[AhtiK]

"The jTOP SLE78-powered ID cards were issued until the end of 2018. ID cards manufactured currently are powered by the chip platform supplied by IDEMIA (not covered in this work)."

If my memory serves me right, there was an easy way to check if your ID card was affected and it got replaced for free. The flaws described in paper are not known to exist in cards issued since the end of 2018, beginning of 2019.

[jlgaddis]

Yeah, an "offline tester" [0] was made available by the researchers who discovered ROCA [1] and a company with "close links" to the researchers created a "ROCA Vulnerability Test Suite" [2]. The Estonian government also had one on their web site [3] but it is, apparently, no longer available.

ROCA didn't just affect Estonian ID cards, though. It also affected also TPMs (from Infineon), certain Yubikeys [4], and even some PGP keys!

---

[0]: https://github.com/crocs-muni/roca

[1]: https://roca.crocs.fi.muni.cz/

[2]: https://keychest.net/roca/

[3]: http://www.id.ee/?lang=en&id=38239

[4]: https://www.yubico.com/support/security-advisories/ysa-2017-...

[chrismeller]

Yes, the Police and Border Guard has an online tool to check. They also supposedly contacted all the people with bad chips (my card was not vulnerable, so I can’t verify that).