A news story about the hacking of three million smart toothbrushes to create a massive botnet used to launch a distributed denial of service cyberattack against a Swiss organization has gone viral. However, many in the information security industry, including myself, have trouble finding evidence to support the story.
What’s Behind The Viral Story Of 3 Million Hacked Smart Toothbrushes?
Searching Google reveals that everything from national newspapers to online technology publications have picked up the viral story of three million hacked smart toothbrushes attacking an unnamed Swiss business by way of a DDoS botnet.
However, the headlines certainly raised a few eyebrows within the information security community online, not least because none of the reports offer specifics, and there is a distinct lack of technical explanation as to how such a massive botnet, one of the biggest on record, could have been created.
The story has arisen from comments provided to the Swiss publication by an engineer from the Swiss arm of security vendor Fortinet. I have contacted Fortinet for clarification regarding the root of this viral story and will provide an update if I hear back.
Security Experts Call BS On Toothbrush Botnet Story
One highly-respected industry veteran, Kevin Beaumont, better known as GossitheDog online, was quick to claim the story wasn’t true. Others such as Robert Graham, ErrataRob on Twitter/X, also called BS on the claim.
Meanwhile, at my request, Dirk Schrader, vice-president of security research at Netwrix, and a native German speaker, took a look at the original article that appeared in the Swiss newspaper Aargauer Zeitung. Schrader told me that the original article doesn’t mention any type or model of toothbrush, the name of the victim or the suspected perpetrator, or the motive behind the distributed denial of service attack.
“It appears to be a rather generic tale warning of the need to protect any device, large or small, connected to the internet,” Schrader says. “My feeling is that this is a theoretical and poorly explained example; later in the same piece there’s another such example of how to use open-source intelligence to infiltrate an organization.”
The Truth Behind The Viral Warning
Most smart toothbrushes connect to a phone app over Bluetooth Low Energy rather than joining a WiFi network, although some do have that capability. A BLE-only device has no internet connection of its own and so cannot send DDoS traffic at a remote target, which is why the claim that three million of them were hijacked is highly debatable. Without firm evidence, which I have asked Fortinet to provide, the clever money would agree with Schrader that this is a case of something lost in translation that has run wild.
Not that the underlying threat from so-called Internet of Things devices isn’t something to take seriously. It most certainly is. “While the theory is valid, and DDoS attacks abusing operational technology devices have happened in the past,” Schrader concludes, “this kind of report does not help to secure smart devices. It doesn’t give any advice about how to securely connect smart devices using multi-factor authentication features or something similar.”