- [2021-10-16] The i-voting in the 2021 local municipality elections took place from October 11th to 16th. A new i-voting record was set with 273,620 votes (46%) being i-votes. Around 24,000 i-votes were revotes. The biggest share of i-votes went to the Reform Party. I-votes cast for the Center Party tripled in Tallinn. Several voting related incidents were observed and are covered below.
- [2021-11-11] The State Electoral Committee (VVK) received an appeal from candidate Andrea Eiche demanding the i-voting results in Lüganuse municipality be annulled due to alleged vote buying activities. The complainant claimed that voters had been “persuaded” to cast an i-vote for a Center Party candidate, both at the Kiviõli Russian School and at a nearby store, with the latter providing gifts in return for doing so. The applicant requested VVK to ascertain how many i-votes had been cast from the store and also from the school’s IP address to specific candidates. The Supreme Court found that processing such data would breach the ballot secrecy. The court found that the allegations lacked sufficient proof, although the court ordered the police to investigate a potential criminal offense.
- [2021-11-03] Police detained a politician (Sergei Gorlatš) who is suspected of vote buying. According to preliminary data, almost 40 Narva residents were offered a trip, which included a guided walk in the park, a visit to a SPA, a picnic and transport. The trip took place during the election week and people were instructed to bring their ID card to i-vote. The i-voting took place on the bus. People who could not vote due to the lack of an ID card or PIN codes were asked to do so later at the polling station. Almost half of the people were able to vote on that trip.
- [2021-10-28] The international i-voting security audit procurement failed five times in a row as the companies that applied did not meet the conditions of the procurement. However, the state signed a contract for a total of 200,000 euro with KPMG Baltics OÜ to conduct a narrower scope procedural audit. The audit is supposed to assess all election-related information systems and has to be completed by April 2022. The audit is supposed to assess at minimum: (1) compliance to the OSCE/ODIHR report; (2) the implementation of the proposals made by the i-voting security working group in 2019; (3) compliance of the Council of Europe e-voting standard; and (4) current legislation and processes related to election information systems.
- [2021-10-28] EKRE submitted a complaint asking for i-voting in the ongoing elections to be declared illegal, as the translation feature of the Google Chrome browser distorted (translated) candidate names listed in the election website kov2021.valimised.ee. On the night of October 13th, the developers of the website added the translate=”no” flag to the candidate list, instructing browsers to not apply translation on that part of the page. National Electoral Committee (NEC) rejected the complaint as the names of the candidates were displayed correctly in the i-voting application. The Supreme Court rejected the appeal assessing the impact of the translation problem as unlikely.
- [2021-10-28] Virgo Kruve submitted a complaint asking for i-voting to be canceled for the local elections due to several issues: (1) the source code of the i-voting application was not publicly available; (2) the software was not audited and the i-voting server was not under the supervision of auditors; (3) paper voters and i-voters were not treated equally as i-voting was not possible on election day; (4) the i-voting application was signed after the i-voting trail; (5) VVK confirmed the results of the i-voting trail after the start of the i-voting period. NEC and the Supreme Court dismissed the complaint: (1) legislation does not require publication of the i-voting application source code or audit of the application; (2) the law does not impose an obligation to use the i-voting application provided by VVK; (3) the vote verification application can be used to check if the correct vote has been cast; (4) there are measures to verify the authenticity of the state-provided i-voting application.
- [2021-10-26] Jan Willemson (Cybernetica) used the unofficial proof-of-concept i-voting application to cast an i-vote in the local elections. The vote was accepted by the vote collector server and passed the mobile vote verification successfully. However, in the ballot box processing phase the vote was discarded as invalid. The cause of the bug is being investigated.
- [2021-10-23] Postimees wrote about indications that ID cards of nursing home customers are abused to cast i-votes. As an example, it was mentioned that a relatively unknown candidate, a close relative of the head of a nursing home, received as many votes as a well-known Estonian politician (nearly a hundred votes) and had an unnaturally high proportion of i-votes – four times as many as paper votes. However, so far none of the allegations that ID cards are being misused in nursing homes have been substantiated.
- [2021-10-21] A hacker (Artur Boiko) was able to capture a signed i-vote produced by the voting application. The hacker informed the Estonian media that the i-votes cast in the elections are not valid as the DigiDoc4 client showed that the digital signature attached to his i-vote was not valid. RIA explained that the formed signed BDOC container is not a fully completed digital signature, as the OCSP response and timestamp are added on the server side.
- [2021-10-19] Starting with the local elections this year, it is possible to cancel an i-vote in a polling station also on election day. Before 2021 this was not possible, because the voter lists were on paper. Electronic voter lists were used for the first time and it also enabled voters to vote in any polling station in their district as this information is now maintained in a central database. A total of 1,375 computers and 400 printers were used in polling stations all over Estonia. Most of the equipment was leased from Telia. Almost 2,000 people canceled their i-vote with a paper ballot.
- [2021-10-16] On the sixth day of advance voting, voting in polling stations experienced issues from 12:00 to 12:45. The cause was in RIA’s authentication service TARA that is used by the Election Information System VIS3. For security reasons, the number of queries processed from a single IP address was restricted to prevent DoS attacks. During the inaccessibility of VIS3, voters were able to cast paper votes using double envelopes. The electronic list of voters was updated as soon as VIS3 became available again.
- [2021-10-13] A designer (Stefan Hiienurm) criticized the design of the i-voting application as the application looks like “old-school pirated software” (has been largely the same for about ten years) and there is no indication that this is a service created by the Estonian state. The designer took 30 minutes and sketched how the i-voting application could look.
- [2021-10-12] I-voters who had their computer time more than 5 seconds off got an error, although their vote was cast successfully.
- [2021-10-11] During the first 11 minutes after i-voting started, a false message was shown to voters by the voting application, stating that it was a test vote that would not be counted. Around 900 of the first i-voters received such a message. The votes were actually counted, as this was a configuration error having effect only on the text displayed. The end time of the test vote was wrongly configured to be an hour later.
- [2021-10-11] Users of the latest version of MacOS were unable to i-vote with an ID card until a new voting application was released in the afternoon of the first day of i-voting. More than 30 complaints were registered by technical support service, but hundreds or more users could have been affected. The error was due to the fact that the application was not tested accordingly. I.e., before initially signing the application, the application was not given the right to communicate with the ID card software. The fault was discovered only after i-voting started as the combination of MacOS and ID card was not tested in the i-voting trial.
- [2021-10-11] The documentation for the MacOS voting application on valimised.ee was inaccurate. The file name of the voting application was different (in the documentation “selection.dmg”, actually “KOV_2021_mac.dmg”), and the cryptographic checksum of the voting application file did not match the checksum in the documentation. The differences arose because the MacOS voting application was updated without it being timely reflected in the documentation.
- [2021-10-10] The source code of the i-voting system was made public in GitHub only 10 hours before i-voting began.
- [2021-10-04] Arne Koitmäe, the head of the State Electoral Service (VVK), discusses the possibility to i-vote using smart devices.
- [2021-09-21] Postimees received sharp criticism for publishing a cartoon, which puts the Estonian i-voting system and the Russian i-voting system on the same stick. Postimees reacted by taking down the cartoon.
- [2021-09-09] A research article by Sven Heiberg (SCCEIV), Kristjan Krips (Cybernetica/UT), Jan Willemson (Cybernetica/STACC) and Priit Vinkel (Cybernetica/VVK): “Facial Recognition for Remote Electronic Voting – Missing Piece of the Puzzle or Yet Another Liability?”. The authors studied the applicability of facial recognition for verifying voter identities (not specifically for the Estonian i-voting context). The architectural aspects and the main technical and ethical issues were discussed.
- [2021-09-05] A research article by Bingsheng Zhang (Zhejiang University), Zengpeng Li (Shandong University) and Jan Willemson (Cybernetica): “UC Modelling and Security Analysis of the Estonian IVXV Internet Voting System”. The authors claim that the Estonian i-voting system achieves end-to-end verifiability in practice despite the fact that only 4% (on average) of the i-voters verify their votes.
- [2021-08-28] A research article by Arne Koitmäe (VVK), Jan Willemson (Cybernetica) and Priit Vinkel (Cybernetica): “Vote Secrecy and Voter Feedback in Remote Voting – Can We Have Both?”. The authors discuss the possibility for introducing a feedback channel that would inform a person if someone (or the person themselves) has cast an i-vote in their name. The Estonian i-voting system is used as an example for discussing the possible feedback channel.
- [2021-08-25] A Belgian cryptographer (Olivier Pereira) described a variant of the revoting attack for the vote verification feature of the Estonian i-voting. By forcing a voter to revote (e.g., by simulating a voting application crash before the verification QR code is shown), on revote a malicious voting application can display the verification QR code from the previous (non-modified) vote cast by the voter, while the revote is substituted with the attacker’s candidate. The benefit compared to the silent revoting is that malware does not have to interact with the ID card (or compromise the voter’s phone in the case of Mobile-ID). An obvious fix is for the i-voting system to allow the verification of the last vote only. The developers of the i-voting system have implemented such a feature, but this feature was not enabled by VVK for the local elections.
- [2021-08-13] Starting August 23, the Estonian identity cards will be issued containing the ePassport applet that will contain the cardholder’s photo and fingerprints. The residence permit cards have been issued with the ePassport applet already since 2011. The ePassport applet will not be installed on the digital identity cards, the e-resident’s digital identity cards and the diplomatic identity cards. The introduction of the ePassport applet on identity cards is required by an EU regulation.
- [2021-08-11] Mauno Pihelgas (TalTech) defended his PhD thesis “Automating Defences against Cyber Operations in Computer Networks”.
- [2021-08-09] The procurement for the next-generation SIM-less Mobile-ID solution has taken longer than originally planned. The winner should be announced in September and the new solution should be operational from July 1, 2022. The current Mobile-ID contract with SK has been extended by half a year.
- [2021-08-08] A group of local cyber security enthusiasts are organizing the BSides Tallinn conference with a program committee consisting of well know Estonian cyber security experts. The conference is planned to take place on October 7 in Tallinn.
- [2021-08-07] The Data Protection Inspectorate (AKI) has stated that identification check of a person showing a vaccination certificate is allowed only if there is reasonable doubt. For example, if there are obvious discrepancies – the name of the certificate is of the opposite sex, the person’s appearance does not match the date of birth, and so on. Also, the applications used to verify vaccination certificates should not store or forward the data to third-parties. The Minister of Health and Labor suggested the inspection of vaccination certificate only “visually” as it is assumed that most people who live in Estonia are honest.
- [2021-08-05] RIA has proposed an idea to enable a vaccination status lookup using the document number of the cardholder’s ID card. This would effectively make a person’s vaccination status public, as the document number of a cardholder’s ID card cannot be considered secret. The Health and Welfare Information System (TEHIK) is looking into the legal side of this solution.
- [2021-07-29] The web app kontroll.digilugu.ee created to check COVID certificates provides a misleading status response, as it verifies only the authenticity of the certificate and not whether the COVID certificate satisfies legal requirements (e.g., whether test results are not outdated). Currently, the certificate’s compliance to legal requirements have to be inspected manually.
- [2021-07-28] Geenius journalist Ronald Liive proposes the introduction of a state-level bug bounty program to motive white hat hackers to report vulnerabilities.
- [2021-07-28] A hacker exploited a vulnerability in RIA’s service that allows people to download their document photos using the DigiDoc client. As a result, facial photos of 286,438 persons have been downloaded. The flaw allowed unauthorized retrieval of document photos by sending queries using a fake ID card certificate containing the document holder’s personal identification code. The queries were made from 9,000 different domestic and foreign IP addresses routed through a malware network. The flawed solution was created several years ago. The police has temporarily detained an Estonian citizen, a resident of Tallinn, whose computer was used to download the photos. The downloaded data has been confiscated and the police believes that the data was not transmitted further. The mass download of photos was detected after SK ID Solutions notified RIA of an abnormal number of (OCSP?) queries. The persons whose document photo was downloaded received a notification to their @eesti.ee email addresses. If the leak caused damage, the person can ask RIA for compensation. In RIA’s opinion no damage could have been caused. The government gave RIA 500,000 euros to improve the security of their legacy services.
- [2021-07-24] The number of banking scams is growing. This year already more than 800,000 euros have been lost. If last summer there were 25-30 such cases in one month, then this year there are already more than 50 in one month.
- [2021-07-22] Gert Auväärt became RIA’s director of the Cyber Security Branch. Lauri Aasmann, the current director of the Cyber Security Branch, will continue as an advisor to the Director General.
- [2021-07-21] AS Morrison Invest (morrison.ee) approached the Data Protection Inspectorate (AKI) questioning the legality of kv.ee showing the name of real estate agents for advertisements posted on behalf of legal entities. AKI found it to be in line with good practice, but in turn found that the website morrison.ee that collects personal data does not use an HTTPS connection, the visitor is not informed about the use of Google Analytics cookies, and thirdly, the site does not have the required data protection conditions. AKI issued a precept requesting that these deficiencies be eliminated.
- [2021-07-21] Estonian citizen Pavel Tsurkan (33) was extradited to the US where he pled guilty for building a botnet of more than 1000 routers and allowing his criminal clients to use them as proxies routing their malicious internet traffic through the compromised routers. He also pled guilty in a second case for operating the Crypt4U service since 2013 that allowed criminals to obfuscate their malware. The Estonian national faces two 10-year prison sentences.
- [2021-07-15] Cybernetica has completed the analysis of implementing facial recognition in the Estonian i-voting. The analysis points out problems with false negatives, the requirement for high quality video cameras, privacy issues related to the fact that the captured video may contain other persons and a voter’s home interior, and points out a list of legal challenges. The report concludes that facial recognition is still in its infancy and should be first piloted within other public services.
- [2021-07-15] A Geenius journalist had a look at the mysterious information system SITIKAS created by the State Situation Center. The system is meant to help decision makers and almost 2.8 million euros have been spent on its development. The system uses mostly publicly available information, but the content of the system is classified. Allegedly, the system generates various reports and uses machine learning and neural networks.
- [2021-07-13] The Data Protection Inspectorate (AKI) has reprimanded the Health Board for its official contacting TalTech to ask whether one of the Health Board employees studies in TalTech. TalTech disclosed the information over phone without identifying the questioner and without the legal basis.
- [2021-07-13] For DDOC signatures that have been timestamped after 2018-07-01, the ID software will show a warning “The signature is valid (with a warning)”. Signatures in DDOC format use the outdated SHA-1 hash function whose collision resistance was practically broken in February 2017 and hence any DDOC signatures created since then could be challenged.
- [2021-07-09] RIA has closed an information leak in the state portal eesti.ee, where personal data of 336,733 people could be accessed. The data contained the first and last names, personal identification codes, places of work and, in some cases, links to previous positions. The leak was in the self-service environment that gave representatives of companies the right to manage the access rights of their employees. The leak was part of the intended functionality that was introduced about ten years ago when the approach to data protection and privacy was different than today. The issue was reported by an attentive user. RIA has no information on whether anyone had saved the data.
- [2021-07-01] Personal data of 96 drone pilots was visible in the website of the Transport Agency for two hours. The personal data contained the pilots’ home addresses, phone numbers, e-mail addresses and personal identification numbers. Due to the leak, the registration numbers issued to the pilots will be replaced. Piksel OÜ developed the flight safety monitoring information system (LOIS). The security of the system was tested, but the flaw was detected only after the information system went into production.
- [2021-06-29] MKM is using the EU structural funds to produce 60 thematic biographical video interviews to document the history of the Estonian digital state. The plan is to collect the memories and knowledge of the birth and formation of the digital state, including the development of eID, i-voting and cyber security. The work will be completed in the beginning of 2022.
- [2021-06-29] The UT computer science BSc student Peeter Vahe in his BSc research discovered a race condition flaw in the Tartu Smart Bike Share system, which allows a user to unlock 2 bikes at once using a single account.
- [2021-06-18] The Supreme Court decided that the procedure for storage and use of communications metadata is in conflict with the law of the EU and therefore the state cannot request this data for criminal investigations. The EU law forbids retaining the communication data of all users without distinction, regardless of whether they have any connection with serious crime (the current practice of the Electronic Communications Act). This decision will affect the proceedings where phone logs are the most substantial evidence. The Ministry of Justice is looking for a solution to agree on some kind of a new metadata keeping obligation.
- [2021-06-16] Kaie Maennel (TalTech) defended her PhD thesis “Advancing Cybersecurity Education through Learning Analytics”.
- [2021-06-15] An MSc thesis defended at UT brought to light a security risk concerning signing documents with an ID card via a browser. More specifically, the fact that the signatories are not able to see what exactly the service provider is asking them to sign. The thesis provides the implementation of two solutions. RIA is looking to introduce a solution as well.
- [2021-06-15] A bill has been passed to create a central biometric database ABIS for storing facial images and fingerprints, as currently such data is scattered between several databases. No new data will be collected. The bill has raised concerns regarding cross use of biometric data, as it would allow fingerprints and facial images collected for identification purposes (when applying for an identity document) to be used in criminal proceedings. However, it turns out that since 2012 identity documents database has been used in criminal investigations. While it was possible to compare fingerprints against all fingerprints in the database, ABIS plans to provide the technological capability to match a person’s facial image against facial images stored in the database.
- [2021-06-14] Cyber Security Summer School 2021 took place during June 14-16 in virtual format. The focus of this year’s summer school was on real-world internet voting systems.
- [2021-06-11] The Transport Administration is developing a database in which private parking lots from Helsinki and Riga can obtain personal data of car owners registered in Estonia. The Estonian vehicle owner database has now been opened to Estonia’s private parking lots for imposing fines.
- [2021-06-04] The President of Estonia, Kersti Kaljulaid awarded ENISA’s Executive Director, Juhan Lepassaar, the Order of the White Star, 3rd Class state decoration for advancing EU cybersecurity.
- [2021-06-03] MSc thesis by Taavi Turu (TalTech): “The Role of Co-production in National Cyber Security and Cyber Resilience of Critical Infrastructures: the Case of Estonian Defence League’s Cyber Unit”
- [2021-06-02] A new Estonian information security standard (E-ITS) has been compiled to replace the voluminous information security standard ISKE. The standard contains data on security threats and provides measures for public sector authorities.
- [2021-06-02] RIA organized a seminar “Cyber Security in Estonia 2021” in English. Presentations by Gert Auväärt, Tõnu Tammer, Perit Kirkmann, Mark Erlich, Lauri Tankler and Märt Hiietamm are available in RIA’s youtube channel.
- [2021-05-31] Due to a database error, the health information system was not available for more than two and a half hours in the middle of the working day.
- [2021-05-28] Arnis Parsovs (UT) has published “Security Analysis of RIA’s Authentication Service TARA”. The analysis finds that the TARA protocol might be susceptible to man-in-the-middle and phishing attacks.
- [2021-05-26] The TV investigative program Pealtnägija has published materials and insights from the “passport mafia Marika” criminal case of running an illegal document business with insiders from PPA. A trap was set up with the help of a secret agent who was interested in a document. Video footage and other materials from covert police surveillance activities are demonstrated.
- [2021-05-21] Following a scheduled maintenance at SK ID Solutions, the issuance of Mobile-ID and Smart-ID certificates were disrupted.
- [2021-05-15] An Estonian accounting software company fell victim to a ransom attack and through it the attackers gained access to the systems of one of the Lääne County rural municipality governments. The attack was discovered by CERT-EE before the attackers were able to cause damage.
- [2021-05-13] RIA refuses to disclose how many sessions at once the authentication service TARA can handle, as this would reveal too much of the e-Estonia capability to potential attackers. TARA has been used up to 150,000 times a day.
- [2021-05-13] A court in the US convicted 3 IT specialists that were residing in Estonia for providing bulletproof hosting services to cyber criminals from 2009 to 2015.
- [2021-05-12] There is a plan to amend the Public Information Act that would allow for the classification of documents to last indefinitely. Currently, the access restriction limit for classified documents “information intended for internal use” (AK) is five years. This limit can be extended by another five years to a total maximum of 10 years.
- [2021-05-11] The Data Protection Inspectorate (AKI) has released the 2020 yearbook.
- [2021-05-05] The Estonian Digital Society Development Plan 2030 has been released. One of the areas is national cyber security. Among the plans is to: improve the personal data tracker service; develop the possibility to get all the data stored in the country from the state portal; create a national eID that is free of physical media; update the national cyber security governance model to clarify roles, responsibilities and tasks of organizations; increase the capacity of academic institutions and development centers to implement nationally important cyber security R&D projects.
- [2021-05-03] Liisa Past (former employee of Cybernetica and RIA) has started working as an information security manager (CISO) at the Information Security Department of the Information Technology and Development Center (SMIT) of the Ministry of the Interior.
- [2021-04-27] Over the last couple of years, most of the security testing procurements have been won by the company Clarified Security OÜ. Last year, procurements for up to 2 million and 3.5 million euros were won. Paevaleht looked at the similarities of the procurement specifications and discussed the need to introduce mandatory rotation of security testers.
- [2021-04-22] Äripäev has published a special issue “Cyber security 2021” covering a variety of cyber security related topics: cyber hygiene, i-voting, cybercrime, training of cyber experts and other topics.
- [2021-04-22] Due to a hardware failure, the state authentication service TARA was not available for 45 minutes, as a result of which it was not possible to log into any service that uses TARA.
- [2021-04-15] The government introduced a draft legislation to strengthen rules for assessing eID system trustworthiness and delimiting institutional responsibilities. In addition, RIA will be able to check whether providers of public e-services fulfill the obligation of recognizing international eID solutions arising from the eIDAS regulation.
- [2021-04-13] Due to a software error, the digital prescription service was not available for almost 7 hours.
- [2021-04-09] Arnis Parsovs (UT) defended his PhD thesis “Estonian Electronic Identity Card and its Security Challenges”.
- [2021-04-07] The Mobile-ID and Smart-ID phishing attackers who were detained in Romania last September, sent emails to 100,000 Estonians and managed to steal money from the accounts of nearly 40 people in the total amount to more than 100,000 euros.
- [2021-04-07] RIA released the yearbook “Cyber Security in Estonia 2021”. Some of the covered topics: DDoS ransom attacks, ransomware attacks, phishing attacks, E-ITS security standard, DigiTest cyber hygine training platform, cyber diplomacy, 5G security.
- [2021-04-05] Based on a precept issued by the Technical Supervision Authority (TTJA), Zone Media OÜ blocked access to the websites koroonavabaeesti.ee and kloordiioxidiinfokeskus.ee, which were used to spread misinformation about the anti-COVID drug. The websites were registered by a private person and used the web hosting service of Zone Media OÜ.
- [2021-04-04] Personal data of 533 million Facebook users leaked online. The leak contains personal data of 87,533 users from Estonia. The data includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and (in some cases) email addresses. The dataset was collected by crawling the data made public by users themselves.
- [2021-03-31] The government approved an amendment enabling automatic forwarding of a person’s @eesti.ee mailbox to their contact information in the population register. The population register has almost every person’s contact information (email address and phone number) as it is collected, for instance, when applying for an identity document. Before this change, around 413,000 people of 1.3 million had manually enabled forwarding for their @eesti.ee address. The opt-out in @eesti.ee forwarding was introduced after many elderly people missed invitations to be vaccinated.
- [2021-03-31] E-residency background checks will become more thorough. New data sought from applicants includes information about misdemeanor proceedings initiated against the applicant, prohibition on business as well as bank accounts owned by the applicant or their businesses. To improve user friendliness, PPA has created a new self-service environment for e-residents at https://eresident.politsei.ee.
- [2021-03-26] The Latvian Data Protection Inspectorate did not apply sanctions to the company responsible for the e-shop charlot.ee database leak in which personal data of 14,000 Estonians was made publicly available. According to the Latvian inspectorate, they learned about the personal data of only 168 Latvians being compromised. The Estonian Data Protection Inspectorate (AKI) now regrets not initiating proceedings, as Charlot OÜ had appointed Estonia as the data controller and hence the server’s location in Latvia should not have played a role.
- [2021-03-19] The attackers who downloaded 350GB of data from government servers last November used the security testing tool Acunetix to discover the .git catalogue which had remained public by accident. By using information in the .git catalogue, the attackers were able to upload malicious code and gain access to the servers. The same scanning pattern has been observed lately against companies in the private sector. RIA has purchased a license to the Acunetix tool and is offering it to the public sector.
- [2021-03-17] A former employee of the newspaper Raplamaa Sõnumid was convicted in court of illegally disrupting the operation of the newspaper’s computer system. The employee left the newspaper in 2015 and committed the crime four years later by using Google’s Search Console tool to hide the website https://sõnumid.ee in the Google search engine. The conviction of the county court and the circuit court has been appealed to the Supreme Court.
- [2021-03-17] The Prosecutor’s Office has released a yearbook about 2020. In 2020, various covert surveillance operations were carried out on 729 people. There have been cases where criminals have compromised state systems to mine cryptocurrencies. One of the biggest achievements last year was the detention of three Romanian cyber criminals last September, which was possible thanks to direct contacts with foreign partners. In one criminal case, it was possible to seize 1 million worth of cryptocurrency by transferring it to a wallet held by police. It is not uncommon to see criminal cases being closed without gathering additional evidence if the identified IP address is located abroad.
- [2021-03-17] Due to an error on the SK ID Solutions side, 6000 Smart-ID users received a false SMS alert as if someone had just created a Smart-ID account on their behalf. Turns out the alert was not false, but was sent with a delay. Smart-ID users who created an account on 2021-02-27 or later received the alert on 2021-03-17.
- [2021-03-08] RIA has published a technical report produced by Cybernetica: “Cryptographic algorithms and their support in libraries and information systems”. The report looks at cryptographic primitives and protocols, federated authentication protocols (OAuth, OpenID), cryptographic libraries and crypto file containers. The use of PGP is not recommended anymore.
- [2021-03-04] The birth registration service in the self-service portal of the population register (rahvastikuregister.ee) allows the lookup of a mother’s name and personal identification code by entering a newborn’s personal identification code. A Geenius journalist tried 50 random personal code combinations and in 9 cases was able to see the child’s mother’s name and personal identification code and was able to apply to be registered as the father of the child. A rate limit for number of queries is not present. The officials do not consider this a risk as it only reveals the fact that someone has given birth. The queries leave a trace that can be seen in the data tracker, but to see who exactly viewed the data the child’s mother must contact the Ministry of Interior. The Data Protection Inspectorate (AKI) sees no problem.
- [2021-03-02] The European Court of Justice ruled that the Prosecutor’s Office in Estonia should not grant access to communications metadata as it is not a fully independent party in the conduct of criminal investigations. A good deal of evidence in thousands of criminal cases may prove inadmissible.
- [2021-03-02] MKM has submitted a draft regulation on the security of communications networks. The change mostly affects the radio equipment on the mobile operator masts. The transition away from Huawei equipment would cost Elisa up to 54 million euros over the next five years, for Telia up to 5 million euros, but for Tele2 there would be no additional costs. The government will vote on the draft bill in the autumn.
- [2021-03-02] The National Audit Office (Riigikontroll) has raised several issues related to X-Road. The audit has found that in many cases X-Road data service providers did not enter into service agreements and the public authorities have not audited whether private operators were implementing adequate security risk mitigation measures. The regulation should clarify which security measures should be implemented at what level. The audit has found that there has been one significant disruption in X-Road services during the last three years due to the failure of key components.
- [2021-03-01] A research article by Sven Heiberg, Kristjan Krips and Jan Willemson (Cybernetica): “Mobile Voting – Still Too Risky?”. The article is mainly based on the report “Mobile voting feasibility study and risk analysis” that was released by Cybernetica in April 2020.
- [2021-02-01] Denial-of-service extortion attack took place against one of the banks in Estonia. As a result, online banking, card payments and internal bank services were disrupted.
- [2021-01-22] Thousands of .ee domains were unavailable for a few hours due to an administrative error made by the Zone Media in their name server solution.
- [2021-01-18] For a few hours hundreds of websites hosted at Zone Media were not available due to a network switch failure.
- [2021-01-15] Denial-of-service attacks took place against Estonian financial institutions and technology companies, accompanied by blackmail letters. The ransom demands were between 0.5 to 10 bitcoins. The longest interruption lasted for about six hours. According to RIA, the attackers did not receive any ransom money from Estonia.
- [2021-02-18] The Ministry of Economic Affairs and Communications (MKM) will establish a new state cyber security department joining the current state information systems department (RISO) and the information society services development department.
- [2021-02-18] The LokiBot malware is being distributed using a spoofed e-mail address of the TalTech rector. The phishing email is written in good Estonian and as a pretext invites recipients to participate in a procurement. As a response, TalTech has enabled DMARC so that recipients could detect emails from spoofed @taltech.ee addresses.
- [2021-02-17] An information security specialist of Viljandi Hospital raised a privacy issue of PDF and DDOC signature files being sent for validation to RIA validation service SiVa. According to RIA, data is not permanently stored on RIA servers and the DigiDoc4 client explicitly asks for permission before the file is sent to RIA. The DDOC file validation logic has been moved server side to simplify the DigiDoc4 client-side software. On a side note, people have forgotten that a few years ago, all documents signed using Mobile-ID were sent to the SK DigiDocService.
- [2020-02-16] At the end of 2020, an ID card authentication bypass flaw was found in the Coop Pank’s internetbank environment. Since Coop Pank also provides a bank link authentication service, the eesti.ee e-service and other e-services supporting the bank link option were also affected. A similar flaw was also found in elisa.ee, printincity.ee and arved.ee.
- [2021-02-12] In January 2021, Estonian banks lost more than 200 thousand euros in Smart-ID and Mobile-ID phishing attacks.
- [2021-02-10] The personal data of 5000 persons was leaked from the Mineral Garden (mineralgarden.org – Living Minerals OÜ) online store. The names, email addresses, phone numbers, home addresses, and shopping cart information of thousands of Mineral Garden customers were searchable on Google. The Data Protection Inspectorate initiated a supervisory procedure. The shop is controversial as it distributes a harmful substance advertised as a miracle cure. Postimees published the name of a parliament member, who was found in the leak to have purchased the substance.
- [2021-02-10] From March 2021, RIA will stop supporting bank link in the state authentication service TARA, because the security of bank link authentication mechanisms has not been assessed according to eIDAS regulation. The change will affect approximately 7000 people, which accounts for about 1% of all authentications in TARA. This move has been long awaited as the use of banks as authentication providers has never had legal basis and security flaws in banking systems have put personal data, that is accessible through the bank link, at risk.
- [2021-02-05] The litigation between PPA and the Estonia ID card manufacturer Gemalto has reached a compromise with Gemalto paying the state 2.2 million EUR in compensation. While the press release only mentions the ID card security incident in 2017, the compromise also covers the claim against Gemalto regarding private key generation outside the ID card.
- [2021-02-03] RIA fixed an authentication man-in-the-middle flaw in the ID card browser signing extension. The flaw (a feature to sign raw values using the authentication key) was quietly introduced in 2017 without a proper security analysis. Swedbank began using the feature to authenticate their clients at the end of 2020, because it was considered to be more reliable than TLS client certificate authentication.
- [2021-02-03] Geenius wrote an article about the recent repeated failures of revoking ID cards of deceased persons. RIA in 2019 initiated a supervisory procedure which still has not been completed.
- [2021-01-25] CERT-EE reported that in December 2020, an ID card authentication bypass flaw was found in the website of quick loan provider (credit24.ee), which would have provided the opportunity to take a quick loan on behalf of a stranger.
- [2021-01-26] Liisa Past and Jan Willemson from Cybernetica, in the Digital Government podcast (30min), talk about the historical and cognitive aspects of i-voting and explain how technology and math ensure a secure and trustworthy solution.
- [2021-01-25] Estonian server hosting company Zone.ee experienced a DDoS attack. The attack lasted a total of five hours and affected the company’s operations.
- [2021-01-25] The Ministry of Economic Affairs and Communications (MKM), the State Information System Authority (RIA) and the State Electoral Service (RVT) signed a cooperation agreement to define the division of tasks between the agencies for organizing i-voting security. MKM will organize a security audit. RVT undertakes the development of the i-voting system and organization of security testing and risk analysis. RIA will provide hosting services and perform security testing and logging. RVT and RIA will undertake the procurement of a technical and legal analysis of the possibility of voter identification by facial biometrics. The analysis should be conducted by 1 June 2021.
- [2021-01-24] The Estonian government recently fell and a new one was formed with a new Minister of Foreign Trade and IT: Andres Sutt (Reform). The political position on i-voting has now significantly changed as the coalition agreement seeks to develop a mobile app for i-voting.
- [2021-01-14] The Ministry of Economic Affairs and Communications (MKM) announced a public procurement tender for the audit of the i-voting system. The purpose of the audit is to get a reasoned assessment of the security of the election information systems and proposals for improvements that can raise the level of security. The audit shall be performed by internationally renowned auditors and information security specialists. The deadline for presenting the project’s final report is October 1, 2021.
- [2021-01-05] On 2021-01-05, Smart-ID, Mobile-ID and ID-card authentication and signing services were disrupted for a few hours. The state does not know the reason behind the failures and did not answer whether the question of whether a supervisory procedure will be initiated against SK ID Solutions AS.
- [2021-01-04] On 2021-01-04, SK ID Solutions AS failed to rotate the OCSP signer’s certificate, as a result, for 10 hours OCSP responses were signed with an expired certificate.
- [2020-12-22] A research article by Valeh Farzaliyev, Kristjan Krips and Jan Willemson (Cybernetica): “Developing a Personal Voting Machine for the Estonian Internet Voting System”. The article describes a proof-of-concept i-voting client implemented on a microcontroller. The client only supports Mobile-ID for casting an i-vote. The source code of the client and build instructions have been published in GitHub.
- [2020-12-18] RIA has published a technical report produced by Cybernetica: “Analysis of planned architectural changes in Open-eID”. The work analyzes the proposed alternative to TLS certificate authentication – authentication using a new web browser extension that RIA is currently developing.
- [2020-12-04] The Data Protection Inspectorate (AKI) initiated a supervisory procedure against the Health Board (TA) in connection with the COVID-19 data leak of 9158 persons. However, the Health Board will not be fined, because AKI does not have the power to fine another state agency.
- [2020-12-30] A new version of the Election Information System (VIS) is being developed which will introduce an electronic list of voters making it possible to cancel an already given i-vote on election day with a paper vote. News portal Geenius tried to establish whether the authorities are performing background checks on the employees of private companies, Nortal and Cybernetica, involved in the development of the information systems for elections. Not clear whether such checks are needed as the security of the elections should not depend on the integrity of the developers.
- [2020-12-29] Äripäev’s Russian-language website dv.ee experienced a large-scale DDoS attack. Äripäev’s editor-in-chief believes that the attacks are related to the published story about cryptocurrency millionares in Ida-Viru.
- [2020-12-28] Arnis Parsovs (UT) has published the draft of his PhD dissertation “Estonian Electronic ID card and its Security Challenges”.
- [2020-12-22] An anonymous interview was given for the Kanal 2 television channel where the coronavirus vaccine plan was criticized. The Health Board used a freeware program downloaded from the Internet to remove the voice distortion added to anonymize the source. As a result, the whistle blower was identified and asked to resign from the Health Board.
- [2020-12-18] The Minister of Finance Martin Helme (EKRE) said that Estonian e-elections are not verifiable. The head of the state electoral service refuted the statements of the minister.
- [2020-12-16] Sten Mäses (TalTech) defended his PhD thesis “Evaluating Cybersecurity-Related Competences through Simulation Exercises”.
- [2020-12-16] For years, an IT employee with a state secret permit mined cryptocurrency at the Ämari air base, bought expensive equipment with the Estonian defense budget and smuggled computer components out of the base to sell them in online forums. The purchased goods were not accounted for in the air monitoring division. From 2015 until his arrest in January 2019, the man illegally used devices belonging to the Defense Forces to extract cryptocurrencies worth 30,404 euros and misappropriated at least 190 devices with the total value of 48,935 euros.
- [2020-12-08] The Ministry of Interior sells the residence addresses entered in the population register to commercial enterprises for the purpose of sending advertisements or invitations to participate in surveys. Names, e-mail addresses, dates of birth and personal identification codes are not disclosed to the companies, but the addresses can be purchased by specifying the characteristics such as age, gender and mother tongue. People can opt-out by restricting access to their data in the e-service at rahvastikuregister.ee. In 2019, the data was sold to five customers and the state earned 8,205 EUR.
- [2020-12-07] The Estonian Foreign Intelligence Service (EFIS) allowed an active intelligence officer to give an interview to Postimees. The interview followed strict secrecy rules and Postimees did not learn the agent’s identity. This activity is likely related to the job ads recently put out by the Estonian Foreign Intelligence Service.
- [2020-12-07] The 6th Interdisciplinary Cyber Research conference took place in a semi-online format. The video recordings and proceedings are available.
- [2020-12-02] By exploiting a flaw in the content management software Drupal, attackers compromised servers of the Ministry of Economic Affairs and Communications, the Ministry of Social Affairs and the Ministry of Foreign Affairs. The attackers downloaded 350GB of data from a total of 11 servers. The data mostly consisted of the data in the document management system. However, the attackers were also able to download a database containing data about 9158 corona-positive persons and their close contacts, that was stored as a LimeSurvey database in the Drupal instance of the Health and Welfare Information Systems Center (TEHIK). RIA initiated supervision proceedings, the Data Protection Inspectorate initiated its own proceedings and the Central Criminal Police initiated criminal proceedings of obtaining illegal access to the systems. Members of Parliament suspected that data from the national car registry had also been leaked, but this information was not confirmed.
- [2020-12-01] RIA is developing an environment which will provide the possibility of installing additional smart card applications on the ID card. There are about four companies working on the creation of apps. The proof of concept will be completed by March 2021. RIA will not charge for apps, but it is possible that the use of the app will require a certain fee to be paid to the companies providing the apps.
- [2020-12-01] Internet shops of pharmacies Apotheka, Südameapteek and Azeta.ee allowed anyone to query another person’s prescriptions by entering their personal ID code. The Data Protection Inspectorate issued a precept-warning with a one-day compliance deadline and a penalty payment of 100,000 euros to these three pharmacy chains. The chains complied with the precept by the deadline and suspended the possibility for buying a prescription drug for another person from the e-pharmacy.
- [2020-12-01] Citizen Lab reported that the Estonian Education and Research Network (EENet) hosts Circles surveillance technology that exploits weaknesses in the global mobile phone system SS7 to track people’s phone calls, text messages and location, from anywhere. The technology is sold only to governments, therefore the best guess is that it has been purchased by the Estonian Foreign Intelligence Service to spy on targets abroad. RIA, who are the end-users of the IP addresses, acknowledged that they were used by RIA’s “contract partners”, but refused to name them. Since RIA refused to clarify whether the use of these IPs complied with the EENet’s network policy, EENet blocked traffic to these IPs.
- [2020-11-27] EveryPay AS, which offers payment solutions for Estonian e-shops (used by mTasku), made a mistake which resulted in the bank accounts for a few hundred people being emptied. According to the company, it was a human error in the development which the automatic tests did not catch. All affected customers have received a refund.
- [2020-11-21] Õhtuleht journalists tailed a ministerial car to reveal its misuse. The Minister of Justice asked the Prosecutor General to have the journalists’ activities investigated on the basis of section 137 of the Penal Code – the section on unauthorized surveillance. The Minister of Justice later claimed that this was a misunderstanding.
- [2020-11-21] A book chapter by Kärt Salumaa-Lepik (TalTech), ￼Tanel Kerikmäe (TalTech) and Nele Nisu (Ministry of Social Affairs): “Data Protection in Estonia”.
- [2020-11-20] IT minister Raul Siem (EKRE) proposed using face recognition in i-voting to cut out voter fraud. The Electoral committee responded that the idea is not bad, but may be expensive. RIA supports the idea of using biometrics to identify a person, but acknowledged that this requires in-depth analysis.
- [2020-11-17] RIA held an online information day. Among the topics covered: new ID card browser extension; new CDOC 2.0 encryption format; new Mobile-ID solution; remote ID card certificate update and remote applet loading; the states authentication service TARA; the new information security standard. The video recordings and the transcribed Q&A are available.
- [2020-11-16] The Ministry of Economic Affairs and Communications (MKM) is planning an independent audit and security analysis on i-voting, however, the details of the audit are still unclear. The ministry plans to propose a model where the security management of i-voting will be two-stage – RIA organizes cyber security and MKM checks the whole process and gives the National Electoral Committee an opinion on whether cyber security is organized at a sufficient level to use electronic systems for conducting elections.
- [2020-11-12] SK ID Solutions AS annual conference was replaced with a video presentation. Among the topics covered: SK team has grown; Smart-ID solution is to be implemented in Iceland; SK has teamed up with TalTech to pre-emptively identify and counter phishing scams.
- [2020-11-08] Minister of the Interior Mart Helme (EKRE) made a statement (without providing any evidence) that election results are falsified in favor of a particular political party by those with access to i-votes. The head of the state electoral service refuted all statements of the minister. The Minister of the Interior later resigned due to other unfounded claims in the context of the U.S. presidential elections.
- [2020-11-01] A cyber defense exercise “Cyber Battle of Tartu” for pupils and students was held at the Delta Center in Tartu. The competition was organized by CybExer Technologies. The participants had to find vulnerabilities in the school’s information system, stop the attack on the hospital’s vital systems and prevent a cyber attack aimed at opening the museum’s treasury.
- [2020-10-29] In the second half of July this year, a new way of banking fraud began to spread – telephone phishing calls. As of the beginning of October, the police has reported 90 cases in which fraudsters have been able to cause damage totaling 200,000 euros. Criminals spoof a bank’s Caller ID, use waiting music, read out the customer’s personal identification code or other personal data, and use all means to create the illusion that the victim is indeed talking to a bank employee. The criminals create fear and state that an action is urgently needed. The victim’s phone receives Mobile-ID or Smart-ID authentication requests and the victim thinks that he is being identified by a bank employee. Scammers are speaking Russian and the victims are mainly the Russian-speaking customers. From the audio recording of the fraudulent call to Swedbank, it is possible to hear that the scammers operate a call center – in the background similar calls can be heard being made to other potential victims. Also the phishing e-mails sent on behalf of banks are once again spreading.
- [2020-10-28] Draft regulation specifies requirements for handling interruptions in vital services. The telecommunications operator must ensure that the service is restored within 24 hours if 1000 to 30 000 end users are affected and within 8 hours if more than 200,000 users are affected by the failure.
- [2020-10-26] Cybercriminals stole patient data from a Finnish psychotherapy center. Worries are that the same could happen in Estonia.
- [2020-10-25] The Ministry of Finance plans to register the loans of residents in a central database.
- [2020-10-22] A 20-year old man in Tartu had repeatedly ridden a bicycle from the Tartu Bike Share System without authorization by using a friend of a friend’s password. It was only discovered after the bike was ridden for more than an hour in one session resulting in the 1 EUR fee being sent to the account holder. The man was identified using security camera footage. He pleaded guilty and promised to compensate for the damage caused. The police imposed a financial penalty on the man in misdemeanor proceedings.
- [2020-10-21] The Ministry of Economic Affairs and Communications and the Ministry of Interior have made amendments to ban the use of anonymous SIM cards, requiring identification verification for using pre-paid SIM cards. The amendments are needed to help solve drug offenses as well as other organized crime, where anonymous calling cards are often used. The amendments would also affect messaging app services like Skype, WhatsApp and Viber, requiring them to register as communications service providers and require the same degree of ID verification for their users.
- [2020-10-16] Estonia holds the second place in the world in terms of internet freedom after Iceland. Estonia did not receive all the points because, among other things, the Tax and Customs Board can oblige Estonian service providers to block illegal gambling sites.
- [2020-10-16] A recent audit conducted by the Data Protection Inspectorate (AKI) finds that local municipality governments often unjustifiably mark documents as “information intended for internal use”. Most commonly the wage of employees and their vacation information is hidden. There are rumors that when signing an agreement, some personal information is included on purpose so that access restrictions could be applied. At the same time, there are plenty documents available to the public, containing the full names and contacts of private persons. Sometimes personal data leaks by including personal data in the public title of a non-public document.
- [2020-10-09] The Mobile-ID service was disrupted from 11:20 to 14:30.
- [2020-10-06] The Ministry of Justice has made amendments to prevent mass-download of personal data from the public databases of court decisions and court calendars. Already on 2020-05-08, before the amendments were passed, a robot trap unexpectedly appeared on the website of Rigi Teataja without a legal basis. Previously, journalists had mass-processed the data to inform the public about the candidates of Riigikogu and municipality elections that have been criminally sentenced.
- [2020-10-01] CERT.LV organized the online conference “Cybershock 2020”. Among the participants were Estonians Jaanus Kääp (Clarified Security) and Hans Lõugas (CybExer Technologies).
- [2020-09-30] The Ministry of Economic Affairs and Communications has finished a regulation bill which will restrict the use of non-EU telecoms tech in Estonia, including those from Huawei. Initially, these requirements will affect the providers of vital services such as the communication companies, which have at least 10,000 clients – Telia, Elisa, Tele2, Levikom and STV. Huawei says it will challenge the bill. Elisa CEO claims that there is no real risk from Chinese tech and that the ban on Huawei’s equipment will cost Elisa tens of millions of euros.
- [2020-09-29] Three Romanian nationals were arrested in Romania for being suspected of organizing the Mobile-ID and Smart-ID phishing attacks that started in 2019. The aggregate sum stolen from close to 40 victims totals over €100,000. Estonian police detectives took part in the operation that was carried out in Bucharest. The prosecutor’s office is applying for the suspects to be extradited to Estonia for court proceedings.
- [2020-09-29] The procurement of a new Mobile ID solution is in process. An offer was received from two companies: the first applicant is the current partner SK ID Solutions that wants to continue providing the service, but the second applicant is the Belgian company Belgian Mobile ID, which was set up in 2016 by seven mobile operators and banks. The procurement doesn’t constrain technology too much and assesses the proposals individually. The solution must allow the change of crypto algorithms without going to a service office (i.e., remotely). For the enrollment it can support face-to-face identification, digital identification and biometric identification. Suspension of the certificates must not be supported.
- [2020-09-25] A research article by Mihkel Solvak (UT): “Does vote verification work: usage and impact of confidence building technology in Internet voting”. The study finds that: i-vote verifiers are younger males and Linux users with the verification rate especially high in the 18 to 40 age group; voting from abroad clearly leads to more verification; the cast-as-intended verification leads to higher confidence that ones vote was taken into account.
- [2020-09-18] From August, RIA started monitoring procedures for the implementation of information security measures for all critical databases in Estonia. A total of ten critical databases have been defined: e-file (e-toimik), land register, commercial register, Riigi Teataja information system, land cadastre, state treasury information system, taxpayer register, population register, register of identity documents and state pension insurance register.
- [2020-09-17] The investigative journalism show “Pealtnägija” investigated a scam of fictitious real estate ads targeted at foreign students. While the victims believed that they were transferring money as a deposit for an apartment, they effectively paid an Estonian Bitcoin trader for the scammer’s purchase of bitcoins.
- [2020-09-17] Government will revoke 10 citizenships acquired illegally as the result of a widespread fraud that was committed during the years of 2013-2015 by a criminal group involving PPA employees. Previously, Estonian citizenship has only been revoked once by a government decision in 2016.
- [2020-09-16] A research article by Sven Heiberg (SCCEIV), Kristjan Krips (Cybernetica/UT) and Jan Willemson (Cybernetica/STACC): “Planning the next steps for Estonian Internet voting”. The authors mostly reiterate the discussion points in the report of feasibility of i-voting on smart devices.
- [2020-09-06] A research article by Valentyna Tsap (TalTech), Silvia Lips (TalTech) and Dirk Draheim (TalTech): “Analyzing eID Public Acceptance and User Preferences for Current Authentication Options in Estonia”. The study finds that the ID card is used the most to access e-services; Smart ID holds the second position; username/password and Mobile-ID shares the third choice.
- [2020-09-01] Kaija Kirch, previously a document expert at the Estonian Police and Border Guard Board (PPA), now works for Cybernetica.
- [2020-08-28] After two years, the court has not yet started to resolve the case of PPA vs Gemalto. In August 2019, a preliminary hearing was held where the possibility of finding a compromise was discussed. However, as of 2020-08-28 no compromise has been reached and both parties have submitted a number of different requests that the court has to resolve.
- [2020-08-25] CERT-EE identified almost twenty websites that did not check the certificate revocation information when authenticating users with an ID card. In two cases, there was also no check on whether the certificate was signed by SK ID Solutions. This effectively allowed ID card authentication bypass in these services.
- [2020-08-25] BSc thesis by Sander-Karl Kivivare (UT): “Secure Channel Establishment for the NFC Interface of the New Generation Estonian ID Cards”. The thesis describes the cryptographic protocol that is used to communicate with the Estonian ID card over the contactless interface and provides detailed instructions with code examples in Python, to help software developers create applications that can make use of the new NFC interface introduced in the ID cards issued since December 2018.
- [2020-08-25] BSc thesis by Jekaterina Gorohhova (UT): “Malicious Android app for security testing”. In the context of this thesis, an Android app was developed to demonstrate how a malicious app with a given set of Android permissions can abuse them to collect personal data stored on a user’s device and then send it out.
- [2020-08-21] RIA has banned the social media app TikTok on all phones belonging to RIA employees and has also recommended the ban to other state institutions. The app is considered a security threat as it is collecting far more information about its users than necessary.
- [2020-08-20] July statistics from the state authentication service TARA show that Smart-ID became the most popular identification tool outperforming the ID card. The number of government agencies using TARA in their e-services is currently between 30-40, but RIA expects it to grow to over a hundred. RIA plans to remove the banklink authentication option from TARA at the end of 2020, as the banks are accessed by the same ID card, Mobile-ID and Smart-ID that are directly supported by TARA as well.
- [2020-08-20] Estonia launched the coronavirus exposure notification app “HOIA” (Keep). The app was created in cooperation with 12 Estonian companies – Cybernetica, Fujitsu Estonia, Guardtime, Icefire, Iglu, Mobi Lab, Mooncascade, Velvet, FOB Solutions, Heisi IT OÜ, Bytelogics and ASA Quality Services OÜ. The development was done at the companies’ own expense. The state only paid for an independent security audit that cost 30,000 EUR. The Data Protection Inspectorate and Chancellor of Justice deems the app suitable as the privacy of its users is protected. RIA also recommends using the app, but notes that the requirement for bluetooth to be constantly on creates additional risks.
- [2020-08-14] Research article by Arnis Parsovs (UT): “Estonian Electronic Identity Card: Security Flaws in Key Management”. The article, among other things, provides details about the malpractice of the Estonian ID card manufacturer Gemalto in generating private keys outside the ID card.
- [2020-08-13] Tartu County Court convicted Dennis Einasto of computer fraud that caused nearly €28,500 in damages, of illegally obtaining access to computer systems and of large-scale money laundering. Overall, he was sentenced to 4.5 years in jail. Einasto’s computer contained cryptocurrency and web hosting databases hosting large numbers of usernames and passwords, but which did not belong to him. The cyber crimes were committed on an international scale.
- [2020-08-05] The passwords and e-mail addresses of 27,000 users of an unnamed Estonian advertising portal was leaked. The data was accessible for almost a year without the portal being aware of it. The portal has informed users about the leak and the same account data can no longer be used to enter the environment. Although the portal did not inform the Personal Data Inspectorate (AKI) in time, AKI has not yet made a decision on whether supervision proceedings should be initiated.
- [2020-07-28] Due to a human error, the Ministry of Justice made a report in their document register public that contaied personal data of approximately 1000 people who sought legal advice. The information listed names and the reason the person had obtained legal aid. The Ministry of Justice has not informed the affected persons about the leak as this would have meant further processing of the data, which was intended to be avoided. According to the ministry, the article published by the media is enough.
- [2020-07-27] BSc thesis by Silver Maala (UT): “A Proof of Concept Malware for Interacting with the Smart-ID Android Application”. The thesis presents a proof-of-concept Android malware that can take over the Smart-ID app running on a rooted Android device.
- [2020-07-23] The National Audit Office has published the audit report “Effectiveness of the e-Residency programme”. The report finds that foreigners with a criminal background and/or business ban have become e-Residents, as PPA does not have the capability to perform sufficient background checking for foreigners. Another noteworthy finding is that only 10% of e-Residents have renewed their digital IDs after expiration.
- [2020-07-23] The Ministry of the Interior proposed a bill that would give law enforcement organizations backdoor access to encrypted messaging applications. The idea faced sharp criticism and later the Ministry of Justice rejected the proposal due to the lack of a thorough analysis of the consequences.
- [2020-07-21] The government has made amendments to the “Statutes of the Health Information System” allowing the authentication of subjects using “ID card, Mobile-ID, Smart-ID or other equivalent device”. Historically, access to the Health Information System has only been granted based on authentication using the ID card. The security requirements have likely been relaxed due to the pressing coronavirus situation.
- [2020-07-21] Kert Kingo (EKRE), a member of the Riigikogu’s Legal Affairs Committee, explained why EKRE is so worried about i-voting. According to her, the distrust is created by the fact that it is possible to give an i-vote using another person’s ID card and that i-voting data is destroyed immediately after the elections.
- [2020-07-10] Research article by Kaido Kikkas (TalTech) and Birgy Lorenz (TalTech): “Training Young Cybersecurity Talents – The Case of Estonia”. The paper describes the Estonian experience with the CyberOlympics/CyberSpike program from 2017–2019 and reflects on the lessons learned about talent building in cybersecurity.
- [2020-07-07] Research article by Laura Kask (UT/Proud Engineers) and Kristiina Laanest (RIA): “Determining the Time of Electronic Signing: Legal Requirements and Technological Possibilities”. The authors suggest establishing the time from the timestamp as the time of signing, but fail to address the issues raised in the original article “Time of signing in the Estonian digital signature scheme” by T.Mets and A.Parsovs.
- [2019-12-19] A research paper by Abasi-amefon Affia (UT): “Assessing the NFC Unlock Mechanism of the Tartu Smart Bike Share System”. The paper describes a flaw in the Tartu Smart Bike Share System that can be exploited to create a clone of a victim’s Tartu bus card, which can then be used to unlock the bikes. To create the clone, only the card number printed on the victim’s Tartu bus card is needed (valid numbers can be guessed). The flaw has now been partially mitigated as cloning is still possible, but the task is not that trivial.
- [2020-07-15] MKM is studying the possibility to notify citizens via alternative channels such as WhatsApp and Facebook.
- [2020-07-02] The Estonian Ministry of Foreign Affairs organized an open master class on cyber diplomacy with experts from around the world. Video recording is available on Youtube.
- [2020-07-01] SK intermediate CA certificates have been issued with the “OCSP sign” extension which means that revoking these intermediate CA certificates in the event the key gets compromised will be problematic. According to CA/B Baseline Requirements these certificates have been misissued and SK should revoke them. SK has responded that it does not plan to revoke the certificates and is ready to leave Mozilla CA program earlier than planned (the last 4 still valid TLS server certificates issued by SK will expire by September 29, 2020).
- [2020-07-01] The work of Smart-ID and Mobile-ID was disrupted for about ten minutes.
- [2020-06-30] The state has stalled plans to include information from all guests who stay in accommodation establishments in Estonia in a single police database.
- [2020-06-29] The Interdisciplinary Cyber Research (ICR) conference 2020 has been rescheduled to December. The Cyber Security Summer School has been renamed to Cyber Security Winter School and moved to December. The theme for the winter school will be “Transport as a Service”.
- [2020-06-29] In the period of COVID emergency, Elisa for more than 1,700 people provided a solution for automated Mobile-ID issuance using a self-service portal. The solution was accepted by SK and their auditors.
- [2020-06-27] The 50 EUR limit on contactless card payments put in place during the coronavirus emergency situation will remain in place.
- [2020-06-22] In May fraudsters persuaded a victim to create a Smart-ID account over the phone. The created Smart-ID account was used by fraudsters to purchase services from several financial service providers.
- [2020-06-17] Research article by Valentyna Tsap (TalTech), Silvia Lips (TalTech) and Dirk Draheim (TalTech): “eID Public Acceptance in Estonia: towards Understanding the Citizen”. The researchers conducted a survey among Estonian eID users to find out which of the existing eID authentication options are preferred and why.
- [2020-06-04] The use of eID increased in the period of COVID emergency. As of May, 35 institutions with as many as 114 different applications had joined the state authentication service.
- [2020-06-09] Lithuanian Cyber Security Center found 61 vulnerabilities in Chinese security cameras Hikvision and Dahua used by PPA. According to PPA, the cameras are not available on the public network and PPA has verified that the cameras do not communicate with servers that are not located in NATO or EU member states.
- [2020-06-02] Thanks to IT Academy funding, TalTech has established the “Centre for Hardware Security” led by professor Samuel Pagliarini. The main research directions include the design of reliable microelectronics, measures to prevent reverse engineering, side-channel attacks, the deployment of cryptographic hardware, secure system design tools, and hardware Trojans and backdoors. The long term goal is to build all the right competences to put Estonia “on the map” of Hardware Security and IC design in general.
- [2020-06-01] Research article by Arnis Parsovs (UT): “Solving the Estonian ID Card Crisis: the Legal Issues”. The study analyzes to what extent, while solving the 2017 ID card crisis, the involved parties were able to precisely follow the applicable laws and regulations in the field.
- [2020-05-28] Ahto Truu (TalTech) defended his PhD thesis “Hash-Based Server-Assisted Digital Signature Solutions” and gave an interview in Geenius about universal digital signing and its dangers.
- [2020-05-28] RIA provided an explanation for why they recommended that the National Electoral Committee not enable Smart-ID for i-voting in the 2021 elections. To summarize: (1) Smart-ID has been used in successful attacks; (2) Smart-ID is not a state provided eID solution – if allowing i-voting with Smart-ID, there is no reason to not enable i-voting with other private eID solutions; (3) not enough experience to say if Smart-ID biometrical enrollment is secure enough; (4) the state does not have enough control over Smart-ID to intervene in case of emergency;
- [2020-05-20] The Estonian National Electoral Committee has reviewed 25 suggestions from the i-voting working group and has provided their decision on each suggestion. The most important decisions included not enabling i-voting with Smart-ID and i-voting with a mobile app for the 2021 elections.
- [2020-05-27] SK had a scheduled maintenance on May 28 and 29 due to which the use of ID card, Mobile-ID and Smart-ID was affected.
- [2020-05-27] The Estonian Students Society organized a public discussion about cyber security. Participants in the discussion: Siim Alatalu (Head of EU CyberNet), Märt Hiietamm (Head of RIA Analysis and Prevention Department), Uku Särekanno (European Union IT Agency), Ragnar Õun (Head of RIA Critical Information Infrastructure Protection Department) and Ilmar Üle (CERT-EU).
- [2020-05-26] Dan Bogdanov (Cybernetica) in an interview explains the privacy principles behind the Estonian coronavirus app.
- [2020-05-26] Research article by Anne Veerpalu (UT), Liisi Jürgen (UT), Eduardo da Cruz Rodrigues e Silva (TalTech) and Alex Norta (TalTech): “The hybrid smart contract agreement challenge to European electronic signature regulation”, assesses whether the signature on a smart contract used in an ICO process is functionally equivalent to the qualified electronic signature under eIDAS.
- [2020-05-25] A research article by Mart Oruaas (Cybernetica) and Jan Willemson (Cybernetica/STACC): “Developing requirements for the new encryption mechanisms in the Estonian eID infrastructure”.
- [2020-05-21] Sorainen’s partner, lawyer Kaupo Lepasepp, writes that the digital signature is essentially unforgeable.
- [2020-05-20] RIA has compiled a comprehensive overview of cyber security in Estonia titled “Cyber Security in Estonia 2020”. The compilation mostly consists of excerpts from annual reports of different public sector organizations.
- [2020-05-20] UT student Siim-Alexander Kütt in his BSc research found a flaw in the Tartu Bike Share system which allowed anyone to query the location of any bike and the user ID of the person riding the bike. Turns out that Tartu City previously paid 12 960 EUR to Estonian company SecTeam for a black-box security audit of the system.
https://ee.linkedin.com/in/arvo-saalits took a credit for discovring the previous leak in July 2019.
- [2020-05-18] The Data Protection Inspectorate released its yearbook describing in more detail the data leak in Tartu Bike Share system discovered in July 2019. Arvo Saalits in his Linkedin profile has taken the credit for the discovery of the flaw.
- [2020-05-19] LHV bank accidentally leaked names of 200 LHV customers by sending a mass email with the recipients in the CC field. According to the Data Protection Inspectorate, the data controller must notify the Inspectorate of a personal data breach within 72 hours of the incident, but whether it is a breach or not, the bank must assess it itself.
- [2020-05-14] From May 14 to 16 a Smart-ID phishing campaign was run imitating SEB bank page.
- [2020-05-14] MKM plans to hire an official who will focus on the i-voting risks. In order to apply, the applicants had to write an essay on the topic “Problems of risk management related to e-elections”. Five people applied but the results are not yet known.
- [2020-05-12] KAPO released their annual review describing a flaw in the free email provider’s mail.ee website (opening an email triggers XSS). By opening a specially crafted email, mail.ee user account was automatically configured to enable an email redirect to the attacker’s email address. The flaw was exploited against a small number of mail.ee users who were of interest to a foreign country. Another attack described in the review is a phishing email used to try to gain access to some email accounts of the University of Tartu. According to KAPO, the attack was organized at the instructions of the government of Iran.
- [2020-05-12] Riigikogu amended the Electronic Communications Act providing that in order to ensure national security, the government may, by a regulation, impose an obligation on a communications undertaking to notify the hardware and software used in the communications network and to apply for a permit to use the hardware and software of the communications network. These amendments are most likely targeted to exclude Huawei from 5G deployment.
- [2020-05-07] RIA’s new yearbook provides a good overview of the current and upcoming work of RIA – the state network, DigiDoc4 software, e-voting, critical information infrastructure protection and CERT-EE activities. Some highlights:
– Starting from July 2021, the ID card chip will contain the cardholder’s picture and fingerprints in addition to their personal data file.
– RIA is considering enabling a single sign-on service (SSO) to be used for the state authentication service.
– RIA is introducing a consent service to allow citizens to share their health and other data with service providers (e.g., health insurers).
- [2020-05-06] TalTech and Estonian Maritime Academy received 2.5 million euro funding to establish a maritime cyber security center. The five-year project plans to supplement the existing master’s and doctoral study programs, organize trainings and conferences.
- [2020-04-22] Cybernetica released the report “Mobile voting feasibility study and risk analysis”, which found that introducing a mobile i-voting application has its risks but is possible. The National Electoral Committee, however, in their 2020-05-20 meeting decided not to introduce it in the 2021 elections.
- [2020-04-21] EKRE has formed a committee in riigikogu with the aim to make i-voting transparent. Former minister of IT and foreign trade Kert Kingo is chairman of the committee.
- [2020-04-18] According to RIA, in April 18 denial-of-service attacks sharing a similar handwriting were executed against the e-services eesti.ee, id.ee, emta.ee, elron.ee and elisa.ee. RIA was also notified about DoS attacks against eKool.eu and SK ID Solutions. On April 22, the availability of Luminor’s bank website was disrupted as a result of a DDoS attack on a Lithuanian service provider.
- [2020-04-17] RIA has made its internal chat and file sharing platform publicly available. The services were built using open source solutions Rocket.Chat and Nextcloud. The solutions have been pentested by the order of RIA. A Twitter user noticed that the chat service has a public list of its users with their last names, birth dates and personal ID codes.
- [2020-04-15] A UT professor obtained information from UT about the student who left negative feedback about the professor in the anonymous study information system (OIS) feedback form.
- [2020-04-15] The pensioner who organized document forgery in PPA was sentenced to long-term imprisonment.
- [2020-04-15] The use of Smart-ID was disrupted between 11:18 and 23:00. The error was caused by a problem with the database.
- [2020-04-13] The Cyber Defense Unit of the Defense League provided support for the Health Board by processing and visualizing COVID data using various data sources.
- [2020-04-06] According to RIA a fraud scheme is becoming popular, where criminals send a convincing e-mail to HR managers in the name of the employee requesting their salary to be transfered to a new bank account from the coming month.
- [2020-03-26] Podcast with Marko Belzetski (Clarified Security) discussing Android and web application penetration testing.
- [2020-03-24] The state has analyzed the spread of the coronavirus by analyzing mobile phone location data. This raised privacy concerns and the Chanchellor of Justice examined the constitutionality of the use of data. Aggregate data was prepared by mobile operators and sent to Statistics Estonia. Google used its data to provide similar mobility analysis.
- [2020-03-23] Research article by Luukas Ilves (Guardtime) and Anna-Maria Osula (Guardtime/TalTech), “The Technological Sovereignty Dilemma – and How New Technology Can Offer a Way Out”, discusses 5G and related topics.
- [2020-03-12] Statistics from the state authentication service shows the usage popularity of eID tools: ID cards are used 44% of the time, Smart-ID 30% and Mobile-ID 22%.
- [2020-02-04] MKM has published the report “Estonian Cybersecurity R&D Concept” prepared by TalTech. The report gives a good overview of the research institutions and people conducting cybersecurity related research in Estonia.
- [2020-02-04] A US journalist wrote an article about Estonia and cybersecurity featuring Cyber Defense League and others.
- [2019-12-18] A member of the i-voting working group, Heldur-Valdek Seeder, published video recordings of the working group’s meetings on a personal blog. Initially, the minister Kert Kingo wanted to classify the content of the working group, but the majority of members did not support this idea, hence there may be no basis to request removal of the published videos.
- [2019-06-05] MSc thesis by Gregor Johannson (TalTech): “Technical Prerequisites for Enabling Third-Party Applications on the New Estonian ID-card”.
- [2019-06-06] BSc thesis by Pavel Kargin (TalTech): “Testing the Compliance of the Estonian Electronic Document to the Technical Specification”.
- [2018-05-31] BSc thesis by Kristel Merilain (TalTech): “Business and Risk Analysis of Electronic Identity Tools Used in Estonia”.
- [2020-03-10] The company Unicount has developed an e-service which allows companies to be registered in Estonia using Smart-ID. Companies in the Estonian Business Register can only be directly registered using an ID card or Mobile-ID. The Smart-ID company registration service provided by Unicount is using the company registration API that has been offered since 2017 by the Estonian Business Register.
- [2020-03-06] A large-scale cyber attack simulation exercise developed by CybExer Technologies was conducted bringing together 12 Estonian companies and institutions.
- [2020-03-03] Yet another cybersecurity index has placed Estonia in the 58th position. According to the study, 1.59% of mobiles and 13.2% of computers in Estonia are infected with malware.
- [2020-02-26] For several years, the Estonian ID card software recognized digital signatures created with revoked certificates as valid signatures. Software libraries used by Estonian e-service providers are likely still affected. The EU-developed eSignature DSS library and libraries used in other EU countries are also affected.
- [2020-02-26] A Smart-ID account can now be created using biometrics. In the enrollment process the Smart-ID app over NFC retrieves person’s photo from their biometrical passport and uses phone’s camera to perform face recognition. For biometrical passport reading Smart-ID uses Dutch company’s InnoValor NFC-based ReadID software, but for face recognision a cloud service provided by UK company iProov. Contrary to the claims, the security guarantees provided by this technology are quite weak, since the facial verification technology at best can verify only the presence of the person and not their intent to create a Smart-ID account. Fortunately, the person is required to confirm their intent either using previous Smart-ID account (including non-qualified) or a security code sent over email or SMS.
- [2020-02-26] Self-censorship at UT. The university decided not to publish an article in the University of Tartu magazine, Universitas Tartuensis, about a cooperation agreement between the university and Huawei. Since the Chinese company Huawei is perceived as a potential threat to national security, the Huawei topic has become sensitive.
- [2020-02-25] Teachers and system owners of e-school environments are discussing the acceptable duration of an authenticated session after which the user is automatically logged out. According to RIA, session length is not specified in the ISKE implementation guide and it is up to the system owner.
- [2020-02-20] The e-shop reset.ee closed its doors leaving at least 275 customers without money. The police do not consider it a scam but a a civil offense, inviting victims to file a claim in the bankruptcy proceedings.
- [2020-02-12] The state pays for Smart-ID on a per use basis – the more users use Smart-ID, the more the state will have to pay (SK offers volume discounts). Smart-ID users outnumber Mobile-ID users two-to-one today. At the end of 2019, there were 230,000 Mobile-ID users and 430,000 Smart-ID users.
- [2020-02-12] The state’s Mobile-ID contract will expire in 2022. RIA and PPA will announce the procurement for a new eID solution this year. The state does not want to copy Smart-ID, but instead use something else possibly based on biometrics.
- [2020-02-12] The Estonian Foreign Intelligence Service has published their 2020 report. It contains a section on Russian cyber operations in 2019 and mentions potential Chinese threats including Huawei.
- [2020-02-12] A ridiculous incident was reported which highlighted the core weakness in Mobile-ID (and Smart-ID). A customer of Luminor Bank unexpectedly logged into a stranger’s bank account. The customer accidentally entered the wrong username and the correct owner of the username confirmed the login with his Mobile-ID. The bank acknowledged that similar incidents have happened before. SEB bank also confirmed similar incidents.
- [2020-02-12] RIA is analyzing the risks of enabling i-voting on iOS and Android mobile devices. It will also have to be decided whether to allow voting using Smart-ID in the next elections. The final decision will rest with the National Electoral Committee.
- [2020-02-11] RIA and PPA launched a cybercrime information website (cyber.politsei.ee) where people are asked to report suspicious emails, account hijacking, money stolen from accounts, etc. The data will be used to inform the public about new crime schemes and to help investigate cases.
- [2020-02-10] After the Tartu Smart Bike Share website had a security flaw which gave access to personal data of registered users, the Data Protection Inspectorate conducted a proceeding on the activities of the Tartu City Government over a longer period of time and concluded that the data leak did not pose a risk to users.
- [2020-02-05] The Estonian ID software introduced an option to sign documents with Smart-ID. Smart-ID signing in DigiDoc4 client uses the additional security measure of the Smart-ID app – the users have to choose the right verification code out of three (similar to LHV bank). Smart-ID support is also planned for Android and iOS DigiDoc apps.
- [2020-02-04] Remote verification will be launched in the e-Notary self-service portal enabling notarial acts to be carried out at Estonia’s foreign representations without physically visiting a notary’s office. In order to perform remote verification, the customer will need an Estonian ID-card, digital ID, Mobile-ID or an e-resident’s digital ID. The personal identification system of the participants will use Veriff’s biometric face recognition technology.
- [2020-01-30] RIA introduced a state signing service (SiGa) to replace DigiDocService. The service allows the creation of documents digitally signed with ID card and Mobile-ID and the validation of signatures. The service is provided to all persons performing public tasks. The software used by the service is public and allows anyone to run a similar service themselves.
- [2020-01-17] UT, CybExer Technologies, NATO CCDCOE, Thinnect and Elisa Eesti will create a cyber defense environment in the simulation of critical information infrastructure protection on a cyber training ground (whatever it is).
- [2020-01-16] A draft bill initiated by MKM would require telecoms to seek state permission when introducing new hardware and software. The security of any new tech will additionally be monitored by RIA, the Internal Security Service (ISS) and the state’s foreign intelligence agency. The restrictions are likely motivated to keep 5G networks away from the Chinese company Huawei, which is suspected of being controlled by the communist Chinese government.
- [2020-01-15] Estonian-based web security company WebARX found a critical vulnerability in the popular WordPress plugin InfiniteWP Client and WP Time Capsule.
- [2020-01-14] Cybernetica will create an automated threat information system between the US Air Force and the Estonian Defense Forces. The US-Estonian cyber-security alert information exchange system will cost €3.54 million. The contract was granted to Cybernetica without competition.
- [2020-01-14] In 2019, PPA instituted 12 disciplinary proceedings due to police officers making non-work related inquiries to the police information system. The police officer who made 35 queries was fired.
- [2020-01-10] Due to technical issues at RIA, the notification service using @eesti.ee email address was disrupted between December 19 and January 7. In total 85,000 emails were not delivered in this period.
- [2020-01-10] Geenius has contacted the biggest banks in Estonia, asking whether they have enabled security features to prevent criminals using their domain names in e-mail spoofing attacks. Danske Bank, Svenska Handelsbanken, Citadele, SEB and Bigbank has introduced DMARC to prevent e-mail spoofing attacks. Swedbank is still (already for a half a year) considering implementing DMARC. In LHV’s opinion, DMARC implementation is too complicated.
- [2020-01-08] A family doctor helpline service has been opened offering personalized advice. The hotline staff will have access to a patient’s medical records if the caller grants consent authenticating with Mobile-ID or Smart-ID.
- [2020-01-07] The court denied the early release of Aleksei Vasilev, a 20-year-old student from Kingisepp convicted for finding flaws in the computer networks of Estonian state agencies on the orders of FSB. His 4-year sentence will end on November 4, 2021.
- [2020-01-04] The Minister of the Interior was asked how many cases of illegal surveillance have been investigated by authorities. According to the response, 17 cases of private surveillance were registered in 2016, 71 cases in 2017, 22 cases in 2018 and 24 cases in 2019. There was one confirmed case of illegal surveillance and covert listening in 2017.
- [2020-01-03] The database leakage of e-shop charlot.ee will be investigated by Latvian Data Protection Inspectorate, as the leaked database contained more data about clients in Latvia.
- [2020-01-03] SK ID Solutions has paid a contractual penalty to AS LHV Pank for disruptions in the functioning of the Mobile-ID service, as the maximum permitted downtime of 45 minutes was exceeded in 2019. SEB, Swedbank and Luminor refused to disclose whether they have sought contractual penalties from SK ID Solutions.
- [2020-01-01] Personnel rotation in RIA. In December, Andrus Kaarelson, Deputy Director General of the State Information System Branch at the RIA has left RIA returning to work in the private sector. Margus Arm, previously the head of the Electronic Identity Department has been appointed Deputy Director General of the State Information System Branch. The new head of RIA’s Electronic Identification Department is now Mark Erlich. In December, Lauri Aasmann took over as the new RIA Deputy Director General for Cybersecurity. Aasmann came to RIA from the NATO CCD COE, where he led a team of lawyers. Previously, he worked as a lawyer at Swedbank AS and as a prosecutor at the Northern District Prosecutor’s Office and Tallinn Prosecutor’s Office, where he dealt with white-collar crime and cybercrime.
- [2019-12-31] A software engineer found a flaw in the Elisa home router which gives access to the management password and access to the router over SSH. Elisa claims that this flaw can only be used by clients themselves, but cannot be used to access other client’s devices.
- [2019-12-28] Märt Põder gave the presentation “DEBRIEF ON E-VOTING IN ESTONIA” at the 36th Chaos Communication Congress (36C3), explaining his view on the i-voting in Estonia.
- [2019-12-23] A fraud case involving fake tara deposit checks caused €12,925 in damages. The fake checks were printed with a cashier printer on the same paper as the real checks. The criminals understood the composition of the bar code and configured the printer so that the printout would deceive the Maxima checkout system that prevents the use of a copy of a check receipt. It turned out that the checks were printed by IT specialist from the company that serviced tara vending machines at Maxima stores. The criminals were tracked down using CCTV footage that is stored by the store for 30 days.
- [2019-12-23] The Supreme Court expressed its position in the case where a woman gave her ID card and PIN codes voluntarily to a man who ordered some merchandise in her name from Telia e-shop using ID card authentication. The case has been sent back to district court. According to the Supreme Court, in case the owner voluntarily gives his ID card with PIN codes to another person who uses the ID card to enter into a transaction, the transaction (or digital signature) may be valid based on the provisions of “entry into transaction through representative” (General Part of the Civil Code Act – GPoCCA – Chapter 8). As the court referenced GPoCCA § 131, this construction can still be attacked and the signed contract later annulled.
- [2019-12-21] MyHits radio uploaded, on Google Docs, a publicly available document containing names, phone numbers and email addresses of all participants in their prize game. The link was embedded in the source code of the prize game website. The subjects and Data Protection Inspectorate have been informed.
- [2019-12-20] A group of Estonians used blank chip and PIN cards containing stolen credit card data to empty bank accounts of Indian, Bangladeshi and Pakistani victims. The criminals also attempted to order 17 phones in total from Klick using a Japanese credit card, but were reported to the police.
- [2019-12-19] The Supreme Court of Estonia ruled that the bill expanding EDF surveillance rights is unconstitutional. The court said that the covert collection and processing of personal data may be necessary for the effective defense of domestic and external peace, however, legislation should establish efficient procedural guarantees similar to those set out in the Code of Criminal Procedure, in order to eliminate the possibility of the person against whom surveillance is conducted not being informed of the EDF having processed their data.
- [2019-12-18] A secret camera was found at a metal company AKG Loots. The high-tech camera was installed under the ceiling of the production workshop and was in constant communication. Industrial espionage is suspected, as the company has several international clients with classified contracts.
- [2019-12-17] From 2020 PPA will introduce a 5 EUR fee for obtaining a new ID card PIN envelope.
- [2019-12-16] Mobile-ID was down for two hours.
- [2019-12-14] A Viljandi hospital patient learned that a hospital nurse had viewed her health information and shared it in Facebook messages with her friend. The nurse has been fined for data breach.
- [2019-12-12] The i-voting workgroup published the full report with 25 proposals to improve the i-voting system enhancing credibility and managing risks. In the IT Minister’s opinion, several important directions have been outlined and following working groups should be set up to go deeper into the more specific topics. In Märt Põder’s opinion, the report is a failure as the verifiability(?) issue has not been addressed.
- [2019-12-12] Florian Hartleb wrote an article “e-Estonia. Europe´s Silicon Valley or a new 1984?”. The article mentions X-Road, personal ID code, DDoS attacks in 2007, Infineon ID card crisis in 2017 and data embassy project. Contrary to the title, the privacy aspects are not discussed in depth.
- [2019-12-06] Former Minister of Rural Affairs Mart Järvik claimed that he had detected “bugs” in his office in one section of the ceiling. He tried two eavesdropping detection devices borrowed from his friends. Later, according to an unnamed source, the detected device turned out to be a device for amplifying Wi-Fi signals.
- [2019-12-05] A cryptographer from the Republic of Senegal published a subtle attack against the Smart-ID clone detection mechanism described in the original Smart-ID paper. The flaw allows an attacker who has cloned a victim’s Smart-ID app instance to forge signatures before the victim has used his instance, such that when the victim uses his Smart-ID instance, the attacker’s clone which was used to forge signatures is not detected by the server. The flaw lies in the fact that according to the protocol description, the next expected request ID is set by the client and not the server, which means that after the attack the attacker can reset the next request ID to match the request ID stored in the victims Smart-ID instance, thereby leading to the victim’s next request to be accepted by the Smart-ID server. SK has responded that the actual Smart-ID implementation uses an updated clone detection mechanism which is not affected by this flaw.
- [2019-12-03] Toomas Vaks, former RIA Deputy Director General for Cybersecurity, wrote an opinion piece about cyber risks.
- [2019-12-02] Agu Kivimägi wrote his thoughts about the recently highlighted issue that the time of signing of a digitally signed file can be changed.
- [2019-12-02] SEB has made an update to its Android mobile app, which now allows SEB customers to make payments by touching a payment terminal with their mobile phone. The app can be used to pay for mobile purchases up to €150 if NFC has been enabled on the phone.
- [2019-11-29] Phishing attacks against Smart-ID users have advanced. Now attackers are performing active attacks and displaying to victims the correct Smart-ID verification code. The usual defense of comparing verification codes does not work anymore. Now the only defense is to verify that the authentication is performed in the expected web site.
- [2019-11-29] CERT-EE warned about scam emails sent in the name of SEB bank. A victim from Tartu lost €4,777 in the scam. Security specialists have pointed out that SEB is endangering their clients by not configuring SPF+DMARC to prevent email spoofing using seb.ee domain.
- [2019-11-27] Registration of marriage is one of the few things that cannot be concluded digitally. The state is now analyzing the possibility of making marriage registration easier and partly accessible through the state portal eesti.ee.
- [2019-11-26] People sent letters to the Ministry of Justice and the Chancellor of Justice expressing their dissatisfaction with the fact that the real estate owned by them can be searched in the electronic land register by anyone. The land register has now been modified such that only an authenticated user would be able to search for real estate by name or personal identification code leaving an audit trail.
- [2019-11-20] A communication channel has been set up between the police and Facebook, allowing police officers to access Facebook account holders’ information in minutes if police the estimates that there is a real risk to human life. If there is no immediate threat, the request will take longer, sometimes a couple of days. In 2019, PPA asked Facebook about 88 accounts, requiring quick response nine times. Account freezes have been requested for 14 accounts.
- [2019-11-20] Using a fake Facebook account, death threats were made towards Reform Party leader Kaja Kallas. According to PPA, the perpetrators are based in Sweden and therefore Kallas’ life was in no immediate danger.
- [2019-11-20] Rats seriously damaged RIA’s underground optical cable affecting the operation of eesti.ee and the services of the Health Insurance Fund. Although physical network connections are duplicated, these e-services failed to automatically move to another channel.
- [2019-10-30] The Estonian Research Council has financed the creation of a programmable USB device with a RGB LED and button, which can be programmed, for example, to emulate a keyboard and send key strokes after it is plugged into the computer. The device was given out to high school students in the Robotex event.
- [2019-09-25] The requirement for an age check when ordering alcohol online is not enforced by all e-shops. Some parcel terminals require the ID card of an adult to be inserted, but the terminal does not ask for a PIN code (which means that the process does not involve any cryptography).
- [2019-04-26] TalTech in cooperation with others have created a High School Cyber Security Selection Course Digital Textbook. The textbook contains material on various topics and includes a lot of unseen video materials.
- [2017-01-27] In Tallinn Circuit Court, defendants contested the integrity of an electronic evidence (a virtual machine image containing Skype logs), based on the fact that the integrity of the disk image was provided by calculating the hash using the outdated MD5 hash function. The defendants demonstrated a practical MD5 collision attack by showing that when opening two visually different image files the calculated MD5 hash value of the files was the same. The court correctly noted that while the MD5 function is not collision resistant, it is still second pre-image resistant guaranteeing the integrity of the collected evidence.
- [2019-11-12] RIA organized information day. The topics covered: new Mobile-ID procurement, closure of DigiDocService, authentication gateway, developments in eID field, signature service, X-Road and others. Full video recording available online (in Estonian).
- [2019-11-11] RIA decided to support with EUR 5,550 grant the association for the visually impaired as a compromise for RIA’s failure to support screen readers in DigiDoc4 client.
- [2019-11-11] Supreme Court is discussing EDF law expanding surveillance rights. Chancellor of Justice Ülle Madise has found that the amendments are constitutional, because they do not allow for the restriction of individuals’ fundamental rights any more than the legislation currently in force.
- [2019-11-11] Telia offers NFC-enabled SIM card that can be used in the phone to validate ride on public transport in Tallinn.
- [2019-11-07] SK ID Solutions annual conference was held second time in English. Presentation slides available.
- [2019-11-04] Estonia is planning a system that would collect data from hotels to alert the authorities when somebody on a watchlist checks in. Dan Bogdanov discussed how to build a totally anonymous electronic accommodation card.
- [2019-11-04] UT researchers performed interdisciplinary research studying Estonian digital signature compliance to national and EU legal requirements. The finding is that the “Signed on” time displayed by DigiDoc software cannot be trusted to establish the actual time of signing. Other finding is that due to the certificate validity suspension option, vast majority of digital signatures created as of now cannot be verified according to legal requirements.
- [2019-10-31] From next year, the Consumer Protection and Technical Surveillance Authority (TTJA) will have the rights to restrict access to e-shops and mobile apps, and will have the right to find out who are the customers of the telecom operators.
- [2019-10-28] Storm caused extensive power outage that disrupted internet connection in south of the country. Border crossing was disrupted for several hours. Better preparation for next storm needed.
- [2019-10-25] Justice ministry conducted an audit into whether judges had accessed documents in the court information system regarding cases in which they do not take part. Judges warned that such audits would undermine judges’ confidence in and willingness to use the information systems.
- [2019-10-25] Märt Põder shared a photo from IT minister’s i-voting work group and discussed the risk of i-vote selling.
- [2019-10-23] Tele2 blocked foreign phone numbers associated with massive fraudulent call wave. By contrast, Telia and Elisa are not yet blocking the numbers, claiming that intervention of a regulatory body is required.
- [2019-10-23] IT and foreign trade minister Kert Kingo submited resignation. MKM workgroups will keep working. The new IT minister is Kaimar Karu. In his view the transparency of i-voting should be improved.
- [2019-10-21] Full list of all concerns raised by the IT Minister Kingo’s i-voting working group has been published.
- [2019-10-18] The Estonian state will form a large cyber security policy council. MKM wishes to involve 32 different parties. The tasks of the council will include sharing information on sectoral developments and challenges, building situational awareness on cyber security, and addressing cyber security policies.
- [2019-10-09] Data Protection Inspectorate issued memorandom inviting public authorities to not store data on public cloud services, because the confidentiality of the data may not be guaranteed and also the access to data in case of emergency may not be provided.
- [2019-10-05] Research article by TalTech researchers: On Positive Feedback Loops in Digital Government Architecture. The case of Estonia is presented.
- [2019-10-03] The state wants to reduce the dependency on a single trust service provider and considers running their own trust service provider. Currently ID card and Mobile-ID both depend on SK ID Solutions. SK is ready for competition – Smart-ID provides them with alternative markets.
- [2019-09-30] In September, Smart-ID downtime exceeded the allowed limits due to the problems with failing hardware. This year, three Mobile ID interruptions have exceeded allowed limits.
- [2019-09-30] DigiDocService will be shut down in October 2020. Mobile-ID service will be provided over REST API similar to Smart-ID. Other services (signature and certificate validation) will not be supported.
- [2019-09-26] LHV bank decided to enable Smart-ID API call that requires their clients to choose in mobile app the correct Smart-ID verification code from the three suggested ones. The change is aimed to force their clients to compare the verification codes shown by the Smart-ID application. Unfortunately, such measure helps only against phishing attacks using static phishing pages.
- [2019-09-25] The state is looking for next generation Mobile-ID. This is partly motivated by the eIDAS requirement for expensive security certification of currently non-certified SIM card platforms.
- [2019-09-24] Software error disrupted emergency calls for 20-minute period. In total, 26 people called emergency services during the affected period but were called back later.
- [2019-09-19] Researchers discovered “Simjacker” vulnerability that exploits technology embededed on SIM cards used over the world. According to representatives of Tele2, Elisa and Telia, the SIM cards issued in Estonia do not use technology that would enable the attack.
- [2019-09-13] RIA plans to eventually remove the bank link as an authentication option in government e-services.
- [2019-09-13] RIA finished price negotiations with SK ID Solutions and have introduced Smart-ID for authentication to government e-services. RIA has assessed that Smart-ID authentication solution provides eIDAS security level “high”. Support for signing using DigiDoc client will come in the future.
- [2019-09-12] Ministry of Foreign Affairs will launch a cyber diplomacy department headed by Heli Tiirmaa-Klaar, a diplomatic representative with special powers in the field of cybersecurity.
- [2019-09-10] EuroPark has obtained the details of 6000 vehicle owners who have not paid the parking fee. Previously the court ordered Estonian Road Administration to share car owner personal data with EuroPark.
- [2019-07-09] Research article by Emin Caliskan, Risto Vaarandi, Birgy Lorenz (TalTech): Improving Learning Efficiency and Evaluation Fairness for Cyber Security Courses: A Case Study. They present a case study on the Cyber Defense Monitoring Solutions course from TalTech Cyber Security MSc program.
- [2019-09-03] OSCE assessed Estonian 2019 parliamentary elections and have produced report containing recommendations for i-voting. According to OSCE, the Election Service should develop a strategy to reduce the risk of internal attack before the next election, and should also publish third-party risk assessments, audits and other reports before the next election.
- [2019-09-03] Uku Särekanno, head of cyber security at RIA, starting October will take up duty at the European Union’s IT agency eu-LISA, where he will coordinate the deployment of new large-scale databases in the Schengen area. RIA will be looking for new Deputy Director General.
- [2019-09-03] Estonian passports will be manufactured by ID Global Solutions Limited. They will provide all the templates and equipment but PPA will print them. Currently Gemalto OY provides the service (until 2021). To mitigate the risks the state prefers to purchase ID-1 format documents and travel documents from different companies (source: Lips et al.).
- [2019-08-29] I-voting workgroup members have submitted 30 suggestions for improvements. Among them is the proposal that the number of people involved in conducting and supervising elections should increase and to raise the number of independent observers at election counts.
- [2019-08-23] MoD announced MSc thesis scholarship competition in categories: cryptography; situational awareness; accounting of defense material; planning and management of defense infrastructure; drones. The Master’s thesis scholarship competition is aimed primarily at students entering the Master’s program, but applications may also be submitted by second-year students who have not yet chosen a Master’s Thesis.
- [2019-08-15] Minister of Finance showed Director General of PPA printout with the line that the document has been digitally signed. It turned out that the document was only a draft which has not been signed. This created a discussion on whether the printout was a forgery.
- [2019-08-06] The Estonian government approved objectives to simplify processing of identity documents at foreign representations by introducing online applications and streamlining of passport deliveries by mail. Contrary to government proposal, PPA thinks that mailing documents has security risks and is currently not working on such plan.
- [2019-08-07] Microsoft Security Response Center published the list of 75 most valuable security researchers who have contributed to securing the Microsoft’s customers and the broader ecosystem this year. Estonian Jaanus Kääp is among them. He was there also last year.
- [2019-08-07] Gemalto left Estonia without paying to PPA legal expenses of litigation process.
- [2019-07-31] Visually impaired people claimed 10 000 EUR from RIA due to faulty DigiDoc4 software that did not support screen readers for nearly a year. RIA refused to pay.
- [2019-07-28] Silvia Lips, Krista Aas, Ingrid Pappel and Dirk Draheim wrote an article “Designing an Effective Long-Term Identity Management Strategy for a Mature e-State” where they analyze the process of developing identity management strategy white paper.
- [2019-07-26] Head of SK ID Solutions reported about a scam where criminals promise several thousands of euros in earnings. During a Skype call people are asked to share access to their computer. After making the connection, people are prompted to insert ID card into the computer and criminals use it to create a Smart-ID account on behalf of the person. This is quite extreme scam which is hard to prevent with technological means. Nevertheless, these scams should not be used as an excuse for the scams that rely on the poor security design choices of Mobile-ID/Smart-ID.
- [2019-07-23] IT minister to establish cybersecurity working group whose task will be to coordinate the implementation of the 2019-2022 cybersecurity strategy. This is the third strategy document for the cybersecurity and safety field that defines a longer-term vision for the sector, the objectives to be achieved, and priority courses of action, roles and responsibilities for achieving it.
- [2019-07-22] The first-ever Tallinn Summer School of Cyber Diplomacy was held in Estonia, bringing to Estonia approximately 80 diplomats, researchers and experts engaged in cyber issues.
- [2019-07-22] Cyber Security Summer School 2019 took place. This time it was organized by UT on the bockchain topic.
- [2019-07-17] Estonian Juhan Lepassaar was elected from among 80 candidates to become the next executive director of the European Union Agency for Cybersecurity (ENISA).
- [2019-07-12] Olerex had it’s customer transaction database stolen. The leak affects about 100 000 transactions concluded in the previous month and a half. It consisted mostly of business client’s names, personal identification numbers, fueling limits and other undisclosed pieces of data. The database was freely available online for a month and a half. Olerex claims that the data was downloaded only by an IT security expert who has confirmed to Olerex that the data has been deleted.
- [2019-07-10] Tartu Smart Bike Share website maintained by Bewegen Technologies had a security flaw which allowed to access personal data of registered users (contact details and usage history). Bewegen fixed the flaw in few hours and claimed that nobody except the person who reported the flaw had accessed the data.
- [2019-07-10] Smart-ID account creation using Mobile-ID has been augumented with SMS notification containing security code that has to be entered when creating Smart-ID instance. This should prevent Mobile-ID phishing attacks towards Smart-ID account creation. To date, there are 42 cases in Estonia where Smart-ID counterfeit accounts were created, in 10 cases it was actually used. Unfortunately, this does not address Mobile-ID/Smart-ID phishing attacks against other services.
- [2019-07-03] Web shop charlot.ee leaked usernames, home addresses and plaintext passwords of 14 000 users. The personal details were published as plain text documents and were easily found by googling. The manager of the company initially denied the leak, but later admitted it. So far, there have been no cases in Estonia where the Data Protection Inspectorate has fined some companies for data leakage.
- [2019-07-02] At the National Defense Council meeting it was agreed that MKM would come out by the end of the year with proposals to strengthen the country’s cryptographic and information security areas. It also gave an overview of the current status of the agreed activities following the ID-card crisis of 2017.
- [2019-06-28] Email notices sent by the state to personal_ID_code@eesti.ee (but not firstname.lastname@example.org) address will be stored on a virtual “mailbox” on eesti.ee, regardless of whether e-mail forwarding has been configured.
- [2019-06-28] ICR2019 workshop took place. Video recordings of the presentations are online.
- [2019-06-26] PPA found that due to a technical failure, for more than 15 000 automatically revoked ID cards the certificates were not revoked, which in 285 cases resulted in the ID card of the deceased person being electronically abused by other persons. The bug was discovered already in 2015, but investigated only in the begginning of 2019. Praise to the authorities for not sweeping the incident under the carpet!
- [2019-06-26] Father of i-voting Tarvi Martens made quite a strong statement saying that the i-voting system has no weaknesses and nothing depends on people or computers.
- [2019-06-22] Märt Põder wrote in his blog why he accepted invitation to take part in i-voting workgroup.
- [2019-06-21] The i-voting workgroup has been established and members have been listed. The working group is headed by MKM and includes RIA, the election service, research institutions and other experts. The task of this working group will be to analyze the security and transparency of electoral system processes and, if necessary, make suggestions for improvement. The workgroup will present its report by 12 December 2019 at the latest, which will include an assessment and proposals for system security and public awareness.
- [2019-06-19] President has rejected the amended Defence Forces Organisation Act for the second time, the Supreme Court will look into the constitutionality of the act this fall. The bill of amendments would grant the Estonian Defence Forces (EDF) the right to secretly gain access to data of the state, municipalities, and legal as well as private persons. EDF argues that this is needed to improve background checks.
- [2019-06-17] RIA is preparing to implement a new national information security standard, which will replace the ISKE reference security system, which is currently mandatory for public authorities in Estonia. In May, the public procurement process was completed and KPMG Baltics, Cybernetica and TalTech will start assembling a new information security standard. The new standard and accompanying materials should be ready by the end of next year.
- [2019-06-06] RIA had annual conference. The slides are available.
- [2019-06-04] PPA will not apply contractual sanctions against SK for Mobile-ID downtime in May.
- [2019-05-14] The report “Development and application of cryptography in the Estonian public and private sectors” commissioned by the Ministry of Defence has been released. The report prepared by Cybernetica gives an overview of the state of art in development of cryptography in Estonia, and analyzes the technological and economic potential of the field. Among recommendations is establishment of a national cryptographic competence centre and improving math and science education in Estonia.
- [2019-05-30] In the EP elections the long time i-voting observer was asked to stop filming the vote counting on the grounds that his camera is a communication device, which could leak the results of i-voting before the allowed deadline. The observer wrote formal complaint, will see the response. It is quite naive to believe that some organizational measures could prevent leaking the results if someone from the observers really wanted to do so.
- [2019-05-27] Bernhards Blumbergs (TalTech) defended his PhD thesis on “Specialized Cyber Red Team Responsive Computer Network Operations”
- [2019-05-26] In the EP elections 2019, 25.4% of voters cast their vote using i-voting method. There was a technical glitch concerning candidate data on the electoral website, which lasted for about 12 hours and meant that candidate searches did not yield a result on names which included diacritical marks.
- [2019-05-17] Mobile-ID users have experienced phishing attacks, where the victim is tricked into authorizing creation of Smart-ID instances, which then can be used by the attacker without victim’s consent. Some victims lost money, the police investigation is ongoing. In the beginning of the year, users of SEB, Swedbank and LHV bank experienced similar phishing attacks, where the victims were asked to authorize Smart-ID transactions made by the attacker. According to authorities, Mobile-ID and Smart-ID is secure, the negligent users are to be blamed.
- [2019-05-17] SK’s Mobile-ID service again experienced unexpected downtime. This time the downtime was for more than 24 hours. Due to downtime EMTA decided to extended deadline for submitting declarations. PPA is considering imposing some contractual fines against SK. The contract is confidential and it is not known how much the state pays to SK and what is the benefit for the state to be formally involved in the “issuance” of Mobile-IDs.
- [2019-05-13] The new IT minister announced that there are plans to conduct an analysis of the i-voting system and independent international audit to make sure that the process of i-voting is transparent and ultimately verifiable. The previous IT minister, who resigned shortly after being appointed, stated that coalition considers ending i-voting if it does not resist “the toughest tests”.
- [2019-05-09] RIA and MoD is offering 1.1 million to study: “Simulation of Critical Information Infrastructure Protection in the Cyberspace”. The purpose is to develop a virtual environment in which to simulate situations in the area of vital critical information infrastructure.
- [2019-04-23] Estonian Foreign Intelligence Service has published job ad looking for Microsoft administrator and IT support personnel. It is not common for intelligence agencies to publish job advertisements.
- [2019-04-03] Baltic Security and Security Summit took place. Among the Estonian speakers were Liisa Past and Uko Valtenberg.
- [2019-04-01] RIA released “Annual Cyber Security Assessment 2019”. Among other things it includes interview with Dominique Unruh (UT) about post-quantum cryptography.
- [2019-04-01] In the “Annual Cyber Security Assessment 2019” RIA disclosed details about the vulnerability in eesti.ee authentication system discovered in June 29, 2018. Turns out that bank link implementation on eesti.ee side did not verify signature, which allowed the attacker to bypass authentication. According to RIA, they checked logs and did not find evidence of the flaw being exploited. It is not said whether the logs actually contained full parameters to retrospectively verify the signatures.
- [2019-04-01] RIA plans to expand i-voting system to referendums and other types of elections.
- [2019-03-22] Ministry of Interior published code of conduct for crisis situations, among other things, recommending to be prepared for disruptions in e-services, including the ID card, Mobile-ID, and other means of authentication.
- [2019-03-22] Margus Noormaa was appointed as the new Director General of RIA by Minister of Economic Affairs and Communications (MKM).
- [2019-03-22] From the leaked password dumps journalists found at least 356 passwords belonging to people working in the public sector.
Head of CERT-EE claims that the cyber hygiene of state officials has improved in the recent years.
- [2019-03-20] Mihkel Solvak (UT) gave presentation “Anonymized i-voting log data: how can it be used or abused to understand voter behavior?” (time: 1:15:07).
- [2019-03-14] Authorities plan to perform security analysis to decide whether to implement i-voting with mobile phones starting 2021.
- [2019-03-13] Aivo Kalu (Cybernetica AS) gave presentation on SplitKey technology used by Smart-ID solution.
- [2019-03-13] Cybernetica released now cryptography study commissioned by RIA. This time the focus is on post-quantum cryptography.
- [2019-03-07] Estonian pet register used 15-digit chip identifier which was not random. This allowed to download data about thousands of dogs and cats and their owners.
- [2019-03-07] President refused to promulgate the new law that would grant the Estonian Defence Forces (EDF) the right to secretly gain access to data of the state, legal as well as private persons, clandestinely follow individuals, and carry out other surveillance activities against persons.
- [2019-03-05] CERT-EE warned about malware emails originating from @swedbank.ee domain. Part of the blame, however, must be taken by Swedbank, because it has not enabled DKIM email authentication for swedbank.ee domain.
- [2019-03-02] In Riigikogu elections 2019, 43.8% of voters cast their vote using i-voting method. One antivirus software considered the i-voting application a virus. There were many appeals. Two appeals related to i-voting procedure reached Supreme Court, but were rejected. However, the Supreme Court found that the rules in place for identifying, counting and mixing up the votes, as well as signing the results, should be clarified in regulatory acts.
- [2019-03-01] RIA is planning public procurement for developing Estonian information security standard.
- [2019-02-28] Starting from March, SEB and Swedbank will stop providing ID card support services. PIN code replacement will be possible only in PPA customer service points.
- [2019-02-28] Data Protection Inspectorate ordered to close down website of math exercises for minors, because no data protection conditions were published and processing of personal data for persons under age 13 was done without consent of the parents.
- [2019-02-25] Estonian social network rate.ee is storing plaintext passwords and recently a critical flaw was found which allowed to read private messages.
- [2019-02-09] Tallinn public transport ticket system, which allows passengers to pay with contactless payment cards, has no realtime communication with banking systems, debiting the amount when it gets online. As a result, it is possible to pay also with these bank cards where contactless payments have been disabled. The good news (for passengers) is that debiting payments for these cards will fail. To fight against free-riders, such payment cards after their use will get blacklisted by ticketing system terminals.
- [2019-02-07] Apparently in Estonia the information what property a person owns is a public information.
- [2019-02-07] Estonian Foreign Intelligence Service released annual report describing cyber threats on page 52. No crypto puzzle this year.
- [2019-02-04] Former State Prosecutor Steven-Hristo Evestus will continue his career in the cybersecurity company CybExer Technologies. CyberExer has already hired top personnel from NATO CCDCOE, CERT-EE, SK, and others.
- [2019-01-31] All three major Estonian banks: SEB, Swedbank and LHV have joined the flash payment system today, which means that up to 95% of payments within Estonia will reach the recipient in just a few moments.
- [2019-01-31] The court has ordered PPA to take down video showing detention of crime suspect. The court found that even though the important details that would allow the person to be identified were blurred, the person had become identifiable by means of additional information available.
- [2019-01-30] On January 17, data leak with 280 000 email addresses and passwords containing Estonian domains (.ee) was published.
- [2019-01-28] From 1st to 5th July 2019, the annual Cyber Security Summer School will take place. The focus this year will be on blockchain technologies and its impact on digital transformation.
- [2019-01-28] The 5th Interdisciplinary Cyber Research (ICR) Conference 2019 will take place on 29th of June 2019. Deadline for abstracts is 15 April 2019.
- [2019-01-25] Card payments rise as ATM withdrawals fall. In Estonia around €1.50 are spent by card for every €1 withdrawn.
- [2019-01-23] Martin Paljak found that the entire electronic functionality of new Estonian ID card can be used also over the contactless interface. To establish the connection only the CAN code printed on the ID card must be known.
- [2019-01-21] Geenius raised attention to a registration form in school’s website, which was not served over a secure connection. Good to see that non-TLS forms are not anymore accepted as a norm.
- [2019-01-16] Court decided that private company “Europark Estonia” has the right to obtain personal data of car owners from traffic register maintained by Road Administration. Road Administration decided not to appeal the decision.
- [2019-01-14] The use of Smart-ID in state services is behind price negotiations, Smart-ID being twice expensive than Mobile-ID.
- [2019-01-12] From February three major banks SEB, Swedbank and Coop Bank will discontinue code cards, Smart-ID being the most popular tool for authentication.
- [2019-01-11] MKM issued regulation specifying requirements for Trust Service Providers who provide certification services for certificates included in Estonian identity documents. According to the regulation, OCSP certificate validity service is currently recognized as vital service, while time-stamping and Mobile-ID service is not.
- [2019-01-10] Scientific study of Estonian X-Road usage log patterns suggests that e-governance adoption is linear.
- [2018-12-27] RIA released white paper “Identity Management and Identity Documents 1.0”
- [2018-10-23] Bank of Estonia has published interesting statistics about bank card fraud in 2016. The majority – 76% of fraudulent transactions are related to e-shopping on the Internet, 18% using payment terminals and only 6% using ATMs.
- [2018-12-21] Estonian criminal police has once again published job advertisement that requires to solve some puzzle. This time there is a cryptic MySQL database published.
- [2018-12-20] Martin Paljak discovered that PIN envelopes for the new generation Estonian ID cards (issued by IDEMIA) have a security flaw which allows to see through the envelope with flashlight.
- [2018-12-19] Due to some human error, several confidential contracts were available publicly on the Ministry of the Environment file management system.
- [2018-12-12] RIA has announced EUR 315k procurement to create SIGa (Signature and Signature Validation Service) which will enable public authorities to add digital signature support to their e-services with minimal development costs. RIA has already created a federated authentication system (supports ID card, Mobile-ID and bank link authentication) which can be used by the public sector.
- [2018-12-04] Cryptography professor Dominique Unruh (UT) has been awarded a 1.7 million grant by ERC to develop quantum cryptography solutions and their computer-based control methods.
- [2018-12-03] The new generation ID cards are being issued by IDEMIA. The cards have color photo and new physical security features. Contact-less interface is disabled by default – requires security analysis before enabling. New cards uses different API (IAS ECC standard), therefore software has to be updated. In the new specification the “Card Management Key” has been renamed to “Police Key”. This has raised suspicion about possible backdoor key in the ID card.
- [2018-11-28] Estonian Defence Forces Cyber Command (military unit performing also offensive cyber operations) is hiring. The competitive advantage for work in Cyber Command is that people are given quite free hands (because there is no money to be made) and access to exclusive weapon systems not seen in the private sector. The unit has been assembled from the existing staff and communications battalion. The primary recruitment point is the conscripts.
- [2018-11-28] The head of the Institute of Estonian Academy of Security Sciences (SKA) wants to hold a debate about making the state’s work easier by allowing it to analyze masses of cell phone data. There is an opinion that the state is already using far more cell phone data than is admissible for ensuring privacy.
- [2018-11-09] RIA’s Director General Taimar Peterkop has been appointed by the Prime Minister Jüri Ratas as Secretary of State. Peterkop played a key role in solving the 2017 ID card crisis. New head of RIA is to be appointed.
- [2018-11-08] Smart-ID solution has been certified by German TUViT as a qualified signature creation device (SSCD), hence Smart-ID signatures now are legally equivalent to handwritten signature. From service provider’s perspective, however, the transaction cost for Smart-ID is double the cost of Mobile-ID. Smart-ID still cannot be used for I-voting, because currently the law requires electronic voter identification using a document issued by the Estonian state.
- [2018-11-07] Estonians working in airports and airplanes must fill out a ten-page KAPO form, which requires them to specify, among other things, the names of Facebook, Twitter, Instagram and other social accounts, all telephone numbers, and even the current place of residence and contact details of “previous spouse or person similar to marriage”. It is estimated that up to 3,000 people may be subject to a such background check required by the Minister of the Interior from October 30.
- [2018-11-07] Personal identification code for the woman was updated due to the change of date of birth. The state information systems were not ready for such change. Around 300 persons will get new personal identification code because of updated date of birth.
- [2018-11-06] PPA submitted one more claim against Gemalto asking 300k EUR for not informing PPA about the ID card ROCA vulnerability.
- [2018-11-06] RIA plans to create few 2-3 minutes long educational videos showing how cyber attacks happen.
- [2018-11-06] Criminals took over transaction partners’ email accounts and phished out from Estonian company 80k EUR.
- [2018-10-31] Owners of 3-year valid digital ID cards can remotely extend their Digi-ID validity to 5 years.
- [2018-10-25] Gemalto has submitted counter-claim against PPA for PPA being in bad faith (whatever it means) in the compromise negotiations in September.
- [2018-10-19] CERT.LV organized international cybersecurity conference “Cyberchess 2018”. Webapp pentester from Estonia Silvia Väli (Clarified Security) talked about the vulnerabilities she found in the Electron framework.
- [2018-10-18] SilverTicket system had a flaw which allowed to buy tickets without paying for them. The user had to simply access the return URL visible in the bank link request.
- [2018-10-15] Due to unknown error, for years sensitive personal data of children was publicly available in the Estonian Schools Information System (EKIS) document register.
- [2018-10-10] Interview in jail with Russian student Aleksei Vasilev accused of penetrating state systems on the orders of FSB. According to him, he wrote a code to access the internal wireless network of an unnamed state agency. He is disappointed that Russian authorities show no interest to help him in his situation.
- [2018-10-10] In the Riigikogu scientific policy conference Professor of Information Security Ahto Buldas (TalTech) in his presentation “E-government base-technologies as a secure protector” stated that current e-government information systems have not been built with the knowledge of engineering based on scientific worldview and attack resistance of systems and components has not been measured. He invited the state to cooperate with universities.
- [2018-10-05] Starting from November it is possible to buy tickets in Tallinn public transport using contact-less bank cards.
- [2018-10-01] Estonian police is using license plate recognition cameras on the Estonian roads (scale not known). Large part of cameras used by police have known security vulnerabilities.
- [2018-09-27] Police (PPA) sued Gemalto claiming 152 million for generating keys outside Estonian ID card.
- [2018-09-21] Last year Estonian security authorities eavesdropped on a total of 4,596 calls made in Telia’s network. This is ten times that of Sweden (taking into account countries’ population). Judges sign off on an average of 90% of the wiretap requests. Of all wiretaps 30% concern drug crime investigations, and another 30% suspected corruption cases. Number of wiretaps has stayed the same in recent years. For the purpose of counterintelligence the Office of the Prosecutor General does not need to suspect someone of having committed a crime to order a wiretap. Frequently the information obtained is in turn used to open actual criminal proceedings against individuals.
- [2018-09-20] Professor of eGovernment Robert Krimmer (TalTech) calculated price for voting, i-vote being the cheapest (2.32 EUR) compared to voting on election day (4.37 EUR).
- [2018-09-19] eID Forum 2018 was held on 19-20 September. ID card 2017 crisis was among the discussed topics.
- [2018-09-18] In the context of upcoming elections, RIA will provide personalized cybersecurity counseling to political parties and will pentest their websites. RIA has also significantly contributed to the ENISA handbook on election security “Compendium on Cyber Security of Election Technology”.
- [2018-09-17] Cybernetica AS and TalTech organizes Second Workshop on the Protection of Long-Lived Systems (17-18 September, Pärnu, Estonia).
- [2018-09-12] Draft regulation has been prepared for allowing the face recognition robots to identify people who apply for Mobile-ID. The purpose is to enable enrollment for Mobile-ID without the need to confirm the application using the ID-card. It would be necessary to visit the PPA only if identification by robot fails.
- [2018-09-07] Cybernetica AS won the defense ministry’s procurement to prepare study to identify opportunities in the Estonian economy in the field of cryptography and to develop concrete proposals to enable the development of the field at national level.
- [2018-09-06] Apparently Gemalto leaked to local journalists some internal presentation trying to convince the public that Gemalto informed the Estonian state about the ID card vulnerability (ROCA) already in June 15, 2017. In the response PPA concluded that Gemalto is not interested in compromise and will settle the dispute in court.
- [2018-09-05] Märt Põder in Civic Tech Stockholm #2 explains Estonian I-voting.
- [2018-09-04] Article “Key Factors in Coping with Large-scale Security Vulnerabilities in the eID Field” by Silvia Lips, Ingrid Pappel, Valentyna Tsap, Dirk Draheim. Describes few positive and negative effects of the vulnerability and key factors that helped to cope with the Estonian ID-card crisis 2017.
- [2018-09-04] Heli Tiirmaa-Klaar has been appointed cybersecurity ambassador (Ambassador at Large for Cyber Diplomacy), being responsible for developing Estonia’s foreign policy on cyber security, ensuring its coordinated implementation, representing Estonia in international organisations and contributing to international cooperation in the field.
- [2018-09-01] Jaak Tarien takes over as director of NATO CCDCOE. The current director Merle Maigre will go to work for CybExer Technologies.
- [2018-08-31] Significant DDoS attack by unknown actors for half an hour hit news portals owned by Express Group (Delfi, EPL, Eesti Ekspress, Õhtuleht) and PPA website.
- [2018-08-08] There are ideas for the next generation ID card to replace PIN-based cardholder verification with fingerprint verification.
- [2018-08-06] Tele2 could not provide roaming service for its customers due to faulty software update by Comfone. The failure lasted for several hours. As a compensation Tele2 will cancel the monthly bill for the affected customers.
- [2018-07-22] Card payments and ATMs for two hours were down on Sunday due to malfunction on Nets Estonia side.
- [2018-07-06] Smart-ID is soon to be certified as qualified signature creation device (QSCD). This will require change from 4096-bit to 6144-bit RSA keys (providing 3072-bit RSA security).