Safaricom fixes router flaw that allow customers entry residence fibre without cost

Safaricom has mounted a long-standing technical loophole in its Dwelling Fibre community that allowed hundreds of shoppers to entry web service without cost or at a closely discounted charge. The problem dates again to a minimum of 2018 and was solely totally resolved in 2024.

The flaw, which insiders say price the corporate tens of hundreds of thousands of shillings in misplaced income, uncovered important weaknesses in Safaricom’s broadband infrastructure when the telco was increasing quickly. It additionally raises questions on inside controls, particularly as Safaricom cements its dominance in Kenya’s mounted web market.

The loophole stemmed from weak router authentication protocols on Safaricom’s mounted broadband community, two engineers conversant in the matter advised TechCabal. The system used Level-to-Level Protocol over Ethernet (PPPoE), which required each a username and a password. However whereas usernames have been distinctive to every consumer, a single, generic password was accepted throughout the board.

“Individuals would typically use somebody’s account quantity because the username and apply the overall password,” stated one of many engineers who spoke on situation of anonymity.

Safaricom didn’t reply to a request for remark.

The workaround was quietly exploited by customers and, in some circumstances, aided by Safaricom’s outsourced gross sales brokers. When a subscription lapsed, prospects might pay brokers—generally as little as KES 1,000 ($8)—to reset the router and enter new credentials. This may restore service with none official fee to Safaricom, bypassing the complete month-to-month costs that sometimes vary between KES 2,999 ($23) and KES 20,000 ($155).

“It grew to become frequent in sure areas,” one other engineer added. “The router can be reset, and somebody with entry to credentials would get the shopper again on-line with out Safaricom ever getting paid.”

As a result of the system solely allowed one session per account, this workaround labored finest with unused or expired accounts, a lot of which have been hijacked with out the information of authentic customers. In different circumstances, customers have been knowingly complicit within the scheme. Internally, the Safaricom fibre staff knew concerning the abuse, however the vulnerability proved troublesome to resolve shortly. Elements of the system relied on legacy infrastructure from the telco’s early fibre deployment days, and fixes would have required deep adjustments throughout the community backend. 

“This wasn’t one thing you would patch with one replace,” stated the engineer.

The problem continued for years as Safaricom quickly scaled its mounted broadband enterprise, including hundreds of latest connections month-to-month. However by 2024, Safaricom carried out long-overdue adjustments: distinctive, advanced passwords have been enforced for each account, and session restrictions have been tightened to make sure that no multiple connection per account might be lively at a time. It 

“If one have been to someway pay money for the username and password, they’d nonetheless not be capable to use it as just one session is allowed,” the engineer stated. 

Whereas Safaricom has not disclosed the precise income loss, inside estimates counsel that the loophole price the corporate tens of hundreds of thousands of Kenyan shillings—in all probability extra, over a number of years. Insiders say the losses might have been far higher had the vulnerability not been quietly managed and ultimately resolved.

In accordance with the newest regulator knowledge, Safaricom controls 36.5% of Kenya’s mounted web market and serves 678,118 prospects, making it the nation’s largest web service supplier.

Mark your calendars! Moonshot by TechCabal is again in Lagos on October 15–16! Be a part of Africa’s prime founders, creatives & tech leaders for two days of keynotes, mixers & future-forward concepts. Early fowl tickets now 20% off—don’t snooze! moonshot.techcabal.com