Dr Bright Mawudor Gameli, Head of Information Security and Risk at Cellullant steps on stage at a cyber-security summit in Nairobi and for the next 20 minutes, pensive silence reigns over the room full of tech executives and administrators listening to his presentation.
“I can get into your system and have your device do whatever I want and you cannot do anything about it,” he explained. With the participants following keenly, Dr Mawudor types out a few lines of code and seconds later, an iPad from one of the conference participants starts playing music.
“I can raise the volume as high as I want and play whatever music I want and you cannot do anything about it short of powering the device off,” he went on to say to the now dumbfounded conference attendant.
Another demonstration reveals that there are two identical Wi-Fi networks named after the hotel. One of them however is a dummy network tied to Dr Mawudor’s phone that several conference participants have connected to.
“Those who have connected to my network have surrendered their entire digital lives to me,” he reckoned. “I can harvest all the personal information from their devices and this includes passwords to their social media networks, bank accounts if they have mobile banking apps and also passwords to access their work networks if they use their device for work email.”
In recent years, technology has grown to become universal in Kenya as more people get online with more devices creating a multiplier effect on the amount of data that both individuals and companies generate.
In the last five years, the number of licensed Internet Service Providers (ISPs) in Kenya has increased from 165 to 242. The amount of data going into Kenyan homes and businesses has equally increased from 574,704 megabites (MBs) per second in 2012 to two million megabits per second.
With the rapid adoption of smart phones and Kenyans’ fervent use of social media (Kenya is ranked 4th on both Facebook and Twitter use in Africa) and in the process the risk to attacks has greatly increased.
In addition to this, Kenya’s public service has increasingly moved to online platforms with millions of citizens now logging into government-run platforms such as e-citizen, the Integrated Financial Management Information System (IFMIS) the National Transport and Safety Authority’s Transport formation Management Systems among others public platforms.
Most of these sites have also been integrated with mobile apps that while providing convenience to consumers, introduces another layer of vulnerability that can be exploited.
In the last financial year for example, Safaricom, currently leading in the mobile data market, recorded a 74 per cent increase in mobile data volume with close to 14.9 million, 30-day active customers, utilising 21 billion MBs of data.
Usage per consumer is reported to have hit 231 MBs per month; a 44 per cent increase from the previous period. This means that our private and professional lives are today playing out online even as we continue to generate and share more information.
However, most of this data is unsecured and because of this, private and sensitive information about us and our companies is available like a trail of bread crumbs to anyone online at just a few keyboard strokes.
Today, virtually anyone with an Internet connection and a few lines of code given the right motivation can gain access to some of the country’s key power utilities and financial institutions.
The Kaspersky Live Cyber Threat Map ranks Kenya at 31st most attacked countries in the world. Checkpoint Live, another cyber threat map places Kenya at the top ten most targeted countries.
Data from the latest statistics from Kaspersky Labs indicates that in June 2017 alone, there has been an average of 10,300 attacks on Kenyan networks daily, with the figure spiking on June 6th this year to 37,305 attacks.
More than 56 per cent of these attacks involved Brute force RDP attacks, a common form of cyber-attack that involves hackers attempting to gain access through one or several of the servers in a particular network.
This form of attack targets systems running Windows remote and terminal servers; the systems that allow system administrators and technicians to log into the network remotely to conduct repairs or upgrades.
Dr Mawudor who researched the development of national cyber security awareness systems with a specific focus on Kenya for his PhD dissertation was startled by the vulnerability pervasive in the country’s networks. “Hackers continuously carry out scans on the networks looking for loopholes into the network that can help them gain access,” he explained.
This is often the software that is not updated or other sensitive information such as log in credentials and emails that are left on the company network unencrypted.
A basic scan using an open source scanning programme reveals that more than 400 ports in the country do not have any protection aside from the default “123456” or “password” –password credentials.
Some of these results returned the names of the specific companies, including government agencies, their location, who their service providers are and the kind of vulnerability that can be exploited to gain access.
“Most of these software need to be updated and patched regularly but most people do not do that on their own computers,” explained Dr Mawudor.
In a conventional cooperate setting with dozens or hundreds of devices, the points of weaknesses are multiplied several times over.
“Just five lines of code are enough to make you compromise hundreds of systems in the network when you have such a hole and often, users do not know they have been compromised,” he explained.
“Software developers in Kenya code the same way and they make the same mistakes on the mobile apps they develop,” he reckons. “Some even copy paste code without editing properly and this means they also import vulnerabilities.”
This, according to Dr Mawudor, compromises applications every two days, which means that 90 per cent of the mobile applications in Kenya are vulnerable, presenting a loophole through which hackers can get access to users bank account, verification details, including passwords and PIN numbers.
Last month, Kenya was one of the countries caught up by the global WannaCry ransomware attack with the Communication Authority, stating that more than 19 servers had been compromised. However this represents only the number of firms that had reported the incident.
Experts concur that the number is exponentially more. The government says it is aware of the exposure that Kenyan Internet users and firms expose themselves to online and is working to implement country safeguards in cyberspace.
“We have the Computer and Cyber Crimes Bill and the Data Protection Bill that are supposed to create a legislative framework for combating cybercrime,” explained ICT Board acting Chief Executive Robert Mugo.
The crucial Bills have been long in development and will now have to wait for the 12th parliament before they are enacted.
“We are also looking to spend Sh5 billion in the next three-four years on putting up safeguards around the ongoing digitisation efforts in the public sector which we believe will help facilitate acquisition of digital security hardware and software,” stated Mr Mugo.
This however, might not be enough with experts stating that Kenya needs a minimum of 10,000 cyber security engineers in the next four years to advice companies and users on the emerging threats of a rapidly digitising world. “The key to security online even before you invest in buying equipment and software is the people,” explains Dr Mawudor.
“You need to sensitise and train your employees on digital hygiene especially when using company systems and software.” Companies have also been advised to put in place resilience programmes that dictate what to do in the event of an attack.
Responses can include taking infected servers offline, switching to back up systems or temporarily switching off the main network link depending on the nature of the attack.