IoT in Africa: Urgent Regulation Required
By: Tomslin Samme-Nlar
Globally, people are connecting more and more “things” to the Internet. Devices that were traditionally offline or dumb, like refrigerators, cars, watches, home cameras, air conditioners, door locks, agriculture monitoring devices, etcetera, are now being connected to the Internet. This is referred to as the “Internet of Things” (IoT). Using sensors, IoT devices collect data of some sort, which is then most likely shared over a network connection to a service provider, where some analysis is performed on the data. The analysis could then be used to make informed decisions or drive certain actions to be taken.
Africa has not been left behind by this trend of connecting things to the Internet, and there are some very interesting and innovative use cases of IoT on the continent. For example, IoT is used in protecting endangered Black Rhinoceros in Eastern and Central Africa from poachers, using a chip in the Rhino’s horn. In agriculture, it is used to connect remote smallholder farmers to markets. Both small and large farms also use IoT for water management, disease control and efficient fertilizer and resource use. In South Africa, IoT is used to measure energy usage by using smart meters. These examples show how important IoT technologies are to the growth of the African economy, considering the many challenges the continent is facing. Other potentially useful IoT solutions for Africa are remote local weather stations that let small local farmers determine weather conditions and changes more accurately for better crop yield, and proactive detection and prevention of infectious diseases. The latter could be particularly useful since the healthcare system is lacking and unable to handle disease outbreaks.
Unfortunately, if millions of IoT devices as designed today are rolled out on the continent, the Internet of Things could erode trust in connected things and has the potential to cause harm to both persons and the economy. IoT devices are largely being designed without security in mind. Many are sold with well-known default passwords, with no ability to update their firmware after they are sold, and with no encryption by design.
Though it is improving, African states have in the past had challenges with developing cybersecurity legal frameworks to fight cybercrime and govern Information and Communication Technology (ICT) critical infrastructure, so computers and networks generally have very weak security practices on the continent. This state of affairs, coupled with the nature of IoT attacks, makes it critical for African policymakers to put in place regulations that’ll promote the sale and use of IoT devices and services that meet some basic security best practices. Africa must and should learn from past IoT incidents in other parts of the world, like the Vegas casino fish tank attack, where a vulnerability in the fish tank’s thermostat was exploited to gain access to the casino’s network and steal data, which was sent back out through the thermostat to the cloud. Another is the Mirai botnet attack that knocked out popular and large websites like Twitter, SoundCloud, Spotify, and Shopify. With the Mirai attack, the adversaries took advantage of millions of IoT devices that were using default passwords to launch a massive Distributed Denial of Service (DDoS) attack on a large Domain Name System (DNS) service provider, Dyn.
African policymakers must ensure that millions of seemingly innocent devices are not used by adversaries to take down critical infrastructure that supports the continent’s fledgling digital economy. A 2016 study carried out by the African Union Commission and Symantec reports that in 2015, in South Africa alone, 67% of adults reported experiencing cybercrime, which is estimated to have cost the South African economy USD 242 million. The study also noted that more than one out of every seven mobile devices in Nigeria is currently infected with mobile malware. Another more recent study carried out by Serianu estimates the cost of cybercrime in Kenya at USD 210 million and in Nigeria at USD 649 million.
These statistics give an insight into how vulnerable Internet users on the continent are and just how exponentially the threat could increase if we were to add billions of “Things” connected to the Internet like farm sensors, smart city sensors and devices, health and fitness devices.
To realise its full potential and for IoT to contribute substantially to the African economy whilst preserving trust on the Internet, African policymakers need to implement awareness initiatives, effective policies, best practices and minimum standards for IoT devices. Some best practices that should be adopted include:
- No default passwords like the classic admin – admin username and password should be used on IoT devices. And if any IoT device is sold with a default password, the manufacturer should require the password to be changed after the first login.
- Policies that encourage stronger passwords like minimum password length, requiring the password string to have at least one uppercase letter, a number and special characters, should be enforced on IoT devices.
- Support for over-the-air updates. IoT device manufacturers should be able to update IoT firmware and software when security vulnerabilities are found.
- Encryption should be by design and at all points of the IoT ecosystem. Data on the IoT device must be encrypted, and the same applies to data in transit, when it is being transported to the cloud or other provider/storage. Once in the cloud/storage, the data must also be encrypted and not be accessible to unauthorized persons.
- There should be a security vulnerability disclosure policy from manufacturers and application developers.
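The first two practices in the list (a default password that cannot stay in use, and a minimum password policy) can be sketched as a first-login gate on the device. This is an added example, not code from the author; the `Device` class, the 12-character minimum and the list of known defaults are assumptions made for illustration.

```python
import hashlib, hmac, os, string

# Constructed sample of factory credentials that must never be accepted as a new password.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "root"}
MIN_LENGTH = 12  # assumption: the article asks for a minimum length but names no number

def policy_violations(password):
    """Return the rules from the list above that this password breaks."""
    problems = []
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("is a well-known default")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems

def _hash(password, salt):
    # Store a salted, slow hash instead of the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Device:  # hypothetical device login service
    def __init__(self, factory_password):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(factory_password, self.salt)
        self.must_change = True  # set at manufacture, cleared only by change_password()

    def login(self, password):
        """Return 'denied', 'change_required' or 'ok'."""
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, old, new):
        """Replace the password; returns the policy violations (empty on success)."""
        if self.login(old) == "denied":
            return ["old password incorrect"]
        problems = policy_violations(new)
        if not problems:
            self.salt = os.urandom(16)
            self.pw_hash = _hash(new, self.salt)
            self.must_change = False
        return problems
```

A device built this way treats `change_required` as the only state reachable with the factory password, so every other function stays locked until the owner sets a compliant one.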
Tomslin Samme-Nlar is a cyber security researcher and a postgraduate Cyber security, Strategy & Diplomacy candidate at Australian Defence Force Academy.
Email: firstname.lastname@example.org, Twitter: @tomsleen