Experts fault Kenya’s cyber security after 18-month test

Kenya’s cyber security remains among the weakest in the world despite the central role technology has assumed in the country’s economy, experts warned on Thursday.

Millions of mobile phone subscribers and internet users remain exposed to snooping and data interception because the service providers are using outdated network security software, industry regulators were told.

Tyrus Muya, an information security expert at Euclid Consultancy, said that an 18-month test on the security of consumers using the four telecommunication networks had produced unsatisfactory results.

The consultant said he had managed to intercept voice traffic and obtain temporary secret keys for some subscribers, revealing the high level exposure. 

Mr Muya said all the four telecommunication service providers Essar, Airtel, Telkom and Safaricom are using old technology to encrypt information, making them susceptible to attacks.

The older technologies, A5/1 and A5/2, attracted global attention mid this year when a German cryptographer, Karsten Nohl, revealed that he was able to manipulate mobile handsets into granting access to device location, SMS functions and allow changes to voicemail number.

Telkom Kenya on Thursday said it had started migration to a safer platform.

Kenya’s four telecoms operators have a combined subscriber base of 30 million.

Digital security has become even more critical in the recent past because more than two thirds of the 30 million subscribers use mobile money transfer services or mobile banking that require high level security.

“Our survey has so far revealed that anyone with basic knowledge of encryption and GSM technology together with an investment of a Universal Software Radio Peripheral can gain access and listen to the voice communication from the four operators,” said Mr Muya, at an Information Security and Public Infrastructure forum, organized by ICT Authority.

The authority said the tests are meant to inform policy on regulation that will ensure the take the matter network security more seriously.

Mr Muya is among the growing number of local information security experts who are skilled in penetration testing on IT systems such as servers.

The tests are meant to determine vulnerability of such systems with the aim of sharing the acquired information with the affected parties or government agencies for purposes of policy formulation.  

The tests come at as ICT Authority and industry regulator the Communication Commission of Kenya (CCK) are working on an online identity and verification system popularly known as Public Key Infrastructure (PKI) that will give each user a unique online identity (digital certificate) they must apply whenever they take part in online transactions.

READ: Kenya to introduce digital signatures for online services

Evans Kahuthu, Information Security project manager at ICT Authority said that while the authority had not commissioned, Euclid, the findings from the research shows how vulnerable the entire country is.

“Every Kenyan has a right to know who they are transacting business with online and the only way to ensure this is to identify everyone. Most users have to struggle with trade-off between convenience and security and that is why PKI is crucial at this time,” said Mr Kahuthu.

The need for secure platform is also in line with global trends where most of its services such as government documents, e-commerce, e-banking, e-procurement and e-bidding are going digital.

Introduction of the PKI next year will require interested individuals to apply for a digital certificate using their name and ID number and later called in for a face-to-face authentication process by the Accredited Certificate Authority.