The Viral Smart Toothbrush Botnet Story Is Not Real (404media.co)
On Tuesday, The Independent, Tom's Hardware, and many other tech outlets reported on a story about how three million smart toothbrushes were used in a DDoS attack. The only problem? It "didn't actually happen," writes Jason Koebler via 404 Media. "There are no additional details about this apparent attack, and most of the article cites general research by a publicly traded cybersecurity company called Fortinet which has detected malicious, hijacked internet of things devices over the years. A search on Fortinet's website shows no recent published research about hacked smart toothbrushes." From the report: The original article, called "The toothbrushes are attacking," starts with the following passage: "She's at home in the bathroom, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused. This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become." [...]
The "3 million hacked smart toothbrushes" story has now been viral for more than 24 hours and literally no new information about it has emerged despite widespread skepticism from people in the security industry and its virality. The two Fortinet executives cited in the original report did not respond to an email and LinkedIn message seeking clarification, and neither did Fortinet's PR team. The author of the Aargauer Zeitung story also did not respond to a request for more information. I called Fortinet's headquarters, asked to speak to the PR contact listed on the press release about its earnings, which was published after the toothbrush news began to go viral, and was promptly disconnected. The company has continued to tweet about other, unrelated things. They have not responded to BleepingComputer either, nor the many security researchers who are asking for further proof that this actually happened. While we don't know how this happened, Fortinet has been talking specifically about the dangers of internet-connected toothbrushes for years, and has been using it as an example in researcher talks. In a statement to 404 Media, Fortinet said "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred."
They came clean (Score:5, Funny)
Re: (Score:2)
Puns aside, there's no budget for fact checking anymore. Zuckerberg killed it.
Re: (Score:2)
Re: (Score:2)
You said a mouthful!
That story was hard to swallow.
The real question (Score:3)
Why the hell is a toothbrush connected to the net? There is no logical or justifiable reason to do so.
Re: (Score:2)
I guess they do some smart mapping of your mouth while you brush or something. Could also set up some automations to go with brushing like a reminder if you haven't done it (or a kid hasn't done it) or trigger a bedroom light or something at night when you're done brushing.
Granted, most of the things I can come up with only require a local connection to your toothbrush, but that's also how most connect. Most I've seen connect via Bluetooth (I can even see my neighbor's smart toothbrush via Bluetooth!) with
Re: (Score:2)
I guess they do some smart mapping of your mouth while you brush or something. Could also set up some automations to go with brushing like a reminder if you haven't done it (or a kid hasn't done it) or trigger a bedroom light or something at night when you're done brushing.
Granted, most of the things I can come up with only require a local connection to your toothbrush, but that's also how most connect. Most I've seen connect via Bluetooth (I can even see my neighbor's smart toothbrush via Bluetooth!) with only a couple using WiFi
Most of this shit I've seen is to prevent parents from having to get off the couch to check if the kids are actually brushing their teeth. "App says they brushed for this many minutes. Cool." I have yet to see anything on smart toothbrushes that does anything more than time usage and maybe pressure while being used. What use that is to anybody outside of the parents not wanting to stand there watching their kids brush? I have zero clue. Unless we've gamified so much of our lives that there's some forum some
Re: (Score:2)
Re: (Score:2)
I don't think they are. I've seen Bluetooth ones that come with an app to provide timing and pressure advice, but never WiFi.
Same with bathroom scales and the like.
Re: (Score:2)
Things today connect to a mobile phone and you set the settings; it's cheaper than a screen and buttons, and it is sort of expected for the high end of any electronics. Some items can be connected to a local net only; most people don't know or care and leave them on the open net to connect to them. Just speculating, they could include in the app: battery level, intensity and duration settings, usage statistics, health advice, toothpaste advertisements, advertisement about their other personal care products, re
Re: (Score:2)
Why the hell is a toothbrush connected to the net? There is no logical or justifiable reason to do so.
In theory they can remind you if you are brushing too infrequently or for too short a duration.
:-)
We won't really have significant utility until they add a camera that allows it to do an AI-based dental exam and send imagery to your dentist.
Re: (Score:3)
It is entirely logical: The vendor wants your data and wants to show you ads. Oh you mean for the user? Who cares about their users these days? People are just sheep to be exploited.
Re: (Score:2)
Logic? This is Earth. Its product-purchasing population consists mostly of humans.
Actually it was army of vibrators performing DoS.. (Score:4, Funny)
The true story was that it was an army of vibrators that performed the DoS.
After they had been upgraded with AI, they started to behave like husbands.
Re:Actually it was army of vibrators performing Do (Score:5, Funny)
The true story was that it was an army of vibrators that performed the DoS
That would be a Distributed Lubricious Denial of Service, or DiLDoS.
Bluetooth (Score:2)
Re: Bluetooth (Score:2)
Re: (Score:3)
Re: (Score:2)
That's the big problem. There are only a few models that even have direct internet connectivity and I can't imagine there are enough of them to create a meaningful botnet
Just a hunch... (Score:3)
It's just a hunch, but I'd guess that at some point during the writing of the story a generative AI was involved....
Re: (Score:2)
It's just a hunch, but I'd guess that at some point during the writing of the story a generative AI was involved....
Well Google translate did a translation of the original German. Supposedly the translation included a quote indicating the story is true.
The Story Was Too Stupid To Believe Anyway. (Score:1)
I don't think we needed another article telling us it was bullshit. It was painfully obvious.
Re:The Story Was Too Stupid To Believe Anyway. (Score:4, Informative)
Up there with the equally bogus story of the washing machine uploading (or downloading) 3 GB of data a day. Something about all the space that needs to be filled.
But like many false tech stories this will live on.
According to one uncited study, about 41% of Americans use "electric" toothbrushes, but this study (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7133541/) strongly supports the hypothesis that electric toothbrushes do a better job at reducing plaque and gingivitis than manual toothbrushing in the short and long term.
Re: (Score:1)
I file this under fear mongering. Anything that can add on to an already paranoid world has to be good.
Re: (Score:2)
Up there with the equally bogus story of the washing machine uploading (or downloading) 3 GB of data a day.
Was that story debunked? Washing machines do have connectivity and it's certainly possible for badly written software to go wrong.
Re: (Score:1)
IIRC there was a bug in the router's software that was incorrectly measuring the data usage of the device
Re: (Score:2)
Re: (Score:2)
Up there with the equally bogus story of the washing machine uploading (or downloading) 3 GB of data a day. Something about all the space that needs to be filled.
That story wasn't bogus, it just had a cause attributed incorrectly. These are two very different things. This story here is about something that never happened and never was said. That washing machine was really at someone's house and that person really did see 3GB of data a day.
Being wrong and being a fantasy are two different things. This case falls under the latter.
Re: (Score:2)
I'm waiting for the toasters to take over.
Re: (Score:1)
Not at all. There are reference cases for something like this using insecure IoT crap devices.
Re: (Score:1)
"Like This." Not this. I won't even bring up the fact that if your fucking toothbrush is launching DDoS attacks etc. you have been eating too many mushrooms. Check your sig and apply here.
Re: (Score:1)
Well, you sure are ignorant about the more recent history of IT security. That does not make that history go away, it just makes you clueless.
Re: (Score:1)
I am very aware of IoT threats. This isn't one of them. Sorry. Now run along before you want to talk about something that actually makes sense. I don't see any links you have posted invalidating my statement.
seems unlikely that smart toothbrushes have cpu / (Score:2)
Seems unlikely that smart toothbrushes have the CPU / battery power to do one.
Unless they are docked in the charger, then maybe something.
More realistic to mine crypto (Score:2)
Seems unlikely that smart toothbrushes have the CPU / battery power to do one. Unless they are docked in the charger, then maybe something.
Would have been more plausible to say they were mining crypto while docked.
Thanks for the correction (Score:2)
Thanks for the correction.
Far too much fake news gets uncorrected.
BS, but still useful (Score:1)
So what you're saying is. .. (Score:1)
Re:2025 will be yr of smart toothbrush botnet (Score:1)
Some wise-guy/gal hacker will probably do it for real now that the idea went viral.
IOT-brushes do exist. [blutoothbrush.com] Quote: "Brushing and flossing results shared with your dentist and dental hygienist"
Make It Real (Score:2)
Someone will make it true very very soon. I can't wait!
Re: (Score:2)
This story is too good for it to be bogus.
Someone will make it true very very soon. I can't wait!
Yes and no. The coming hack will probably mine crypto while docked in the charger.
Well, it was credible (Score:2)
We have seen attacks that are close enough, among them DDoS from small and very small IoT devices. I distinctly remember one "record" DDoS that was small IoT devices that did not even really have storage and only got infected non-persistently in RAM.
The issue is that there is no profit in doing things competently in the IoT space. Even only getting a competent security evaluation (not fixes) runs you something like $20'000. Getting a security aware dev (like I educate on Bachelor's level) is difficult, b
GO Journalism! (Score:3)
This is why you don't report social media as 'news'. It is also why an AI should not be allowed to report 'news' either.
Do not Read sites (Score:2)
Went from "could happen" to "happened"... (Score:2)