Estonian ID-card ROCA crypto crisis

In autumn 2017, Estonia — whose entire e-government, banking, and voting infrastructure rests on a mandatory cryptographic ID-card — faced a state-level crisis when researchers found that the card's chip generated mathematically weak RSA keys. The flaw, dubbed ROCA (Return of Coppersmith's Attack, CVE-2017-15361), threatened to let attackers forge the digital identity of any affected cardholder.

What happened

The vulnerability lived in Infineon Technologies' RSALib library, used in the smartcard chips that Estonia (and many TPMs, passports, and tokens worldwide) relied on. Infineon's non-standard prime-generation method produced RSA moduli with a hidden structure, allowing the private key to be factored from the public key using an adaptation of Coppersmith's theorem. Because every Estonian ID-card's public key is published in a national directory, an attacker needed no physical access and no PIN — only the public key and sufficient computing power.

The flaw was discovered in February 2017 by researchers at Masaryk University (CRoCS) in the Czech Republic, who disclosed it confidentially to Infineon. Estonia's Information System Authority (RIA) was privately warned on 30 August 2017 and went public with a vague "potential risk" on 5 September 2017, deliberately withholding technical details until the coordinated disclosure on 16 October 2017.

Impact

Roughly 750,000–760,000 cards — issued since October 2014, including e-Residency cards — were affected, covering well over half of Estonia's 1.3 million population.
The cards underpin digital signatures, online banking, tax filing, prescriptions, and i-Voting, so a forged-identity scenario was an existential threat to trust in the entire e-state.
No confirmed real-world exploitation occurred, but estimates put the cost of factoring a single 2048-bit key within reach of well-resourced attackers.

Response

On 3 November 2017, the Police and Border Guard Board suspended the certificates of the affected cards. Rather than physically recall and reissue every card — as some other countries did — Estonia rolled out a remote software update that re-generated keys on-card using a different, secure method, letting most citizens fix their cards online. By April 2018, after several hundred thousand renewals, RIA declared the crisis resolved.

Why it matters

The ROCA crisis is the canonical case of a supply-chain cryptographic failure striking national critical infrastructure: a single vendor's library flaw cascaded into a constitutional-scale identity risk. Estonia's handling — transparent (if tightly sequenced) disclosure, plus remote re-keying instead of mass recall — is now studied as a model of crisis response, demonstrating that a digital state can absorb a foundational cryptographic break without collapsing public trust.

Timeline

February 1, 2017

Researchers at Masaryk University (CRoCS) discover the ROCA flaw in Infineon's RSALib RSA key generation and notify the vendor under coordinated disclosure.

August 30, 2017

Estonia's Information System Authority (RIA) is privately informed that the chip in its ID-cards generates factorable RSA keys.

September 5, 2017

Estonia publicly announces a potential security risk affecting roughly 750,000 ID-cards issued since October 2014, while details are withheld.

October 16, 2017

The ROCA vulnerability is publicly disclosed as CVE-2017-15361 by the Masaryk University team.

November 3, 2017

Estonia blocks the certificates of about 760,000 affected ID-cards; remote software-based re-keying becomes the primary fix.

April 1, 2018

RIA declares the ID-card crisis resolved after hundreds of thousands of cards are renewed or replaced.

Sources

en.wikipedia.orghttps://en.wikipedia.org/wiki/ROCA_vulnerability

ria.eehttps://ria.ee/en/news/estonia-resolves-its-id-card-crisis

valitsus.eehttps://www.valitsus.ee/en/news/estonia-will-block-certificates-760-000-id-cards-evening-3-november

e-estonia.comhttps://e-estonia.com/card-security-risk/

crocs.fi.muni.czhttps://crocs.fi.muni.cz/public/papers/rsa_ccs17

Related incidents

Vulnerability exploitContainedMay 9, 2026

765 users affected by claimed leak at Média31

On 9 May 2026, the threat actor AplaGroup claimed an intrusion into Média31, the online media-library platform of the Haute-Garonne departmental libraries (France), exposing data on roughly 765 users; the breach was confirmed on 21 May 2026.

Victim: Média31
Records: 765

Vulnerability exploitResolvedMay 2, 2024

City of Helsinki Education Division breach

An attacker exploited an unpatched vulnerability in a remote access server to breach the City of Helsinki's Education Division, exposing personal data of tens of thousands of students, guardians, and staff, plus sensitive welfare records.

Victim: City of Helsinki (Education Division)
Records: 120.0K

Vulnerability exploitResolvedAugust 8, 2023

UK Electoral Commission data breach

Chinese state-linked hackers exploited unpatched Microsoft Exchange ProxyShell flaws to dwell undetected in the UK Electoral Commission's systems for over a year, accessing electoral-register data on roughly 40 million voters.

Victim: UK Electoral Commission
Records: 40.0M

Vulnerability exploitResolvedJuly 24, 2023

Norwegian government Ivanti zero-day breach

Attackers exploited an Ivanti Endpoint Manager Mobile zero-day (CVE-2023-35078, CVSS 10.0) to breach a shared ICT platform used by 12 Norwegian government ministries, with exploitation traced back to at least April 2023.

Victim: Norwegian government (12 ministries)