Round 3 of the toothbrush DDoS debacle!

The story so far.

Round 1

The newspaper Aargauer Zeitung published an article claiming that three million IoT-connected toothbrushes had launched a distributed denial-of-service attack against a Swiss company, causing its website to be knocked over for four hours.

Hundreds of other news outlets retold the story, assuming it was true. But, it wasn’t true.

Where had Aargauer Zeitung got the story from? Well, they quoted a security researcher at Fortinet.

Round 2

After members of the cybersecurity industry (including yours truly) mocked or downright debunked the story as “total bollocks”, Fortinet stirred into action and issued a statement blaming a translation issue.

Round 3

So where are we now?

Well, ding ding! It’s Round 3, and Aargauer Zeitung has come out of its corner fighting.

In a new statement on its website, the newspaper claims that Fortinet had present the toothbrush DDoS attack as real (rather than hypothetical) and what is more the firm had shared specific details of what had occurred.

Here’s what the newspaper has said (computer-translated for us who don’t understand German):

What is now described by the Fortinet headquarters in California as a “translation problem” has listened to the research in a completely different way: Swiss Fortinet representatives have described the toothbrush case as a real DDoS attack at an appointment, which dealt with current threat situations.

Fortinet provided specific details: information on how long the attack paralysed the website of a Swiss company; a magnitude of how high the damage caused was. Out of consideration for their customer, Fortinet did not want to reveal which company it was.

The text was presented to Fortinet for verification before publication. The sentence that it was a real case that really happened was not obsessed.

The global management of Fortinet has now rowed back with its statement, which was sent to various international media. The company has failed to send it to CH Media. We have not yet received another statement from Fortinet.

Ouch.

Will Fortinet return for Round 4, or is that a knockout punch?

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts