular by having multiple devices each doing their small thing - like the Unix utilities but with each utility being separate hw and most of them disconnected from any networking / being air gapped with obvious input/output interfaces. There are so many things we could do it we approached this in a sane manner as a serious engineering challenge instead of trying to out-cynic each other.
      4,5,6,7 That’s exactly my point, electronic voting can be made even more transparent and with the records being forensically preserved they could be analyzed in full at any time after the votes have been casted (with the operational stuff being able to run all sort of threat hunting / anomaly detection during the Election Day). Granted this assumes the whole system uses the same protocols and is run/overseen by a joint committee which might or might not be viable in US, but the discussion started from Estonia - European country, where this would be totally expected.
      9, 10 Not all 0days are noclick RCEs present in a default configuration (of a desktop/mobile). In fact we haven’t seen such a beauty in a long time. So no, there isn’t a price for that as it’s not something you could buy off the shelf. And if you could get one you would burn it pretty fast by using it in such a campaign. Makes much more sense to keep it as a nuclear option as no matter how aggressive in your opinion nation state attackers are, their primary incentive is fear for the survival/integrity of their own country (yes the bears crap their pants thinking about possible armed intervention any year soon and so do the pandas). So no I don’t think there is any conceivable way to exploit large portion of private devices in a country in a uniform fashion. You totally could do that using top bottom approach - sort of like exploiting DC and pushing malware from it via group policy. But in case of Estonia voting apps would be the last tech to use for that. They are already mandated to use governmental services for various everyday tasks, they have centralized ID and there are just a couple of major banks - all of which require having an app for modern banking. So there are already plenty of avenues to wreck havoc for a skillful/motivated attacker. And yet we don’t have panic attacks over it, it’s just operational risk that we seek to understand & mitigate just like in every other enterprise.

------
AhtiK
"The jTOP SLE78-powered ID cards were issued until the end of 2018. ID cards
manufactured currently are powered by the chip platform supplied by IDEMIA
(not covered in this work)."

If my memory serves me right, there was an easy way to check if your ID card
was affected and it got replaced for free. The flaws described in paper are
not known to exist in cards issued since the end of 2018, beginning of 2019.

~~~
jlgaddis
Yeah, an "offline tester" [0] was made available by the researchers who
discovered ROCA [1] and a company with "close links" to the researchers
created a "ROCA Vulnerability Test Suite" [2]. The Estonian government also
had one on their web site [3] but it is, apparently, no longer available.

ROCA didn't _just_ affect Estonian ID cards, though. It also affected also
TPMs (from Infineon), certain Yubikeys [4], and even some PGP keys!

\---

[0]: [https://github.com/crocs-muni/roca](https://github.com/crocs-muni/roca)

[1]: [https://roca.crocs.fi.muni.cz/](https://roca.crocs.fi.muni.cz/)

[2]: [https://keychest.net/roca/](https://keychest.net/roca/)

[3]: [http://www.id.ee/?lang=en&id=38239](http://www.id.ee/?lang=en&id=38239)

[4]: [https://www.yubico.com/support/security-
advisories/ysa-2017-...](https://www.yubico.com/support/security-
advisories/ysa-2017-01/)

------
Etheryte
The aftermath of the issue has been previously discussed here (2018):
[https://news.ycombinator.com/item?id=18104861](https://news.ycombinator.com/item?id=18104861)

------
bragh
Brave guy to publish this, hopefully it won't end up similar to the Dreyfus
affair — depends on which the media will roll due to it being "pickled
cucumber season" (everybody is on vacation, nothing much happening during
summer in Estonia). The flaws of the ID-card is a very politically charged
topic to discuss in Estonia, having any doubts about the ID-card or e-voting
will make you a persona non grata.

~~~
Svip
> "pickled cucumber season"

Funny, it's called "cucumber time" (agurketid) in Danish. I wonder if it's a
related term in Nordic countries + Estonia.

~~~
gspr
We also call it "agurktid"/"agurknyheter" in Norwegian, and I know the Germans
use "Sauregurkenzeit".

I've never heard any similar expression in English, nor in any Romance
languages. The Brits use "silly season" for the same concept in
journalism/news.

~~~
atlasunshrugged
Ha, I'm an American who lived in Estonia for a bit, I'm not familiar with any
related US term. Maybe we just don't have this as much as Europe - I know I
was shocked at how slow business got in the EU in summer, there's for sure a
dip in the US with people going on vacation but nothing like Europe in
July/August

~~~
eitland
> I was shocked at how slow business got in the EU in summer, there's for sure
> a dip in the US with people going on vacation but nothing like Europe in
> July/August

Reminds me of back when I worked for a company that exported machines to the
US and my boss told an American customer that we couldn't get a shipment sent
in June which meant it couldn't be sent before somewhere in August since key
personell was on holiday in July.

They then asked if he couldn't just tell us we _had to work_ anyway, which
-luckily for us- wasn't an option.

~~~
kube-system
One time here in the US I had to work late hours and weekends to hit an
ambitious deadline for a French customer who wanted to review our work before
they all went on their vacations.

~~~
eitland
Oh, that was a nice thank you from us pampered Europeans! /s

Sorry, hope you got some nice overtime bonus (but I fear not.)

~~~
kube-system
Overtime? Ha. Almost all salaried jobs in the US are exempt from overtime
laws.

------
pier25
I'm from the EU and considering incorporating my next company in Estonia.

Anyone else in a similar situation has any recommendations or ideas about
this?

~~~
AhtiK
Make sure to understand the tax laws when it comes to the company tax
residency in scenarios where you're physically not operating in Estonia nor
employing people there, nor having majority of your clients there.

See my older comment [1] for some related topcis to research.

[1]
[https://news.ycombinator.com/item?id=21321451](https://news.ycombinator.com/item?id=21321451)

~~~
atlasunshrugged
Yes, I'd definitely echo that, a huge amount of tax implications are based on
individual residency/permanent establishment so if you're living in say,
Germany, for 1/2 of the year + 1 day, you should be expecting to pay at least
your personal income taxes there, and likely the business taxes if you're a
sole prop without local employees and local business. Of course, if you're a
true 'digital nomad' who doesn't establish residency anywhere it gets much
trickier. But in general, my advice it to pay for 1-2 hours with an accountant
up front before you go through setting up a new entity somewhere

~~~
pier25
Even if my personal account was in an Estonian bank?

~~~
atlasunshrugged
Having a personal account in a local bank may be a data point if you want to
make a case about where you should be taxed but it won't automatically make
you have permanent establishment or tax resident in Estonia

~~~
pier25
Ah, right.

Yeah I should definitely check with an accountant in the country where I will
end up residing.

~~~
atlasunshrugged
Yeah, highly recommend that. You can also contact Estonian folks who do
understand the idea of running a co in Estonia and living elsewhere which
isn't common in a country like Germany as local accountants there may be
confused, there's a bunch of people on this list that have gone through at
least some govt vetting [https://e-resident.gov.ee/marketplace/service-
providers/](https://e-resident.gov.ee/marketplace/service-providers/)

I personally had a good working relationship with 1Office in particular and
recommend them (wasn't a client but they were a partner when I worked for the
e-Residency program and a buddy's GF works there who I trust and who does good
work)

~~~
pier25
Would you incorporate again in Estonia?

------
Stierlitz
> n this paper, we describe several security flaws found in the ID card
> manufacturing process ..

Like accidentally on purpose,secure up to a point, but weak enough to allow
the spooks to generate their own IDs. I mean if the cards were unhackable how
would a spy do his job :]

~~~
chrismeller
As an American residing in Estonia, I’m not sure what the benefit of a state
compromising the card crypto would be. There are four broad categories of uses
for the ID cards:

1) Obviously, a government-issued photo ID

2) For an increasing number of shops, as your “frequent shopper” card, which
admittedly is slightly related to...

3) Authentication, including: logging into your bank, government websites (the
state portal, the tax authority, the the “digital story” - all your medical
records, the online booking website for booking some combination of
surgeons/specialists that operate under the public healthcare system), the
(one) online pharmacy that exists, etc.

4) Signing things. I’ve signed my lease with it (though “paperless” Estonia
still wanted me to sign a paper version as well) and more routinely you have
to “digitally sign” any bank transfers... which are the standard way to pay
bills in Estonia, so you do it a lot. Finally, voting online.

I don’t see how broadly compromising the crypto would really benefit anyone
for any of those things, it would have to be a more specific individual
attack, like draining your bank accounts.

Edit: formatting, added voting

~~~
pisipisipisi
Getting asked as an expert "can this id card thing be trusted?" my answer has
been "for communicating with the government you inherently don't trust, the
method or security of an authentication device does not really matter" (filing
your taxes or logging to services being the scope). Some claiming encryption
privacy issues ... Well, for any meaningful opsec you should not be using the
id card for encrypting messages about overthrowing the same government issuing
the encryption devices in the first place, if government reading your messages
is a threat in your model.

~~~
chrismeller
Yeah, I think the biggest risk would be rigging an election, but we’re talking
about a country of 1.2 million people. Not to dismiss the importance of their
elections on Estonia, it doesn’t really have the same worldwide ramifications
that compromising a US, UK, German, etc. election would have.

~~~
Strom
Rigging (digital or not) would be hard to hide, because it could only be a
minor adjustment to remain plausible. All the election results end up roughly
similar to all the various independent polling results. If some party suddenly
receives a lot more votes than they polled for - it will be noticed.

Also Estonia already has a history of (non-digital) election rigging [1] so
rhetoric of the " _digital results in rigging, keep it physical for safety_ "
kind isn't super convincing.

\--

[1]
[https://en.wikipedia.org/wiki/1940_Estonian_parliamentary_el...](https://en.wikipedia.org/wiki/1940_Estonian_parliamentary_election)

~~~
dane-pgp
> Rigging (digital or not) would be hard to hide, because it could only be a
> minor adjustment to remain plausible.

How many more votes would the party in second place at the last election have
needed in order to have won instead?

> If some party suddenly receives a lot more votes than they polled for - it
> will be noticed.

Is there a mechanism by which the election could be run again (before the
winners of the election have a chance to prevent this)?

> Also Estonia already has a history of (non-digital) election rigging

Or it's an argument that a voting system should have both hand-counting and
digital counting, because rigging both counts is at least twice as difficult
as rigging one.

~~~
ants_a
> How many more votes would the party in second place at the last election
> have needed in order to have won instead?

It's a multiple party proportional representation system so who "wins" doesn't
really matter that much.

> Is there a mechanism by which the election could be run again (before the
> winners of the election have a chance to prevent this)?

I'm not an electoral law expert, but complaints about election process go to
National Electoral Committee, which can have its decision contested in Supreme
Court.

> Or it's an argument that a voting system should have both hand-counting and
> digital counting, because rigging both counts is at least twice as difficult
> as rigging one.

The e-voting over here is actual e-voting - the vote is purely digital and
done remotely. Not in any way related to the digital vote counting machines
used in the US.

~~~
dane-pgp
> It's a multiple party proportional representation system so who "wins"
> doesn't really matter that much.

Obviously by "wins" I meant "becomes the (biggest party in a coalition)
government", not "gains the most first preference votes" or some other
strawman interpretation. And yes, I admit that it is hard to calculate the
minimum number of extra votes that would need to be added to change which
party leads the government, but I do think that a good proportional voting
system should allow that number to be determined at least to a reasonable
approximation.

> I'm not an electoral law expert, but complaints about election process go to
> National Electoral Committee, which can have its decision contested in
> Supreme Court.

I wonder how long that process would take in practice, and whether the Supreme
Court would decide it had the power to invalidate an election. In particular,
what sort of evidence would be required to satisfy the court that it had to
demand that remedy? I imagine that "The opinion polls were wrong by 6%" might
not be enough, and the political biases of the judges themselves might well be
significant in such a situation.

> The e-voting over here is actual e-voting - the vote is purely digital and
> done remotely. Not in any way related to the digital vote counting machines
> used in the US.

Yes, the fact that the voting can be done remotely is another problem, since
someone can be bribed or coerced into voting a certain way. I believe the
mitigation for this is that the voter can supersede their online vote with an
in-person vote, but an attacker could quite cheaply work around this by having
tracking software on the victim's phone, and henchmen outside the polling
stations.

------
noodlesUK
So, an argument that I hear regularly is that having a mandatory centralised
and cryptographic ID system really expedites certain ID-related tasks. Can
anyone in Estonia comment on this? Within the US and U.K., there’s no
mandatory ID, which I think is probably a good thing for civil liberties (no
papers please, for instance), but also fosters certain industries such as
credit reference agencies and has all sorts of weird side effects from
bootstrapping things like SSNs and NI numbers into secrets. Are there
companies like Jumio and Acuant in Estonia, or has the government rendered
them pointless?

~~~
Avamander
> I hear regularly is that having a mandatory centralised and cryptographic ID
> system really expedites certain ID-related tasks.

Paper signatures and fax are both considered obsolete, the latter is basically
never used. Cheques? Never seen them. Logging into any high-value service is
done using the eID. If you use local services there's rarely any need for any
site specific passwords, password managers, U2F, FIDO(2), GPG or similar
identity technology. There's no need to send a pic of yourself to verify your
identity anywhere, zero shit like that.

You know how PayPal, Stripe or similar payment processors felt/feel really
cool and fast? Yeah, we barely felt that because banklinks have fulfilled that
use case for the majority for a really long time now.

There aren't any other examples on the top of my head right now, but they're
really not the only things. By now, there's basically an entire generation in
Estonia that literally have zero idea how things were before, and are thus
often shocked by what and how much is required from them in other countries.

> Are there companies like Jumio and Acuant in Estonia, or has the government
> rendered them pointless?

They're basically nonexistent.

------
JoeAltmaier
Seems interesting, but security flaws were in a countable (small) number of
cases. Is this a general issue?

~~~
pisipisipisi
This shows the issues in process and attitude. Even in the case of ROCA, you
do not really break the crypto part itself, you wiggle around the
implementation and procedure issues to bypass it.

------
cordite
Are these things PIV or something else?

------
fabianlindfors
Are there any Estonians here on HN who would be willing to chat a bit about
digital identities in your country? I'm working on bringing e-ID to more
people ([https://getpass.app/](https://getpass.app/)) and looking to get a
better understanding of current solutions.

Feel free to reach out, my email is fabian (at) flapplabs.se

