A news story about the hacking of three million smart toothbrushes to create a massive botnet, used to launch a distributed denial of service attack against a Swiss organization, has gone viral. However, many in the information security industry, including me, have trouble finding any evidence to support it.
02/08 updates below. This article was originally published on February 7.
What’s Behind The Viral Story Of 3 Million Hacked Smart Toothbrushes?
A Google search shows that everything from national newspapers to online technology publications has picked up the viral story of three million hacked smart toothbrushes attacking an unnamed Swiss business by way of a DDoS botnet.
However, the headlines raised more than a few eyebrows within the information security community online, not least because none of the reports offers much by way of specifics, and none gives a technical explanation of how such a massive botnet, which would be one of the biggest on record, was built.
The story originates from comments made to the Swiss newspaper Aargauer Zeitung by an engineer from the Swiss arm of security vendor Fortinet. I have contacted Fortinet for clarification regarding the root of this viral story and will provide an update if I hear back.
Update February 8: A Fortinet spokesperson has provided the following statement:
“To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”
Update February 8: The author of the original article disputes the Fortinet narrative and insists the ‘example’ was presented as a real case.
The author of the original article published by Aargauer Zeitung, Ann-Kathrin Amstutz, contacted Forbes following today’s update to this story, which carried a statement from Fortinet claiming there was no real attack. That statement suggested that “due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.” However, Amstutz told Forbes that “In a statement today, Fortinet’s head office claimed that the scenario was hypothetical and that we had ‘stretched the narrative.’ We counter this with the report on how the article came about.”
Indeed, Amstutz was keen enough to rebut the claim that the narrative had been stretched in the original article that Aargauer Zeitung has now published a rebuttal, and it tells quite a different tale.
Although this is also in German, a machine translation reveals a very different story from the one Fortinet is portraying. The publication says that while Fortinet claims the toothbrush case was used as an example of a DDoS attack during an interview, the ‘example’ was, in fact, presented as reality.
“What is now called a ‘translation problem’ by the Fortinet headquarters in California, sounded very different during the research. Swiss Fortinet representatives described the toothbrush case as a real DDoS attack at a meeting that was about current threat situations. Fortinet provided concrete details: information about how long the attack paralyzed the website of a Swiss company and an order of magnitude of how much the damage incurred was. Fortinet did not want to disclose which company it was out of consideration for its customer.”
The rebuttal goes as far as to state that the text of the original article was forwarded to Fortinet for verification before it was published and “The sentence that it is a real case that really happened in this way was not objected to.”
The email that was sent by Fortinet that included the statement I published as an update to this story actually included some more information that I did not publish at the time. However, in light of the newly published rebuttal, I think it should be added now. This is what else the Fortinet spokesperson had to say:
“The Mirai botnet has been dethroned from its #1 position. In the 2H 2022 Global Threat Landscape Report from FortiGuard Labs, which was released on February 22, 2023, Mirai sat at #1 in terms of Volume per Organization. Between Q3 and Q4 2023, Mirai volume of command-and-control detection subsided 36% and now currently sits at #5. FortiGuard Labs has not observed Mirai or other IoT botnets target toothbrushes or similar embedded devices.”
I have reached out to Fortinet once more with this new information, and I will update the story if there is any further communication.
Security Experts Call BS On Toothbrush Botnet Story
One highly respected industry veteran, Kevin Beaumont, better known online as GossitheDog, was quick to say the story wasn’t true. Others, such as Robert Graham (ErrataRob on Twitter/X), also called BS on the claim.
Meanwhile, at my request, Dirk Schrader, vice-president of security research at Netwrix, and a native German speaker, took a look at the original article that appeared in the Swiss newspaper Aargauer Zeitung. Schrader told me that the original article doesn’t mention any type or model of toothbrush, the name of the victim or the suspected perpetrator, or the motive behind the distributed denial of service attack.
“It appears to be a rather generic tale warning of the need to protect any device, large or small, connected to the internet,” Schrader says. “My feeling is that this is a theoretical and poorly explained example; later in the same piece there’s another such example of how to use open-source intelligence to infiltrate an organization.”
The Truth Behind The Viral Warning
Most smart toothbrushes connect over Bluetooth Low Energy rather than Wi-Fi, although some models do have Wi-Fi capability. A BLE-only device has no internet connection of its own; it talks to a companion app on a phone, so it cannot be commandeered into an internet-facing botnet in the way a poorly secured Wi-Fi camera or home router can. Even for Wi-Fi-capable models, whether three million could have been compromised is highly debatable. Without firm evidence, which I have asked Fortinet to provide, the smart money would agree with Schrader that this is a case of something lost in translation that has run wild.
Not that the underlying threat from so-called Internet of Things devices isn’t something to take seriously. It most certainly is. “While the theory is valid, and DDoS attacks abusing operational technology devices have happened in the past,” Schrader concludes, “this kind of report does not help to secure smart devices. It doesn’t give any advice about how to securely connect smart devices using multi-factor authentication features or something similar.”