{"id":6839,"date":"2025-07-19T21:34:17","date_gmt":"2025-07-19T21:34:17","guid":{"rendered":"https:\/\/www.newsbeep.com\/au\/6839\/"},"modified":"2025-07-19T21:34:17","modified_gmt":"2025-07-19T21:34:17","slug":"safaricom-fixes-router-flaw-that-let-users-access-home-fibre-for-free","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/au\/6839\/","title":{"rendered":"Safaricom fixes router flaw that let users access home fibre for free"},"content":{"rendered":"<p>Safaricom has fixed a long-standing technical loophole in its <a href=\"https:\/\/internet.safaricom.co.ke\/home#packages\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Home Fibre network<\/a> that allowed thousands of customers to access internet service for free or at a heavily discounted rate. The issue dates back to at least 2018 and was only fully resolved in 2024.<\/p>\n<p>The flaw, which insiders say cost the company tens of millions of shillings in lost revenue, exposed critical weaknesses in Safaricom\u2019s broadband infrastructure when the telco was expanding rapidly. It also raises questions about internal controls, especially as Safaricom cements its dominance in Kenya\u2019s fixed internet market.<\/p>\n<p>The loophole stemmed from weak router authentication protocols on Safaricom\u2019s fixed broadband network, two engineers familiar with the matter told TechCabal. The system used Point-to-Point Protocol over Ethernet (PPPoE), which required both a username and a password. But while usernames were unique to each user, a single, generic password was accepted across the board.<\/p>\n<p>\u201cPeople would often use someone\u2019s account number as the username and apply the general password,\u201d said one of the engineers who spoke on condition of anonymity.<\/p>\n<p>Safaricom did not respond to a request for comment.<\/p>\n<p>The workaround was quietly exploited by users and, in some cases, aided by Safaricom\u2019s outsourced sales agents. 
When a subscription lapsed, customers could pay agents\u2014sometimes as little as KES 1,000 ($8)\u2014to reset the router and input new credentials. This would restore service without any official payment to Safaricom, bypassing the full monthly charges that typically range between <a href=\"https:\/\/techcabal.com\/2024\/09\/23\/safaricom-internet-speeds-upgraded\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">KES 2,999 ($23) and KES 20,000 ($155).<\/a><\/p>\n<p>\u201cIt became common in certain areas,\u201d another engineer added. \u201cThe router would be reset, and someone with access to credentials would get the customer back online without Safaricom ever getting paid.\u201d<\/p>\n<p>Because the system only allowed one session per account, this workaround worked best with unused or expired accounts, many of which were hijacked without the knowledge of legitimate users. In other cases, users were knowingly complicit in the scheme. Internally, the Safaricom fibre team knew about the abuse, but the vulnerability proved difficult to resolve quickly. Parts of the system relied on legacy infrastructure from the telco\u2019s early fibre deployment days, and fixes would have required deep changes across the network backend.\u00a0<\/p>\n<p>\u201cThis wasn\u2019t something you could patch with one update,\u201d said the engineer.<\/p>\n<p>The issue persisted for years as Safaricom rapidly scaled its fixed broadband business, adding thousands of new connections monthly. But by 2024, Safaricom implemented long-overdue changes: unique, complex passwords were enforced for every account, and session restrictions were tightened to ensure that no more than one connection per account could be active at a time. 
It\u00a0<\/p>\n<p>\u201cIf one were to somehow get hold of the username and password, they would still not be able to use it as only one session is allowed,\u201d the engineer said.\u00a0<\/p>\n<p>While Safaricom has not disclosed the exact revenue loss, internal estimates suggest that the loophole cost the company tens of millions of Kenyan shillings\u2014probably more, over several years. Insiders say the losses could have been far greater had the vulnerability not been quietly managed and eventually resolved.<\/p>\n<p>According to the latest regulator data, Safaricom controls 36.5% of Kenya\u2019s fixed internet market and serves 678,118 customers, making it the country\u2019s largest internet service provider.<\/p>\n","protected":false},"excerpt":{"rendered":"Safaricom has fixed a long-standing technical loophole in its Home Fibre network that allowed thousands of customers 
to&hellip;\n","protected":false},"author":2,"featured_media":6840,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[64,63,237,105],"class_list":{"0":"post-6839","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-internet","8":"tag-au","9":"tag-australia","10":"tag-internet","11":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/6839","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/comments?post=6839"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/6839\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media\/6840"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media?parent=6839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/categories?post=6839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/tags?post=6839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}