The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world

Here are a few headlines from the last 24 hours or so, about a supposed smart toothbrush botnet launching a distributed denial-of-service (DDoS) attack:

And there were many more…

The reports were inspired by a report last week in the Swiss newspaper Aargauer Zeitung.

The German-language article certainly starts dramatically. Here’s a computer-generated translation of its opening paragraphs:

She’s at home in the bathroom, but she’s part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it – like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.

This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become. It shows how versatile digital attacks have become. “Each device connected to the Internet is a potential goal – or can be misused for an attack,” says Stefan Züger. He is responsible for the Switzerland offshoot of the cybersecurity specialist Fortinet, based in Dietlikon in Zurich, the system technology division. Whether baby monitor, web camera or the electric toothbrush, do not care.

There’s an issue with Aargauer Zeitung‘s report. It didn’t actually happen.

The story is fiction. Three million smart toothbrushes didn’t launch a DDoS attack against a Swiss company.

If they really had launched the attack, Fortinet’s PR team would surely have been pushing out the news left, right, and centre. But Fortinet’s social media accounts and press release archives are silent.

Fortinet declined to comment to those cybersecurity news outlets or the security researchers that bothered to ask for some details.

None of this has stopped numerous newspapers and websites around the world from repeating the Beware, your electric toothbrush may have been hacked” headline, because…

…well, because it makes such a good story.

An untrue story, of course. But a great story nonetheless.

And yes, the general public should know about the risks of unsecured IoT devices. But journalists and cybersecurity vendors must avoid presenting made-up stories as fact. Otherwise, no one will believe genuine news.

Fortinet could have corrected the story, making it clear that it wasn’t true, but just an example of something that could potentially happen. Instead, it chose to keep its err.. mouth shut instead.

Maybe it enjoyed the attention and media exposure.

It certainly doesn’t seem to harm their share price.

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts