Security firm now says toothbrush DDOS attack didn't happen, but source publication says company presented it as real

Toothbrushes
(Image credit: Shutterstock (2275365833))

Update 2 — 2/9/2024 6:30am PT: The security company at the nexus of the original report that three million toothbrushes were used in a DDOS attack has now retracted the story and claimed it was a result of a mistranslation — but according to the news outlet that published the initial report, that statement isn't true. The reports of this story are not based on a mistranslation by the media. The publication claims Fortinet presented the story as having actually happened and approved the text of the article, which had been submitted to Fortinet prior to publication.

Here's the Aargauer Zeitung's (the source of the story) statement on the matter (via Google Translate):

What the Fortinet headquarters in California is now calling a “translation problem” sounded completely different during the research: Swiss Fortinet representatives described the toothbrush case as a real DDoS at a meeting that discussed current threats -Attack described.

Fortinet provided specific details: information about how long the attack took down a Swiss company's website; an order of magnitude of how great the damage was. Fortinet did not want to reveal which company it was out of consideration for its customers.

The text was submitted to Fortinet for verification before publication. The statement that this was a real case that really happened was not objected to.

Fortinet's global management has now backtracked on its statement, which was sent to various international media outlets. The company also failed to send this to CH Media. We have not yet received any further statements from Fortinet."

EDIT 2/7/2024 — 3:30pm PT: Fortinet sent us a statement indicating that the report of the toothbrush attack is inaccurate:

"To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred." - Fortinet. 

The original text of the source report read:

“She's in the bathroom at home, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.

This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become.” [Emphasis Added]

A German-language outlet reported on the story as having "actually happened," indicating the translation is accurate, and multiple German speakers have confirmed that the passage saying the attack "actually happened" is an accurate translation. It remains to be seen if Aargauer Zeitung (the original source) will issue a correction. 

Original article:

According to a recent report published by the Aargauer Zeitung (h/t Golem.de), around three million smart toothbrushes have been infected by hackers and enslaved into botnets. The source report says this sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company’s website. The firm’s site collapsed under the strain of the attack, reportedly resulting in the loss of millions of Euros of business.

In this particular case, the toothbrush botnet was thought to have been vulnerable due to its Java-based OS. No particular toothbrush brand was mentioned in the source report. Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits, but after a malware infection, these toothbrushes were press-ganged into a botnet.

Stefan Züger from the Swiss branch of the global cybersecurity firm Fortinet provided the publication with a few tips on what people could do to protect their own toothbrushes – or other connected gadgetry like routers, set-top boxes, surveillance cameras, doorbells, baby monitors, washing machines, and so on.

“Every device that is connected to the Internet is a potential target – or can be misused for an attack,” Züger told the Swiss newspaper. The security expert also explained that every connected device was being continually probed for vulnerabilities by hackers, so there is a real arms race between device software/firmware makers and cyber criminals. Fortinet recently connected an ‘unprotected’ PC to the internet and found it took only 20 minutes before it became malware-ridden.

We don’t have the finer-grained details of the specific Swiss company targeted and suffered from the extremely costly DDoS attack. However, it is common for malicious actors to issue threats with monetary demands attached before weaponizing their DDoS zombie army. Perhaps the Swiss firm refused to pay up, or perhaps the malicious actors instigated this attack to show their muscle (teeth?) ahead of making any demands.

Though we don’t have the finer details of the DDoS story, it serves as yet another warning for device owners to do their best to keep their devices, firmware, and software updated; monitor their networks for suspicious activity; install and use security software; and follow network security best practices.

We've reached out to Fortinet for comment and will update this story as necessary. 

Note: This article title originally read "Three million malware-infected smart toothbrushes used in Swiss DDoS attacks — botnet causes millions of euros in damages," but we altered that to represent the new developments. 

TOPICS
Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.

  • PEnns
    Somebody remind please, again: Why does something like a toothbrush need to be connected??

    People are really asking for trouble with this kind of "let's connect everything...because it's so cool"!
    Reply
  • peachpuff
    PEnns said:
    Somebody remind please, again: Why does something like toothbrush need to be connected??

    People are really asking for trouble with this kind of "let's connect everything...because it's so cool"!
    To get on the toothbrush leader board... duh.
    Reply
  • Phaaze88
    'Smart' toothbrushes... holy crap, humanity.
    Insert that saying about, 'because we can, doesn't mean we should'.

    Replace the word smart with dumb.
    Reply
  • chaz_music
    In general if the product name has "smart" as part of its description, you should be very wary.

    The amount of engineering effort needed to make IoT devices truly secure on the Internet is substantial, and many times the engineering team is rather green and not knowing what they don't know. Add to this that many companies will outsource their product development to design groups only based upon cost of the project, you end up with catastrophes like this story. Even larger companies like HP have had problems with IoT printers and they had to go through growing pains to get the security right, with lots and lots of reuse of code, checks, etc. And most design teams are only cost focused, and don't want to add the cost of using more mature RF/networking products with the included code stacks such as by TI, Laird, Qualcomm, NXP, etc.

    So far, I have read about or myself found compromised devices in nearly all market areas: garage door openers, refrigerator, printers (why have Internet printing??!), smart doorbell cameras with off site recording, inexpensive network switches, smart LED lights (often color changing types), cars, RVs, phones (my goodness, that just makes you want to say damnit!), and now toothbrushes. And the hacked system vector is not always WiFi, as there are many other RF systems with another popular one to goof up being Bluetooth. The first automotive Bluetooth systems could be easily compromised, with one car type being used in a proof of concept in which the car was controlled by a passing car and the brakes were locked up while the car was traveling at highway speeds, triggering the anti lock brakes. And think about the Hyundai and Kia vehicles that can easily be stolen with a USB device. Same stuff.

    One of my biggest scare was not even with an RF based device but instead an Ethernet connected SCADA device from many years ago. It had a huge installed base, and it was sending data back on forth through the network using ... ASCII. Yep. And it was SCADA. Used in power plants, substations, transformers, generators, ...

    So the culprits are:
    1. Businesses only counting R&D and BOM costs, with virtually no consequence for poor security quality.
    2. Complacent and less knowledgeable engineers who are completely in charge of making serious decisions about cost vs. security.
    3. Designing IoT tech into devices and leaving the update complexity up to the user. In my opinion, the user should never be required to be in the technology loop to make their devices safe. This is not the same as when it is used based upon common knowledge (driving a car, drinking hot coffee).

    The expected long term fix for industrialized nations is going to be more safety agency regulations, So think of UL in the US and CE/IEC in Europe. These protect the consumer from poorly designed products, but these always add cost (no free lunch). I hate going in that direction because it will cause many clever products to go away, and others to never come to market.
    Reply
  • Murissokah
    Not trying to pick on Java, but why do you need Java on a toothbrush?
    Reply
  • Giroro
    Murissokah said:
    Not trying to pick on Java, but why do you need Java on a toothbrush?
    That ones easy: Because it's cheaper to have first-year computer scientists ridiculously overbuild the system with off the shelf demo code than to hire electronics engineers who know how to write efficient firmware.
    The toothbrush probably has (and maybe needs) a multi-core ARM CPU as well, because you can just pass that extra $1 in hardware costs off to the customer in the $300+ asking price I know Philips/Oral-B charges for the smart version of a toothbrush with near identical brushing performance to the $30 non-smart version.
    Reply
  • newtechldtech
    PEnns said:
    Somebody remind please, again: Why does something like toothbrush need to be connected??

    People are really asking for trouble with this kind of "let's connect everything...because it's so cool"!

    to sell them expensive 10 times the cost. it is all abut the $ and fooling the masses
    Reply
  • Giroro
    I sort-of understand how a marketing executive could want the company to sell a Bluetooth toothbrush.
    App tracking enabling access to a customer's sellable information, a branded billboard app icon on the users phone, etc etc. All the usual reasons to have an app. You can sell it to customers as having a fancy timer or whatever. I kinda get it.

    But why in the world would they pay engineers to enable wifi in the thing? It's probably built into their SoC, but like this has to be enabled by accident, right?
    This is some kind of backdoor thing?
    What's the selling point, revenue stream, or perceived value to the customer? You already have all you can get from Bluetooth, so why spend money on dev time to add in menus and get the wifi working?
    Reply
  • voodoochicken
    Watch out for those IoT Swiss Army Knives
    Reply
  • evdjj3j
    Smart toothbrushes for dumb people.
    Reply