Estonian Hacker Steals 300,000 Government ID Photos

Estonia’s electronic ID system was hacked last week. Again. The eastern European country is well-known for its advanced cryptographic identity card system, but it seems there are flaws in the access management design.

A suspect is in custody. They’re accused of using a botnet to scrape 286,438 citizens’ photos from KMAIS, Estonia’s ID-document database. However, there’s nothing at all to worry about, because … errr … everything’s fine, pay no attention to that man behind the curtain, nobody’s identity is under threat—or so says the country’s Information System Authority (Riigi Infosüsteemi Amet, or RIA).

Yeah, we’ve heard that before. About 10 days ago, in fact. In today’s SB Blogwatch, oleme mures privaatsuse pärast.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Doctor Qui.


What’s the craic? Helen Wright and Andrew Whyte write—“Hacker downloads close to 300,000 personal ID photos”:

Estonian citizen
A Information System Authority RIA database holding document photos was compromised. … The culprit had already obtained personal names and ID codes and was able to obtain a third component, the photos, by making individual requests.

286,438 [photos] had been downloaded en masse from 9,000 different domestic and foreign IP addresses, using a malware network and forged digital certification and taking advantage of a vulnerability. … The hacker had first obtained people’s personal identification codes and names from the public web, after which he or she was able to obtain photos by making individual requests.

Police have arrested an Estonian citizen whose computer was used to commit the theft. The questions of whether the person acted alone, what was the person’s aim, and what did the person want to do with the data remain to be clarified by a criminal investigation.

Yikes. Catalin Cimpanu adds—“A hacker downloaded 286,000 ID photos from government database”:

Exploit the vulnerability
Estonian officials said they arrested last week a local suspect who used a vulnerability to gain access to a government database and download government ID photos for 286,438 Estonians. … The suspect was arrested last week on July 23, Estonian police said.

To exploit the vulnerability, RIA said the attacker had to provide the name of an Estonian citizen, along with their correct personal identification code. … The incident was not considered severe enough to ask individuals to take new photos and change their IDs.

And Sergiu Gatlan fills in the blanks—“Estonia arrests hacker”:

Another breach
A Tallinn man was arrested a week ago … following a Cybercrime Bureau of the National Criminal Police and RIA joint investigation that started after RIA was alerted of a higher than the usual number of queries. … RIA added that the stolen information could not be used to perform notarial or financial transactions or gain access to state digital services by impersonating the impacted individuals.

All Estonian citizens who had their ID scans and personal information stolen during the incident will be notified via email by the Estonian Police and Border Guard Board. … RIA added that this incident is not connected with another breach disclosed earlier this month when the personal data of over 300,000 people was exposed on the state portal’s access rights management system.

Another one? Just 10 days ago, RIA PR was lost in translation—“Data on more than 300,000 people were available on the state portal”:

Vulnerability was disclosed
The personal data was visible to those representatives of companies who had logged in to the self-service environment. … The vulnerability was disclosed by an attentive user of the portal.

So logged-in users could see other users’ data? That doesn’t sound like a good design. systemvoltage ain’t impressed:

Zero trust
Appearance of forward-thinking and actual boots-on-the-ground situation can vary widely. Especially with governments — you might be suprised how many things are just held on stilts behind the scenes. When it comes to security, I have zero trust in the government ID programs.

Neither is this Anonymous Coward:

Poorly maintained
I thought Estonia was the world leader in electronic identification and elections. Are you telling me that it was all built on a poorly maintained LAMP stack?

But Estonia’s eID system was forward-thinking. disabled tells us more:

All European Union countries are eventually going to use electronic IDs (eID) with Smartchips that can be read by a Smart Card reader. A number of governments already use eIDs, and have elaborate databases for citizens, such as Croatia [and Estonia]. The eIDs also require a biometric picture of your face and 2 fingerprints, which are encoded into the card.

In many countries in Europe, we can use our electronic IDs to do a lot of things in everyday life that cannot be done online in the US. … It’s amazing that the United States does not have this functionality. … I guess the US passport card is the closest example, but it is useless except as identification.

So what went wrong? pisi hypothecates a theory:

Fake certificates
Mutual TLS with a smart card backed X.509 certificate is considered one of the strongest authentication systems out there. But forgetting to do actual certificate verification or doing it in some weird homegrown way or forgetting to synchronize assumptions between some TLS termination proxy and backend system … is the likely culprit here.

As the attacker forged lookalike fake certificates, I suspect either misconfigured verification or the proxy trick where at some point the reverse proxy did certificate validation that the backend relied upon but then at some point it was left for the backend system in proxy configuration and then backend system was never updated.

But why are these ID codes so insecure? As aloisklink points out, they can’t be secret:

Only the user should know
Estonia … ID cards can cryptographically sign documents/anything using a PIN that only the user should know, so even if the ID card is stolen, it still can’t be used to sign documents/messages. The problem is, the certificate (public key) purposely contains the full-name/public personal ID code, so that people can prove who (and which ID card) signed the message.

Never underestimate the possibility of an inside job. r2kordmaa doesn’t:

Obvious conclusion
Considering the script kiddie was local and was fairly quickly found and arrested, I’d say there is a pretty good chance he was also on government payroll and working on the compromised systems. If any random hacker were to attack Estonian IT systems [probably] they would be from outside Estonia.

The obvious conclusion is that there was some personal connection between the attacker and the government agencies or companies working with the IT systems in question. Considering the prompt failure and speed of getting caught, clearly it was not a competent attack, he might have even used his official credentials to get more access than an true outside agent would have had.

Meanwhile, supertrope’s beams are gonna find ya (ask your parents):

Shared secret is an oxymoron.

And Finally:

«L’intérieur est beaucoup plus grand que l’extérieur!»

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: young shanahan (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 615 posts and counting.See all posts by richi