Major security flaws found in integral part of Israel's biometric ID system

Israel is expected to roll out its new biometric database and smart ID cards in the coming weeks, but a critical component of that plan suffers from faulty security, Justice Ministry documents that were leaked by mistake Sunday and published online reveal.

The documents, first made public on a Channel 10 program about  the Internet, expose email correspondence and information about security checks for part of the biometric project meant to authenticate electronic ID cards.

As part of the project, a national certificate authority will issue electronic ID cards and verify their security. The government says the project is part of a larger initiative that would improve its connection with the people. 

The biometric database would ultimately be managed by the Population and Immigration Authority.

The leaked documents reveal a number of shortcomings. 

The Justice Ministry's Israeli Law, Information and Technology Authority – which helps with personal data protection – was able to breach part of the biometric system’s security, as was information security firm Comsec.

Comsec revealed that the certificate authority aspect is not protected by antivirus software, does not have warning systems and does not keep a log of firewall incidents. In addition, requests for new IDs from the Interior Ministry to the certificate authority are transferred via an insecure system.

One of the leaked documents is a letter from attorney Rivka Dvash, acting head of the Israeli Law, Information and Technology Authority – ILITA. Dvash writes that Yogev Shamni, the chief information officer at the Population and Immigration Authority, told her the system has been checked and is reasonably secure, but that ILITA was barred from seeing the data.

Dvash added that taking into consideration the partial information ILITA has received, in addition to an opinion from an ILITA security consultant, she cannot be sure the system is ready to withstand security violations.

Meanwhile, Doron Ofek, a data security specialist, told that it is not the biometric data that is at risk, but the so-called digital certificate that citizens use for identification when seeking government services. "Problems in securing this network create security problems in the entire network of biometric certificate registration," he said.

For its part, the Justice Ministry said the deficiencies ILITA points out are being discussed with the relevant parties. It said this discussion is in its early stages and that the leaked documents include initial and raw data. It said the new system will be tested according to the strictest standards during its pilot stage.

The ministry added that a document was accidentally emailed to a larger distribution group than intended. Director General Guy Rotkopf has instructed the ministry’s security officer to look into the incident.

The Population and Immigration Authority said ILITA is one of the agencies it must consult on the matter, but that other information-security experts are also being consulted. It noted that the ILITA document does not relate to the biometric data found in the biometric ID card but rather to electronic verification data used for identification purposes on the e-government portal.