Security

3 Million Malware-Infected Smart Toothbrushes Used In Swiss DDoS Attacks [UPDATE] (tomshardware.com) 56

An anonymous reader quotes a report from Tom's Hardware: According to a recent report published by the Aargauer Zeitung (h/t Golem.de), around three million smart toothbrushes have been infected by hackers and enslaved into botnets. The source report says this sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company's website. The firm's site collapsed under the strain of the attack, reportedly resulting in the loss of millions of Euros of business. In this particular case, the toothbrush botnet was thought to have been vulnerable due to its Java-based OS. No particular toothbrush brand was mentioned in the source report. Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits, but after a malware infection, these toothbrushes were press-ganged into a botnet.

Stefan Zuger from the Swiss branch of the global cybersecurity firm Fortinet provided the publication with a few tips on what people could do to protect their own toothbrushes -- or other connected gadgetry like routers, set-top boxes, surveillance cameras, doorbells, baby monitors, washing machines, and so on. "Every device that is connected to the Internet is a potential target -- or can be misused for an attack," Zuger told the Swiss newspaper. The security expert also explained that every connected device was being continually probed for vulnerabilities by hackers, so there is a real arms race between device software/firmware makers and cyber criminals. Fortinet recently connected an 'unprotected' PC to the internet and found it took only 20 minutes before it became malware-ridden.
UPDATE 1/7/24: This attack "didn't actually happen," writes Jason Koebler via 404 Media. "There are no additional details about this apparent attack, and most of the article cites general research by a publicly traded cybersecurity company called Fortinet which has detected malicious, hijacked internet of things devices over the years. A search on Fortinet's website shows no recent published research about hacked smart toothbrushes."

The cybersecurity firm Fortinet said in a statement: "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred. FortiGuard Labs has not observed Mirai or other IoT botnets target toothbrushes or similar embedded devices."
This discussion has been archived. No new comments can be posted.

  • Yay fake news (Score:5, Informative)

    by Jeslijar ( 1412729 ) on Tuesday February 06, 2024 @07:06PM (#64220742) Homepage
  • Not this time.

  • At some point, I think the victim should be allowed to sue the manufacturers of such devices.

    It's the only way it's going to stop this problem from spiraling out of control.

    • Ooops. My bad. The story isn't true.

    • by RedK ( 112790 )

      Fake story aside, people should stop buying Internet connected things.

      Like nothing but your phone and PC need to be connected to the Internet. No lights, no heating, no nothing. Use old school thermostats and switches. You can open the fridge door to see if you need mayo and write it on a pad magnetically attached to the fridge door if you do.

  • by kellin ( 28417 ) on Tuesday February 06, 2024 @07:22PM (#64220772)

    In Soviet Russia toothb... oh wait, nevermind.

  • Why. (Score:4, Insightful)

    by Jarik C-Bol ( 894741 ) on Tuesday February 06, 2024 @07:24PM (#64220776)
    Why, I ask; does *anyone* want an INTERNET CONNECTED TOOTHBRUSH. This reminds me of the line I read several years ago,
    “I needed to charge my phone, but my friend was using the only outlet to charge his book and cigarette. The future is stupid.”
    I know this stupid ‘smart’ toothbrush will be sold on the merits of ‘track your brushing habits, ensure you brush long enough, automatically re-order brush heads, compete with your friends on social media for most hours spent brushing’ and other, pointless ‘features’. This is all stupid.
    • Why, I ask; does *anyone* want an INTERNET CONNECTED TOOTHBRUSH.

      It mines cryptocurrency while on the charger.

      On a more serious note, the next hack will probably have the 3M toothbrushes mining crypto for the hacker.

      • I was wondering where I could buy internet connected knives and forks. By knowing what we eat, could organize menus...

        Hey, I think I will try to get funding with such a good idea.

        • by drnb ( 2434720 )

          I was wondering where I could buy internet connected knives and forks. By knowing what we eat, could organize menus...

          Hey, I think I will try to get funding with such a good idea.

          v1.0 will probably have to limit its goal to portion control. How much the forks and knives are in motion.

          v2.0 is where you can add the cameras to identify the food being eaten.

          Don't try to do too much in v1.0, you're less likely to get investors. Good luck.

    • Why, I ask; does *anyone* want an INTERNET CONNECTED TOOTHBRUSH.

      Remember how we used to joke here about people trying to network their toasters? Yep, we're there.

  • Ya, but ... (Score:5, Funny)

    by fahrbot-bot ( 874524 ) on Tuesday February 06, 2024 @07:27PM (#64220778)

    ... the toothbrush botnet was thought to have been vulnerable due to its Java-based OS.

    Despite the apparent use of FLOSS, this can't simply be brushed off and the perpetrators won't receive a plaque for their achievement.

    • Anyone working on a pull request?

      • by ls671 ( 1122017 )

        Why the heck is it called a "pull request" by GitHub users? You can "pull" all you want but it won't change anything if the code isn't merged. That's why it is called a "merge request", I always use the term "merge request".

        • by hawk ( 1151 )

          > Why the heck is it called a "pull request" by GitHub users?

          *that* uncle and his finger, of course!

  • Am I the only one that loves that this happened?

  • by magnetar513 ( 1384317 ) on Tuesday February 06, 2024 @07:27PM (#64220786)
    this was a result of using BlueTooth technology? Remember to tip your waitress.
  • by SvnLyrBrto ( 62138 ) on Tuesday February 06, 2024 @07:36PM (#64220800)

    Okay... unlike, it seems, a lot of slashdot these days; I remain wholeheartedly optimistic, impressed, and enthusiastic about technological progress; and by no means want it to stop. But smart toothbrushes? Why are these even a thing???

    I mean... I use a Sonicare myself. And it does the thing where it beeps to remind me to switch from front to back then top to bottom and shuts off when done. But that's just a timer. Just how in the name of almighty Cthulhu's butthole would WiFi and an internet connection ever benefit my teeth cleanings? Do they have sensors to monitor and make sure everything is properly cleaned? 'Cuz that's the only possible use I can think of for an online toothbrush. And I've been brushing my teeth my entire life. I don't think I need any online guidance or to post to HealthKit when I do.

    • Parenting made easy.

      1. Give kids 'smart' toothbrush.
      2. Give kids 'smart' electric shock bracelet.
      3. IFTTT toothbrush not used by 8am, bracelet turns on.

      • That isn't parenting, it is jail keeping. I was going to say keeping a pet, but maybe that is too far since I have yet to see a pet collar that zaps a child if they go past the property line.
    • by Tom ( 822 )

      I was in the market for a new one recently, and today I pat myself a bit on the shoulder for not picking the next-up model which would've had "smart" features. So yes, exactly what you say: The "smart" features are essentially a "nanny-me" package. It would report when and for how long you cleaned your teeth and if you did it properly. You know, if you like to make a spreadsheet out of your morning routine. I see about... 23 customers world-wide for whom that would be a god-given amazing feature that they re

  • They lost me when they talked about the toothbrush running java.

    • That's the moment that got me! The whole thing went from preposterous to magical.

      I wonder about two meetings. The first, committing to the idea of an online toothbrush (WTF). The second, the decision to use Java to power the idea (WTF^2).

      And then the events. First, people bought the thing, millions of people (WTF). The second, someone thought to target the toothbrushes (not surprising really).

      It's a fantastic story about an idea where crazy people (everyone involved) realize their whims creating and ex

      • Hah, good for those java toothbrush weenies. Those of us in the know use PHP platformed toothbrushes! I'm a power user with wordpress and drupal in mine.

      • That's the moment that got me! The whole thing went from preposterous to magical.

        I wonder about two meetings. The first, committing to the idea of an online toothbrush (WTF). The second, the decision to use Java to power the idea (WTF^2).

        And then the events. First, people bought the thing, millions of people (WTF). The second, someone thought to target the toothbrushes (not surprising really).

        It's a fantastic story about an idea where crazy people (everyone involved) realize their whims creating and exercising a most unlikely attack vector.

        They had a meeting regarding v2, it'll have a camera for cavity detection.

      • by sosume ( 680416 )

        "Millions in lost revenue due to a DDoS on the company website" sounds like bullshit as well

    • by drnb ( 2434720 )

      They lost me when they talked about the toothbrush running java.

      Yeah, python would have seemed much more believable.

      Seriously, python is an option on microcontrollers. MicroPython, CircuitPython.

      • Took me forever to get the GC tuning dialed on my toothbrush, it kept crashing when I'd switch bottom to top. Now the pauses are hardly noticeable.

  • Confound those rotten hackers! No one can enjoy the simple pleasures of online gadgets safely anymore. I'm going to go and do something about all of this crackery, right after I clean my teeth.

      Mmmmfmghmffff splthhhhhhh Mffggghhhhhhhhhch

  • Dumbass companies that create internet connected crap should be kicked to the curb, and if cyber-criminals do it so much the better. I'm happy they suffered monetary damages for making spyware toothbrushes. The internet connection had nothing to do with "helping" their customers, it was all about monetizing them and selling the information they gathered. Now that the proof-of-concept attack has worked I sincerely look forward to a lot of sleazy corporate scumsuckers getting the same treatment. It's all they
  • 'Heh heh heh- my secret plan to enslave the world using toothbrushes is working! Next my Internet-connected toilet plungers will infiltrate the Pentagon and bring the military to its knees! I will be flushed with happiness! Finally, my cooling fans from hell will empty server rooms of air and choke the techs and make motherboards burn up! Nyar har har!' ...

    "Mr. Gates? Mr Gates? Wake up. You were moaning in your sleep, sir. Something about "
    "...and sharks with frikking laser beams too!"

  • We need vendor liability for any and all damages in such cases. Unless they prove sound IT security practices and provide security updates for the full lifetime of the device, this should always automatically be gross negligence and they need to prove differently.

    Without that liability, nothing will get better and the situation will get worse and worse.

  • A hacked toothbrush can make your teeth fall on a hacker's whim, so all you IOT-loving guys better update your firewall and AV products immediately.

    • What? By removing the batteries your smart toothbrush simply reverts to a plain toothbrush.

      A hacked toothbrush can still take a smear of toothpaste and the bristles are still capable of brushing one's teeth with no more effort if the internal computer is on or off.

      The smart toothbrush does not rely on its 'smarts' to function as a toothbrush...

  • 30 years ago, I thought I had lost my mind the first time I asked someone to take a picture with their phone. I still remember how weird those words felt in my mouth. And then 10 years ago, I saw a new-in-the-box sewing machine with "Runs Windows!" plastered on the side. I thought then I had truly lost my mind. Were there device drivers for sewing machines baked into windows? Should I search for my windows directory for "bobbin.dll"?

    But today is a new day, when my toothbrush runs windows and my roomba

  • ...would anyone ever connect their toothbrush to the internet?...
  • If we can't secure toothbrushes, how in the world can we think we'll be able to secure/control A.I. going forward?

    Seriously, the world really needed internet-connected toothbrushes? What dental crisis justified littering the internet with several million weakly protected systems?
