Safaricom rectifies years-long router vulnerability that let users illegitimately access home fiber network for free

Safaricom has rectified a technical flaw in its Home Fibre network that enabled free internet access for numerous subscribers.

In a recent development, Safaricom, Kenya's largest internet service provider, has acknowledged and rectified a technical loophole in its Home Fibre network that allowed customers to access internet services for free or at a discounted rate between 2018 and 2024.

The loophole, which cost Safaricom tens of millions of Kenyan shillings in lost revenue over several years, was primarily exploited using unused or expired accounts, often hijacked without the knowledge of legitimate users. Some users were knowingly complicit in the scheme, with outsourced sales agents quietly aiding the workaround.

The system used Point-to-Point Protocol over Ethernet (PPPoE) and required a unique username but accepted a single, generic password. This weakness in router authentication on Safaricom's fixed broadband network allowed multiple connections per account, a critical flaw that exposed gaps in the company's broadband infrastructure during its rapid expansion.

Safaricom, which controls 36.5% of Kenya's fixed internet market and serves 678,118 customers, did not respond to a request for comment regarding the issue. The exact amount of revenue lost due to this network loophole is not publicly available, as such details are typically confidential and not disclosed in public financial reports.

The loophole persisted for years, but by 2024, Safaricom implemented changes. Unique, complex passwords were enforced for every account, and session restrictions were tightened, effectively closing the loophole.
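The two conditions the article describes, more than one simultaneous session on an account and sessions on unused or expired accounts, can be audited from session accounting data. The following is an added example, not code from the article or from Safaricom; the record layout, account names, status values and session limit are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: (username, session_id, start, stop); stop=None means still online.
SESSIONS = [
    ("acct-1001", "s1", "2024-01-05T08:00", "2024-01-05T12:00"),
    ("acct-1001", "s2", "2024-01-05T09:30", "2024-01-05T10:15"),  # overlaps s1
    ("acct-1002", "s3", "2024-01-05T08:00", "2024-01-05T09:00"),
    ("acct-1002", "s4", "2024-01-05T09:00", "2024-01-05T11:00"),  # reconnect, no overlap
    ("acct-1003", "s5", "2024-01-05T07:00", None),                # expired, yet online
]
# Constructed billing state as of the audit time (assumed status values).
ACCOUNT_STATUS = {"acct-1001": "active", "acct-1002": "active", "acct-1003": "expired"}
MAX_SESSIONS = 1  # assumed policy: one PPPoE session per account


def _ts(value):
    # An open session is treated as lasting until the end of time.
    return datetime.fromisoformat(value) if value else datetime.max


def peak_concurrency(sessions):
    """Return {username: highest number of simultaneous sessions}."""
    events = defaultdict(list)
    for user, _sid, start, stop in sessions:
        events[user].append((_ts(start), 1))
        events[user].append((_ts(stop), -1))
    peaks = {}
    for user, evs in events.items():
        evs.sort()  # at equal timestamps a stop (-1) sorts before a start (+1)
        live = peak = 0
        for _when, delta in evs:
            live += delta
            peak = max(peak, live)
        peaks[user] = peak
    return peaks


def audit(sessions, status, limit=MAX_SESSIONS):
    """Flag accounts over the session limit or with sessions while not active."""
    findings = []
    for user, peak in sorted(peak_concurrency(sessions).items()):
        if peak > limit:
            findings.append((user, "concurrent_sessions", peak))
        state = status.get(user, "unknown")
        if state != "active":
            findings.append((user, "session_on_inactive_account", state))
    return findings
```

Sorting stop events ahead of start events at the same timestamp keeps a normal router reconnect from being reported as account sharing.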

The issue raises questions about internal controls at Safaricom, especially as it cements its dominance in Kenya's fixed internet market. Safaricom's response and any potential consequences of the network loophole will be closely watched by regulators, investors, and the public.

  1. The loophole in Safaricom's Home Fibre network, which cost the company millions due to free or discounted internet services since 2018, was enabled by weak router authentication protocols and exploited using unused accounts, often without the knowledge of legitimate users.
  2. The system's vulnerability, which was primarily due to the use of a single generic password, exposed weaknesses in Safaricom's broadband infrastructure during its rapid expansion, raising questions about internal controls within the company.
