Internet Traffic Tampering: Safaricom on the spot

CIPIT has been conducting network measurements on Kenyan Internet Service Providers (ISPs) since June 2016 using assorted techniques. Between 6 – 10 February 2017, our data indicated the presence of a middle-box on the cellular network of one provider, Safaricom Limited (AS33771) that had not previously presented any signs of traffic manipulation. Middle-boxes assume dual-use character in that they can be used for legitimate functions (e.g., network optimisation) and can simultaneously be used for traffic manipulation, surveillance and aiding censorship. We reached out to Safaricom and after our conversation, the signs disappeared but no official comment was made.

You can get the research brief here.

this validates my theory that Endace equipment is being installed at the KIXP or ISP level,one of the only middle boxes that can handle the kind of volumes Safaricom deals with on a daily…

So this was shared with me in another forum by Safaricom comms.

"We have noted CIPTs claim and wish to state categorically that Safaricom does not in any way alter internet traffic. In addition, Safaricom did reach out to CIPT through a conference call with our engineers on 24th February 2017, which we believed was the best way to engage on this issue as it is technical and both parties had a chance to express their position.
From our understanding, CIPT use an application called Ooniprobe to test whether there is any alteration of a packet sent through a particular ISPs network. It uses crowdsourcing to collect information about a network, which is later uploaded to an analytics server whose front-end is the website. In order to test tampering it makes use of detuned / altered / crafted HTTP parameters. The crafted HTTP packet is then directed towards dedicated servers that echo back HTTP header(s). The expectation is that such a crafted packet should not be subject to any form of network manipulation, even if the query used is wrong it should echo back as sent.
In the discussions we had with CIPT, we clarified that on our network, we strictly follow the correct formats of the HTTP version on the optimisation gateway, because packets are expected in the correct HTTP format as per agreed global standards (RFC 2616: Section 2.2). Any crafted or altered packets that violate the accepted correct HTTP formats generate an error. So by CIPT sending a packet that has its HTTP parameters detuned/altered, they would receive an error as explained above. This is not evidence of a middle box as now alleged.
We have also observed a concerning trend where entities use the same packet crafting methods mentioned above to defraud the ISP by tunneling traffic through zero rated sites (i.e. by-passing billing).
In summary, we have a standard ISP traffic optimizer whose sole purpose is to optimize quality of experience, to deliver service to our customers without bias, and does not alter traffic.
We further state that anyone testing our network within accepted RFC standards will be able to establish that our network does not in any way alter internet packets.”

  • Stephen Chege, Director – Corporate Affairs, Safaricom.

This was an actual confirmation that indeed they do have a middle-box. This is not an indication of any malice of any sorts, but it just shows that in fact a device that understands the HTTP protocol is present between the path of the probe and our control vantage point.

That is why we followed up, asked questions but unfortunately never got a final answer even after engaging the subject matter experts at Safaricom.

This method has been used to unmask censorship and surveillance equipment around the world like BlueCoat.

1 Like

I think Zuku just installed theirs on Friday. Some services including the Equitel App have refused to work on their network

Hello Dree.
What nudged you to your theory? Any experience, hints, incidences that triggered your thinking along those lines?

Hello Boaz. You may run the tests on your end using a mobile app (Android or iOS) or if you are on a Unix-based platform run from the terminal or browser

When you run the test (HTTP Invalid line request), you get the preliminary results on your end immediately and as the measurements are processed in the pipeline, they are sense-beaten to make sure they are not false-positives. Also, you should at the point of testing be on a direct connection with the ISP you want to test, not through a VPN. A VPN tests on the servers you are connecting through (if VPN is in Iceland, you will be testing the Icelandic network hosting your connection)

first,there was the wikileaks dossier that showed that the Kenya govt was exploring new ways of surveillance and capabilities to control/censor the internet locally.Recent events in Uganda made me realize that blocking the internet is a possibility but due to the value of technology and internet access locally an outright block of the internet is not feasible for the economy.So to mitigate this,the Govt had to find a way to block social media without affecting vital services offered over the internet,The dossier mentioned Endace and other foreign companies supplying equipment to african countries like Kenya,SA and guys like NSA,GCHQ e.t.c.So far no local incident has occurred but i believe the Govt already has the technical capabilities and will use them for the sake of National Security if violence erupts.

1 Like

Doing them and will keep my eyes open. But we should be aware if surveillance is not yet here, it’s coming.

Thanks for this one :+1:

So I did my tests and see for yourself Zuku.

I did three tests, one for Zuku, one for Safaricom and another for JTL, all on my Android phone, same location on the same app.

Safaricom was clean, Zuku and Faiba didn’t report tampering, but they (Zuku and Faiba) did report cases of possible censorship.

Cool. Thank you for running the tests.

I will review the measurements on the backend and get more details. Some false positives are ironed out in the pipeline before being posted on the public looking end (explorer.ooni)

Also, if you would like to dive into the data, there is an API for that: