It has been reported that three million electric toothbrushes have been hacked and abused for a highly disruptive distributed denial-of-service (DDoS) attack, but cybersecurity experts have rushed to question the claims.
The Swiss German-language daily newspaper Aargauer Zeitung published an article describing the alleged attack on January 30.
According to a machine translation of the article, cybercriminals installed malware on three million electric toothbrushes and used the compromised devices to simultaneously access the website of a Swiss company, which caused the site to go offline for four hours and caused millions of dollars in damages for the victim.
“This example, which seems like a Hollywood scenario, actually happened,” the article reads, suggesting that the information comes from a representative of cybersecurity vendor Fortinet.
Several mainstream and even some more technical and cybersecurity-focused publications picked up the story without questioning the claims. Several members of the cybersecurity community, however, immediately expressed doubts concerning the veracity of the story.
“The three million toothbrush botnet story isn’t true,” Kevin Beaumont, a reputable cybersecurity researcher wrote on Mastodon, later describing it as “total bollocks”.
Another reputable cybersecurity expert, Robert Graham, also commented on the story, pointing out that the information from Fortinet was likely misinterpreted.
Graham and others highlighted that smart electric toothbrushes are connected to smartphones and tablets via Bluetooth, not via the internet, which makes it impossible for them to directly launch DDoS or any other type of attack over the web.
Cybersecurity firm Malwarebytes published a blog post titled “How to tell if your toothbrush is being used in a DDoS attack”. The blog post’s body reads, “It’s not”.
Indeed, Fortinet clarified for SecurityWeek that “the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs.”
“It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred,” the company explained.
Fortinet has been tracking IoT botnets such as Mirai, which are responsible for significant DDoS attacks, but clarified that none of these botnets has been observed targeting toothbrushes or similar embedded devices.