Earlier this week, a shocking story about a distributed denial of service (DDoS) attack perpetrated through a botnet of 3 million malware-infected electric toothbrushes took the media by storm.
Originating from a Swiss newspaper, the article (originally written in German) claimed that hackers had turned ordinary dental hygiene devices into cyberweapons, commandeering them to take down the website of an unnamed company from that country. Naturally, the story took the world by storm as onlookers started to worry that their various Internet of Things devices could already be an attack vector.
The source for this disturbing horror story was reportedly the IT security firm Fortinet – its Swiss division to be exact – which lent credibility to the tale. However, as the story propagated through international tech publications, cybersecurity experts began questioning the technical plausibility and vague sourcing.
Fortinet soon clarified that it was merely a “hypothetical example.” Here’s how the story unraveled to the point of becoming a viral tale that probably prompted a few to give up using their electric toothbrushes for a couple of days at least.
Botnets Hijack Internet-Connected Devices into DDoS Armies
For context regarding this bizarre internet tale, it’s important to understand botnets and distributed denial of service (DDoS) attacks. A botnet refers to a network of internet-connected devices infected with malware to carry out automated tasks. The malware uses the combined computing power and bandwidth of the devices to carry out its misdeeds.
The scale can range from a few computers to hundreds of thousands of devices. In DDoS campaigns, the controller directs the infected devices to send simultaneous requests that overwhelm and crash a server. High volumes of traffic flood the target until it cannot respond to legitimate access requests, often crashing entire systems.
The collapse of the target system tends to generate sizable losses for the victim due to the resulting downtime along with reputational damages. It can also be accompanied by threats from the bad actors behind the attack, who may have been hired by competing websites or companies to perform the assault. Some attackers even demand a ransom payment to stop the attacks.
DDoS attacks can be performed for multiple other reasons including distracting the target from another breach, communicating the hacker’s disagreement with a specific organization and its actions, goals, businesses, etc., or it can be an act of revenge or sheer spite.
In the story of the toothbrush attack, 3 million devices flooded a website in Switzerland, shutting it down for 4 hours and causing financial damages, according to the initial report. However, the mechanics of repurposing toiletries into such an army raised eyebrows immediately within the cybersecurity community.
Doubt Cast on Feasibility of Weaponizing Toothbrushes
“Supply chain compromise/backdoor in the toothbrush app would be like… the only way this story is even remotely true,” one security expert wrote about the tale. He added: “because the phones have Internet and the toothbrushes don’t.”
Unlike computers and smartphones, internet connectivity is not native to most electric toothbrushes. Instead, dental devices with any kind of wireless connectivity typically use Bluetooth to pair with applications that have been installed on the owner’s phone. While Bluetooth security itself carries vulnerabilities, the indirect linkage makes it difficult, if not impossible, to scale up a hack to that level.
Critiquing the credibility of the story even further, infosec expert Robert Graham asked in a furious Tweet:
“What the f*** is wrong with you people???? There are no details, like who is the target of the DDoS? What was the brand of toothbrushes? How are they connected to the Internet (hint: they aren’t, they are Bluetooth)?”
With industry veterans like Kevin Beaumont also calling the story false, pressure mounted on Fortinet to clarify the source.
Security Firm Fortinet Clarifies the Hypothetical Nature of the Story
In response to rising skepticism, Fortinet distanced itself from the story by denying that it had any factual basis and characterizing the scenario as a purely theoretical exercise.
“To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations, the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred”, a statement from Fortinet reads.
Aargauer Zeitung, the news outlet that initially reported “the story”, immediately pushed back, claiming that the original conversation portrayed the incident as a confirmed event with specific impacts.
Regardless of the initial communications, technology reporters are facing scrutiny for propagating an improbable narrative with what appears to be fairly minimal vetting. The media storm showed how easily a false narrative from one bad source can be legitimized simply by having multiple top outlets cover it. In updated coverage, many publications backpedaled by softening the language while maintaining the “warning” about connected device threats.
Dirk Schrader, VP of security research at Netwrix, said that “this kind of report does not help to secure smart devices.” He further explained, “While the theory is valid, and DDoS attacks abusing IoT devices have happened, it doesn’t give practical advice for consumers.”
This Isn’t New
This was also far from the only time that this kind of cybersecurity story has taken over tech news sites. Recently, the FBI released a warning about “juice jacking,” warning everyone to avoid public USB ports like those in airports. Reporters jumped on the story, making it seem like this was a widespread problem and that it was essential to avoid public chargers.
Theoretically, an attacker could maliciously access a device this way given enough time (and an old enough phone), but the chances that this has ever actually happened to modern phones in the real world are close to 0. Today’s phones are protected by immense security measures that make these attack vectors a nonissue.
The bizarre idea that a hacker would want to go through all of this trouble just to access a little bit of data from a random person’s phone in an airport makes the hysteria over juice jacking make even less sense. Like the toothbrush story, cybersecurity professionals eventually jumped in and revealed how unlikely juice jacking is and that no one should be worrying about it (unless you’re a government agent or something).
This Cautionary Tale Highlights the Need for Responsible Disclosures in Journalism
The international dustup offers a timely lesson in responsible disclosure for both companies and the media. As Internet of Things (IoT) gadgets increasingly introduce cyber risks to households, ethical reporting means:
- Clearly distinguishing hypotheticals from confirmed cases.
- Great care when translating sources in different languages.
- Prioritizing consumer education over shock value and click-bait types of stories.
- Avoiding vague cyber doomsday proclamations.
- Transparently correcting the record after clear misinterpretations are confirmed.
These considerations apply equally to vendors addressing security exposure in smart home tech. Even if they manage to demonstrate that risks exist through disturbing fantasy scenarios, ethical standards demand that instances where significant speculations and assumptions are made should be categorized as such and concretely differentiated from evidence-based research.
Otherwise, the next “dental disaster” might involve 3 million tubes of malware-infected, AI-powered toothpaste that were distributed to households in a certain country… Based on recent events, such a story may very well spark another cycle of viral misinformation.