For six years, Safaricom unknowingly ran what amounted to an honor system for internet access. A critical flaw in its Safaricom Home Fiber system meant that thousands of customers could bypass official billing entirely, accessing broadband services for free or at bargain-basement rates.

The vulnerability, which persisted from at least 2018 until 2024, turned Safaricom’s authentication system into something resembling a master key scenario.

While the company required customers to log in with both a username and password through Point-to-Point Protocol over Ethernet (PPPoE), the system accepted a single, universal password across all accounts.

This meant that anyone with knowledge of the generic password could potentially access the network using any valid account number as their username. To picture this, imagine if your bank accepted the same PIN for every account holder, and you just needed to know someone’s account number to get in.

What started as a technical oversight quickly evolved into an informal economy. Safaricom’s outsourced sales agents, who were supposed to help customers set up legitimate connections, became key players in this unauthorized network.

When customers’ subscriptions expired, these agents offered an alternative payment plan that had nothing to do with Safaricom’s official billing system.

For as little as KES 1,000, customers could pay agents to reset their routers and input new credentials. This restored their Home Fiber internet service without any money flowing to Safaricom, effectively bypassing monthly charges that typically ranged from KES 2,999 to 20,000.

The scheme worked especially well with expired or unused accounts. Many legitimate account holders remained completely unaware that their dormant connections were being hijacked to provide service to others.

In some cases, customers were knowingly complicit, essentially crowdsourcing their internet access through shared credentials.

Engineers familiar with the system described it as an open secret in certain neighborhoods. The word spread quietly through communities, creating pockets where nearly everyone knew someone who could get them back online for a fraction of the official price.

Safaricom’s technical team was aware of the vulnerability, but fixing it proved far more complicated than anyone anticipated. The flaw was embedded deep within the legacy infrastructure from the company’s early fiber deployment days.

The authentication system that enabled this workaround was built on older architectural decisions that seemed reasonable at the time but created cascading problems as the network scaled.

Engineers described it as needing to rebuild the foundation while the house was still occupied, a challenging task when you’re adding thousands of new customers every month.

The rapid expansion of Safaricom’s fiber network, which helped cement its position as Kenya’s dominant internet provider, ironically made the vulnerability harder to address.

Any comprehensive fix would require significant changes to backend systems that were actively serving hundreds of thousands of customers.

After years of revenue leakage, Safaricom finally implemented a comprehensive solution last year. The fix involved two key changes to its authentication system.

First, the company enforced unique, complex passwords for every single account, eliminating the universal password that had enabled the entire scheme.

Second, they tightened session restrictions to ensure that only one connection per account could be active at any given time, preventing the sharing of credentials across multiple locations.

The new system means that even if someone somehow obtains valid login credentials, they can’t use them unless the legitimate account holder is offline. This effectively ended the informal economy that had grown around shared internet access.
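The two conditions the fix targets can be checked directly: a password acting as a shared key across accounts, and one account holding sessions from more than one location at once. The audit below is an added example, not code from the article or from Safaricom's systems; the account numbers, passwords, and RADIUS-style accounting records are constructed.

```python
"""Audit a PPPoE credential store and accounting log for the two weaknesses
described above: a password shared across many accounts, and an account
active from two places at the same time.  All sample data is constructed."""
from collections import defaultdict
from hashlib import sha256

# Constructed sample: account number -> password.  Plaintext is used only so
# the shared value is visible; a real store would hold salted hashes, and the
# grouping below works just as well on those.
CREDENTIALS = {
    "HF-100001": "shared-password-EXAMPLE",
    "HF-100002": "shared-password-EXAMPLE",
    "HF-100003": "shared-password-EXAMPLE",
    "HF-100004": "Tq8!vLm#2zRp",   # unique, per-account password
}

# Constructed accounting events: (account, event, session_id, nas_ip)
ACCT_LOG = [
    ("HF-100001", "Start", "a1", "10.0.0.5"),
    ("HF-100001", "Start", "a2", "10.0.0.9"),   # second site, same account
    ("HF-100001", "Stop",  "a1", "10.0.0.5"),
    ("HF-100004", "Start", "b1", "10.0.0.7"),
]

def shared_password_accounts(creds, threshold=2):
    """Group accounts by password digest.  Any group reaching `threshold`
    means one password is serving as a master key for several accounts."""
    groups = defaultdict(list)
    for account, pw in creds.items():
        groups[sha256(pw.encode()).hexdigest()].append(account)
    return [sorted(a) for a in groups.values() if len(a) >= threshold]

def concurrent_sessions(log):
    """Replay Start/Stop events and report every account that ever had two
    live sessions, with the NAS addresses involved.  This is exactly the
    state a one-session-per-account policy should refuse to create."""
    live = defaultdict(dict)   # account -> {session_id: nas_ip}
    violations = {}
    for account, event, sid, nas in log:
        if event == "Start":
            live[account][sid] = nas
            if len(live[account]) > 1:
                violations[account] = sorted(set(live[account].values()))
        elif event == "Stop":
            live[account].pop(sid, None)
    return violations

if __name__ == "__main__":
    print("shared passwords:", shared_password_accounts(CREDENTIALS))
    print("concurrent sessions:", concurrent_sessions(ACCT_LOG))
```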

Although Safaricom has remained officially silent about the extent of its losses, internal estimates suggest the Home Fiber vulnerability cost the company tens of millions of Kenyan shillings over the years it remained unpatched.

Given the scale of the network and the number of customers potentially affected, the actual figure could be substantially higher.

Beyond lost subscription fees, resources were spent investigating usage patterns, implementing workarounds, and ultimately developing the fix that resolved the issue. There’s also the intangible cost to the company’s reputation and the potential impact on investor confidence.

Still, Safaricom has managed to maintain and expand its market leadership throughout this period. According to regulatory data, the company now controls 36.5% of Kenya’s fixed internet market, serving 678,118 customers as the country’s largest internet service provider.