Each of Spain’s DNIe ID cards has a chip containing two certificates, one for identification and one for electronic signing. Image: Cuerpo Nacional de Policía
When security researchers discovered last month that secure hardware made by Germany’s Infineon Technologies was not so secure after all [1], it was clear that there would be major implications. There are a lot of smartcards and other devices out there with Infineon’s chips in them, and the ‘ROCA’ flaw [2] in Infineon’s key pair-generation algorithm made it possible for someone to discover a target’s private key just by knowing what their public key was.
Now, in an analogous situation to that recently experienced in Estonia [3], Spain seems to be having a tough — and arguably more chaotic — time dealing with the implications for its national identity smartcards. Estonia’s big security flaw only affected around 760,000 cards, although Estonians genuinely use their cards for a great variety of public and private services. Against that figure, there are around 60 million identity smartcards in Spain. However, according to an El País article [4], Spaniards were only using theirs in 0.02 percent of public-service engagements when surveyed a few years back.
Dan Cvrcek is the CEO at security firm Enigma Bridge, which was co-founded by researchers who identified the ROCA flaw. He told ZDNet that exploitation of the flaw could allow attackers to revert or invalidate contracts that people have signed, in part because the Spanish don’t use timestamps for very important signatures. “I still don’t think you can do a large-scale attack that would target a lot of people,” Cvrcek said. However, he added, the cost of an individual attack has “rapidly decreased”. The assumption used to be that an attack cost between $20,000 and $40,000, but now it’s “realistically $2,000”.
Each card, known as the DNIe, has a chip that contains two certificates, one for identification and one for electronically signing things. According to El Diario [5], the authorities responded to Infineon’s October vulnerability disclosure by revoking, on November 6, all certificates issued since April 2015. What’s more, the authorities have stopped letting people sign things with the card at the self-service terminals found at many police stations. That decision affects every card, not only those that have the flaw. However, people can still digitally sign documents online, using a small card reader that connects to their PCs. The readers are needed to update the affected cards. But there is as yet no indication of when the affected cards will be updated.
Indeed, there doesn’t seem to be much official information out there at all, something which has not gone unnoticed in the Spanish tech press. “Neither the police nor other public bodies have given more information through their social media accounts about the impact of the vulnerability and how to act if affected,” said Xataka [6]. At least the Basque certificate authority Izenpe, which has revoked 30,000 certificates, has given information [7] about how to replace them, the blog added.
Amid all that chaos, it also seems that some people with recently issued DNIe cards are still able to use them, despite the supposed revocation of their certificates. “I would not mind if it continued like this until there are new certificates,” tweeted [8] one user. Toomas Ilves, the former president of Estonia, said earlier this week that he believed millions of people in countries had been affected by the ROCA flaw, but their authorities were remaining “silent”.
[1] not so secure after all (www.zdnet.com)
[2] the ‘ROCA’ flaw (www.infineon.com)
[3] experienced in Estonia (www.zdnet.com)
[4] El País article (cincodias.elpais.com)
[5] El Diario (www.eldiario.es)
[6] Xataka (www.xataka.com)
[7] given information (www.izenpe.eus)
[8] tweeted (twitter.com)
The use of torture in custody and human rights violations committed in the name of security and counterterrorism will continue unabated unless Tunisia lives up to the commitments it has made today at the UN Human Rights Council in Geneva, said Amnesty International. During today’s session, the outcome of the third Universal Periodic Review of Tunisia’s human rights record was adopted. The Tunisian authorities accepted 189 recommendations on how to improve the country’s human rights record, including pledging to boost accountability for abuses by security forces, eliminate torture and other ill-treatment and ensure that counterterrorism and national security measures do not jeopardize human rights.
“The commitments made by Tunisia today are a step in the right direction. But the government must swiftly implement these reforms if its promises of human rights progress are to be realised,” said Heba Morayef, North Africa Research Director at Amnesty International.
Two recent proposed bills have called into question the government’s commitment to accountability. Last week Tunisia’s parliament approved a controversial bill granting amnesty to officials accused of corruption under former President Zine El-Abidine Ben Ali’s rule. Tunisia’s pledges related to security sector reforms will be seriously undermined if the government goes ahead with a bill [1], known as the “Repression of attacks against armed forces bill”, which would grant security forces immunity from prosecution for unnecessary use of lethal force and criminalize criticism of police conduct. The bill could be reintroduced in parliament as soon as next month.
“Tunisia’s promises to end impunity for the security forces will be meaningless if the authorities proceed with a bill that gives the security forces protection from prosecution for human rights violations. The authorities must demonstrate they are committed to keeping the promises they have made today by scrapping this bill immediately,” said Heba Morayef.
For years Amnesty International has called on the Tunisian authorities to step up their efforts to reform the security sector and to stamp out impunity. Yet since 2011, the overwhelming majority of credible allegations of torture and other serious violations by security forces have not been independently and impartially investigated, and there have been only a handful of prosecutions. Out of 248 recommendations from more than 100 countries, Tunisia has adopted 189, acknowledged 55 and deferred 4 at its UN review session today. As part of their commitments, the Tunisian authorities have agreed to ensure all allegations of torture are impartially and effectively investigated.
In its February 2017 report “Abuses under Tunisia’s state of emergency”, Amnesty International highlighted how violations including torture, arbitrary arrest and restrictions on movement have been committed in the name of national security since the fall of President Ben Ali in 2011.
“Tunisia must not squander this chance to adhere to its commitments under its own constitution and international human rights law by implementing the reforms it has pledged to uphold and delivering genuine human rights progress,” said Heba Morayef. During a recent meeting with Amnesty International in Tunis, Tunisia’s Minister of Relations with Constitutional Authorities, Civil Society and Human Rights, Mehdi Ben Gharbia, discussed the outcome of the UN human rights review. He emphasized that the government takes recommendations relating to physical integrity very seriously and that efforts to address torture are ongoing but that it is taking time to overcome the legacy of the Ben Ali era. He added that the authorities are also working hard to end forced anal examinations which are regularly carried out on men suspected of engaging in same-sex sexual relations. Amnesty International considers that these examinations amount to torture.
In this regard Amnesty International welcomed today Tunisia’s acceptance of two recommendations to immediately cease the practice of forced anal examinations and ensure the protection of LGBTQI persons from all forms of stigmatization, discrimination and violence. However the organization deeply regrets Tunisia’s rejection of 14 recommendations relating to the decriminalization of same-sex relations by repealing article 230 of the Penal Code. During today’s session Tunisia’s authorities also committed to bringing national laws in line with the country’s new constitution and international human rights standards. Amnesty International is now urging the authorities to expedite the long overdue process of establishing a constitutional court and to amend the country’s penal code to ensure all articles relating to freedom of expression, association, torture and the death penalty are brought in line with international law.
Disappointingly, Tunisia rejected a recommendation to end military trials of civilians, in violation of international fair trial standards. This is the country’s third Universal Periodic Review by the UN Human Rights Council. Amnesty International delivered an oral statement at today’s session, and ahead of it, submitted a report to the council highlighting the main human rights issues in the country as well as key recommendations.
A bill on the agenda for discussion in Tunisia’s parliament today could bolster impunity for security forces by granting them immunity from prosecution for unnecessary use of lethal force as well as potentially criminalizing criticism of police conduct, said Amnesty International today. The proposed law, known as the Repression of attacks against armed forces bill, would authorize security forces to use lethal force to protect property even when it is not strictly necessary to protect life, contrary to international standards. It would exempt security forces from criminal liability in such cases if the force used is deemed necessary and proportionate. The bill was first proposed by the government to parliament in April 2015 and was reintroduced at the demand of police unions.
“This bill is a dangerous step towards institutionalizing impunity in Tunisia’s security sector. The fact that parliament is even considering this bill is a sign of the lack of political will on the part of the government to ensure accountability for abuses by the security services. The bill also flouts the country’s own constitution which guarantees the right to life, freedom of expression and access to information,” said Heba Morayef, Amnesty International’s North Africa Research Director.
Tunisian security forces have been targeted in the past but giving them freer rein to use lethal force and immunity from prosecution is not the way to address this challenge. The Tunisian parliament should reject this bill and focus on measures to end the impunity enjoyed by the security forces. Tunisian security forces have been targeted by armed groups in a series of attacks since 2015. Tunisia’s parliamentary committee on General Legislation is due to hold a hearing today with the Minister of Interior whose ministry drafted the bill. Later in the day, the committee will also meet with the security forces unions which have been advocating [1] for the adoption of the bill.
The bill allows security forces to respond with lethal force to an attack on property that does not threaten lives or risk causing serious injury. Article 18 of the bill would exempt members of the security forces from criminal liability for injuring or killing anyone, including as a result of using lethal force to protect against attacks on homes, objects or vehicles, if the force used is deemed necessary and proportionate to the danger. This is contrary to the state’s obligation to respect and protect the right to life. Using lethal force solely to protect property would not be necessary and proportionate. The UN Basic Principles on the Use of Force and Firearms restrict the use of lethal force by law enforcement to situations where it is strictly necessary to protect life. These standards require that an independent authority assess whether the use of lethal force leading to a death or serious injury was necessary and proportionate.
In February 2017, Amnesty International published a report [2] highlighting how violations committed by security forces in the context of the state of emergency, including torture and arbitrary arrests, are threatening the country’s path to reform. No security officers have been convicted for these violations so far.
“In Tunisia, abuses committed in the name of security almost always go unpunished. This has created an atmosphere of pervasive impunity, where security forces feel that they are above the law and need not fear prosecution,” said Heba Morayef.
Granting security forces legal immunity from prosecution through this bill will only embolden perpetrators of human rights violations.
In June, members of Tunisia’s infamous El Gorjeni anti-terrorism brigade complained [3] to the parliamentary security and defence committee about the number of allegations of torture and other ill-treatment directed towards them, describing such allegations as a form of harassment. The bill also includes vague provisions that could criminalize legitimate criticism of the security forces including for human rights abuses. Article 12 of the bill criminalizes the denigration of police and other security forces with the aim of harming public order, making it punishable with a penalty of up to two years in prison and a fine of up to 10,000 dinars. Articles 5 and 6 of the bill provide for up to 10 years in prison and a 50,000 dinar fine for those who disclose or publish national security secrets.
This is defined as any information, data and documents related to national security, an overly broad definition which could be used to imprison those revealing information about human rights violations. No protection from prosecution is provided for whistleblowers or journalists. These provisions are inconsistent with Tunisia’s obligation to uphold freedom of expression and the public’s right to access information under international law and according to the country’s constitution.
During a review of its human rights record at the UN Human Rights Council in May, Tunisia received at least 10 recommendations [4] relating to strengthening accountability for human rights violations by security forces.
By accepting these recommendations Tunisia has committed to take concrete steps to fight impunity.
“It is deeply disappointing to see that this bill, which fundamentally threatens the human rights gains Tunisia has made since 2011, back on the table,” said Heba Morayef.
Tunisia must abide by its commitments to uphold its human rights obligations by ensuring greater oversight of the security sector and taking concrete steps to address impunity once and for all.