JTL Faiba Router Compromises in Nairobi

2025-03-26

Malicious hackers are configuring home routers to misdirect traffic.

Recently I've heard reports that their JTL Faiba home customers are receiving "insecure site" warnings when accessing HTTPS sites, and redirecting people to a Kenya-based sports betting site.

When accessing the internet, browsers are occasionally redirected to sites advertising gambling, and possibly other content.

This technique is called pharming, and is the result of DNS hijacking.

a JTL Faiba ZTE F670L router, hard at work

Jamii Telecommunication Ltd is the second biggest fixed-line internet provider in Kenya^[1]:

How does the issue present?

On browsing the web, you may see:

sites showing unexpected content
redirection to unexpected sites
security warnings when browsing to sites you trust

In Chrome, it looks something like this:

Partial screenshot from Chrome browser of warning that 'Your connection is not private' while trying to access basecamp.com

Also note the warning in the browser's address bar:

Screenshot of Chrome browser's address bar with https protocol struck through

If you log into your router's admin portal, you will see something like this in the DNS settings:

Screenshot of router's DHCP config, with malicious DNS servers configured

and

Screenshot of router's local network DNS config, with malicious DNS servers configured

What's going on, technically?

Malicious hackers are changing routers' upstream DNS server config to point to malicious DNS servers.

The DNS servers include:

IP address	Location^[2]
`77.73.131.151`	KZ, Kazakhstan
`83.147.255.216`	IR, Iran, Islamic Republic of
`89.208.105.113`	RU, Russian Federation
`185.174.137.240`	RU, Russian Federation

These malicious DNS servers are then redirecting some traffic to the wrong destination:

$ dig basecamp.com
...
basecamp.com.   20  IN  A 89.208.107.49

Here's how a well-behaved DNS server should respond:

$ dig @8.8.8.8 basecamp.com
...
basecamp.com.   300 IN  A 104.18.14.58
basecamp.com.   300 IN  A 104.18.15.58

Also, this misdirection is inconsistent: misdirected DNS results have a short time-to-live of 20 seconds, and will often return correct results.

This gives users on compromised networks a feeling of uncertainty about the problem - their WiFi is gaslighting them:

$ dig basecamp.com
...
basecamp.com.   20  IN  A 104.18.14.58

How did they get in?

Some JTL routers are configured by default to serve their admin pages at https://192.168.1.1, accessible over WiFi, and with default username admin, and password admin. These defaults are quite easy to guess.

Presumably:

there is some way to access the router configuration pages over a wider network, or
there is another mechanism for configuring these routers, or
already-compromised devices on the local network are being used to compromise the routers

What other risks are there?

There may be other malicious configurations being applied to these routers, or the routers may be compromised through the same mechanism for other nefarious purposes like building botnets.
If routers are being misconfigured through the local LAN or WiFi, there may be malicious devices with access to the network
Visits to websites may have been completely hijacked, e.g. banking sites. This is unlikely^[3].

How can you fix it?

Reset the router to factory settings
Change the router admin credentials
Change the WiFi SSID and password

Warning Warning!

You can access the router's admin portal at https://192.168.1.1.

This page should show a security warning just like the warnings above:

screenshot showing a DNS certificate warning when trying to access router config page at https://192.161.1.1

Confusingly, this warning is completely normal! You can safely click Advanced -> Proceed.

It's worth checking http://192.168.1.1 as well if you can't access your router over HTTPS. Some JTL routers of the same model are not accessible at all; it's unclear if these configuration differences are deliberate.

SSID

This is the WiFi network name.

Pick a name which doesn't contain personally-identifying information, and doesn't identify the router as being from JTL. An example of a bad name would be Peter Faiba.

Password

Pick a password which is hard to guess.

This could be 12+ random characters, or a long random phrase like correcthorsebatterystaple.

What equipment is affected?

So far, I've seen the following routers compromised:

Manufacturer: ZTE

Products:

GPON ONT
GPON Terminal

Models:

ZXHN F660 (2015)
F670L (2024)

Conclusion

If you think your Faiba internet is being weird, check the DNS settings!

Footnotes

^ First quarter sector statistics report for the financial year 2024/2025, p. 13 section 2.6
^ these locations were determined using linux util geoiplookup
^ If you did not ignore the browser certificate warnings, you are likely OK. It's still possible you were tricked in a "man-in-the-middle" attack, but there are various technical things which may have prevented this (described below). Also, man-in-the-middle attacks on a particular website require a level of customisation by the attackers which might not provide high enough return-on-investment when hacking Kenyan domestic customers.

If you access your banking through a mobile app, it's likely that the app uses certificate pinning, and would not be vulnerable to man-in-the-middle attacks.

For websites, well-secured sites use HSTS which means that sites you have visited previously on a particular device are not vulnerable to man-in-the-middle attacks.