Viral news story of botnet with 3 million toothbrushes was too good to be true

Posted by

An electric toothbrush

Getty Images | Science Photo Library

In recent days you may have heard about the terrifying botnet consisting of 3 million electric toothbrushes that were infected with malware. While you absent-mindedly attended to your oral hygiene, little did you know that your toothbrush and millions of others were being controlled remotely by nefarious criminals.

Alas, fiction is sometimes stranger than truth. There weren’t really 3 million Internet-connected toothbrushes accessing the website of a Swiss company in a DDoS attack that did millions of dollars of damage. The toothbrush botnet was just a hypothetical example that some journalists wrongly interpreted as having actually happened.

It apparently started with a January 30 story by the Swiss German-language daily newspaper Aargauer Zeitung. Tom’s Hardware helped spread the tale in English on Tuesday this week in an article titled, “Three million malware-infected smart toothbrushes used in Swiss DDoS attacks.”

Tom’s Hardware wrote:

According to a recent report published by the Aargauer Zeitung, around three million smart toothbrushes have been infected by hackers and enslaved into botnets. The source report says this sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company’s website. The firm’s site collapsed under the strain of the attack, reportedly resulting in the loss of millions of Euros of business.

In this particular case, the toothbrush botnet was thought to have been vulnerable due to its Java-based OS. No particular toothbrush brand was mentioned in the source report. Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits, but after a malware infection, these toothbrushes were press-ganged into a botnet.

Does that even make sense?

Security experts poked holes in the story, saying that the botnet description appeared to be a hypothetical and didn’t really make sense anyway. Security researcher Matthew Remacle called it nonsense on Tuesday, pointing out that smart toothbrushes just pair with phones via Bluetooth instead of connecting to the Internet directly.

“Supply chain compromise/backdoor in the toothbrush app would be like… the only way this story is even remotely true, because the phones have Internet and the toothbrushes don’t. But then it’s not a toothbrush botnet, it’s a run-of-the-mill phone botnet,” he wrote.

Security expert Robert Graham said there is “no evidence 3 million toothbrushes performed a DDoS,” and that the hypothetical offered by a security company was “misinterpreted by a journalist.”

“What the f*** is wrong with you people???? There are no details, like who is the target of the DDoS? what was the brand of toothbrushes? how are they connected to the Internet (hint: they aren’t, they are Bluetooth)?” Graham wrote.

Security firm: Fiction and reality were “blurred”

The hypothetical originally came from security company Fortinet. A 404 Media article yesterday that debunked the viral story quoted Fortinet as confirming that the botnet wasn’t real. “FortiGuard Labs has not observed Mirai or other IoT botnets target toothbrushes or similar embedded devices,” Fortinet said.

Tom’s Hardware has since updated its story, quoting Fortinet as explaining:

To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.

The Tom’s Hardware update quotes the German-language story on the toothbrush botnet as saying the incident “actually happened.” Running the German text through Google Translate produces the following: “This example, which seems like a Hollywood scenario, really happened.”

The German-language newspaper published a follow-up article today that quotes the Fortinet statement saying the toothbrush botnet wasn’t real.

Given the doubts about whether the scenario even makes sense as a hypothetical, we reached out to Fortinet to ask for details on how a toothbrush botnet could work if hackers were determined to make it happen. We’ll update this article if we get an answer.

“What’s next, malware-infected dental floss?”

In addition to Tom’s Hardware, ZDNet spread the fiction in English with a story titled, “3 million smart toothbrushes were just used in a DDoS attack. Really.”

“What’s next, malware-infected dental floss?” ZDNet asked. ZDNet acknowledged that it didn’t really happen in an updated version of the article that insists the attack “could happen.”

The Independent, a British online news site, backtracked in a similar way. Its original story was titled, “Millions of hacked toothbrushes used in Swiss cyber attack, report says.” The Independent’s new version is titled, “Millions of hacked toothbrushes could be used in cyber attack, researchers warn.”

Graham yesterday praised Fortinet for “doing the right thing” by clearly stating to media outlets that the botnet story was false. Though he faulted journalists for the misinterpretation, Graham also previously criticized Fortinet for making “vague, unsubstantiated claims” about “something that could happen.”

“The entire story is crap,” he wrote.