Update 2 — 2/9/2024 6:30am PT: The security company at the nexus of the original report that three million toothbrushes were used in a DDOS attack has now retracted the story and claimed it was a result of a mistranslation — but according to the news outlet that published the initial report, that statement isn't true. The reports of this story are not based on a mistranslation by the media. The publication claims Fortinet presented the story as having actually happened and approved the text of the article, which had been submitted to Fortinet prior to publication.
Here's the Aargauer Zeitung's (the source of the story) statement on the matter (via Google Translate):
What the Fortinet headquarters in California is now calling a “translation problem” sounded completely different during the research: Swiss Fortinet representatives described the toothbrush case as a real DDoS at a meeting that discussed current threats -Attack described.
Fortinet provided specific details: information about how long the attack took down a Swiss company's website; an order of magnitude of how great the damage was. Fortinet did not want to reveal which company it was out of consideration for its customers.
The text was submitted to Fortinet for verification before publication. The statement that this was a real case that really happened was not objected to.
Fortinet's global management has now backtracked on its statement, which was sent to various international media outlets. The company also failed to send this to CH Media. We have not yet received any further statements from Fortinet."
EDIT 2/7/2024 — 3:30pm PT: Fortinet sent us a statement indicating that the report of the toothbrush attack is inaccurate:
"To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred." - Fortinet.
The original text of the source report read:
“She's in the bathroom at home, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.
This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become.” [Emphasis Added]
A German-language outlet reported on the story as having "actually happened," indicating the translation is accurate, and multiple German speakers have confirmed that the passage saying the attack "actually happened" is an accurate translation. It remains to be seen if Aargauer Zeitung (the original source) will issue a correction.
Original article:
According to a recent report published by the Aargauer Zeitung (h/t Golem.de), around three million smart toothbrushes have been infected by hackers and enslaved into botnets. The source report says this sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company’s website. The firm’s site collapsed under the strain of the attack, reportedly resulting in the loss of millions of Euros of business.
In this particular case, the toothbrush botnet was thought to have been vulnerable due to its Java-based OS. No particular toothbrush brand was mentioned in the source report. Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits, but after a malware infection, these toothbrushes were press-ganged into a botnet.
Stefan Züger from the Swiss branch of the global cybersecurity firm Fortinet provided the publication with a few tips on what people could do to protect their own toothbrushes – or other connected gadgetry like routers, set-top boxes, surveillance cameras, doorbells, baby monitors, washing machines, and so on.
“Every device that is connected to the Internet is a potential target – or can be misused for an attack,” Züger told the Swiss newspaper. The security expert also explained that every connected device was being continually probed for vulnerabilities by hackers, so there is a real arms race between device software/firmware makers and cyber criminals. Fortinet recently connected an ‘unprotected’ PC to the internet and found it took only 20 minutes before it became malware-ridden.
We don’t have the finer-grained details of the specific Swiss company targeted and suffered from the extremely costly DDoS attack. However, it is common for malicious actors to issue threats with monetary demands attached before weaponizing their DDoS zombie army. Perhaps the Swiss firm refused to pay up, or perhaps the malicious actors instigated this attack to show their muscle (teeth?) ahead of making any demands.
Though we don’t have the finer details of the DDoS story, it serves as yet another warning for device owners to do their best to keep their devices, firmware, and software updated; monitor their networks for suspicious activity; install and use security software; and follow network security best practices.
We've reached out to Fortinet for comment and will update this story as necessary.
Note: This article title originally read "Three million malware-infected smart toothbrushes used in Swiss DDoS attacks — botnet causes millions of euros in damages," but we altered that to represent the new developments.
