JTL Faiba Router Compromises in Nairobi
2025-03-26
Malicious hackers are configuring home routers to misdirect traffic.
Recently I've heard reports that JTL Faiba home customers are receiving "insecure site" warnings when accessing HTTPS sites, and are being redirected to a Kenya-based sports betting site.
When accessing the internet, browsers are occasionally redirected to sites advertising gambling, and possibly other content.
This technique is called pharming, and is the result of DNS hijacking.

Jamii Telecommunication Ltd is the second biggest fixed-line internet provider in Kenya[1].
How does the issue present?
On browsing the web, you may see:
- sites showing unexpected content
- redirection to unexpected sites
- security warnings when browsing to sites you trust
In Chrome, it looks like the usual "Your connection is not private" certificate warning (screenshot not reproduced here). Also note the "Not secure" warning in the browser's address bar.
If you log into your router's admin portal, you will see unfamiliar upstream DNS servers in the DNS settings (the addresses are listed in the next section).
What's going on, technically?
Malicious hackers are changing routers' upstream DNS server config to point to malicious DNS servers.
The DNS servers include:
IP address | Location[2]
---|---
77.73.131.151 | KZ, Kazakhstan
83.147.255.216 | IR, Iran, Islamic Republic of
89.208.105.113 | RU, Russian Federation
185.174.137.240 | RU, Russian Federation
These malicious DNS servers are then redirecting some traffic to the wrong destination:
```
$ dig basecamp.com
...
basecamp.com. 20 IN A 89.208.107.49
```
Here's how a well-behaved DNS server should respond:
```
$ dig @8.8.8.8 basecamp.com
...
basecamp.com. 300 IN A 104.18.14.58
basecamp.com. 300 IN A 104.18.15.58
```
Also, this misdirection is inconsistent: the misdirected DNS results have a short time-to-live of 20 seconds, and the same malicious servers will often return correct results.
This gives users on compromised networks a feeling of uncertainty about the problem - their WiFi is gaslighting them:
```
$ dig basecamp.com
...
basecamp.com. 20 IN A 104.18.14.58
```
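A small checker for the two symptoms described above, written as an added example rather than code from the original post: it parses the answer section of `dig` output, compares the router's answer against a trusted resolver's answer, and flags both IP mismatches and the suspiciously short TTL. The rogue-server list is the table from this post; the 60-second TTL floor and the sample `dig` lines are constructed assumptions.

```python
import re

# Upstream DNS servers the post reports seeing in hijacked JTL routers.
ROGUE_DNS_SERVERS = {
    "77.73.131.151", "83.147.255.216", "89.208.105.113", "185.174.137.240",
}

# Matches an answer-section line such as "basecamp.com. 20 IN A 89.208.107.49".
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_a_records(dig_output):
    """Return a list of (ttl, ip) tuples for the A records in dig output."""
    records = []
    for line in dig_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3)))
    return records


def check_answers(local_output, trusted_output, ttl_floor=60):
    """Compare the router's answer with a trusted resolver's answer.

    'mismatch' is set when the router returned an IP the trusted resolver
    never returned; 'short_ttl' is set when any router answer has a TTL
    below ttl_floor (assumed threshold: hijacked answers in the post carry
    a 20-second TTL, the real resolver's answers carry 300 seconds).
    """
    local = parse_a_records(local_output)
    trusted_ips = {ip for _, ip in parse_a_records(trusted_output)}
    unexpected = sorted({ip for _, ip in local if ip not in trusted_ips})
    short = [ttl for ttl, _ in local if ttl < ttl_floor]
    return {
        "mismatch": bool(unexpected),
        "unexpected_ips": unexpected,
        "short_ttl": bool(short),
        "min_ttl": min((ttl for ttl, _ in local), default=None),
    }


def check_router_dns(configured_servers):
    """Return any configured upstream DNS servers that appear in the rogue list."""
    return sorted(s for s in configured_servers if s in ROGUE_DNS_SERVERS)


# Constructed sample answers, copied from the dig output quoted in the post.
ROUTER_ANSWER = "basecamp.com. 20 IN A 89.208.107.49\n"
TRUSTED_ANSWER = "basecamp.com. 300 IN A 104.18.14.58\nbasecamp.com. 300 IN A 104.18.15.58\n"

if __name__ == "__main__":
    print(check_answers(ROUTER_ANSWER, TRUSTED_ANSWER))
    print(check_router_dns(["185.174.137.240", "8.8.8.8"]))
```

Because the hijack is intermittent, run the comparison several times a minute apart; a single matching answer does not clear the router.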
How did they get in?
Some JTL routers are configured by default to serve their admin pages at https://192.168.1.1, accessible over WiFi, with the default username `admin` and password `admin`. These defaults are quite easy to guess.

Presumably:
- there is some way to access the router configuration pages over a wider network, or
- there is another mechanism for configuring these routers, or
- already-compromised devices on the local network are being used to compromise the routers
What other risks are there?
- There may be other malicious configurations being applied to these routers, or the routers may be compromised through the same mechanism for other nefarious purposes like building botnets.
- If routers are being misconfigured through the local LAN or WiFi, there may be malicious devices with access to the network.
- Visits to websites may have been completely hijacked, e.g. banking sites. This is unlikely[3].
How can you fix it?
- Reset the router to factory settings
- Change the router admin credentials
- Change the WiFi SSID and password
Warning!
You can access the router's admin portal at https://192.168.1.1.
This page should show a security warning just like the warnings above.
Confusingly, this warning is completely normal! You can safely click Advanced -> Proceed.
It's worth checking http://192.168.1.1 as well if you can't access your router over HTTPS. Some JTL routers of the same model are not accessible at all; it's unclear if these configuration differences are deliberate.
SSID
This is the WiFi network name.
Pick a name which doesn't contain personally-identifying information, and doesn't identify the router as being from JTL. An example of a bad name would be `Peter Faiba`.
Password
Pick a password which is hard to guess.
This could be 12+ random characters, or a long random phrase like `correcthorsebatterystaple`.
What equipment is affected?
So far, I've seen the following routers compromised:
- Manufacturer: ZTE
- Products: GPON ONT, GPON Terminal
- Models: ZXHN F660 (2015), F670L (2024)
Conclusion
If you think your Faiba internet is being weird, check the DNS settings!
Footnotes
[1] First quarter sector statistics report for the financial year 2024/2025, p. 13 section 2.6
[2] These locations were determined using the Linux utility `geoiplookup`.
[3] If you did not ignore the browser certificate warnings, you are likely OK. It's still possible you were tricked in a "man-in-the-middle" attack, but several technical mechanisms may have prevented this (described below). Also, man-in-the-middle attacks on a particular website require a level of customisation by the attackers which might not provide a high enough return-on-investment when hacking Kenyan domestic customers.
If you access your banking through a mobile app, it's likely that the app uses certificate pinning, and would not be vulnerable to man-in-the-middle attacks.
For websites, well-secured sites use HSTS, which means that sites you have visited previously on a particular device are not vulnerable to man-in-the-middle attacks.