The Attack of the Electric Toothbrushes!

Last week, a widely reported story that 3 million smart, electric toothbrushes were hacked with malware to conduct distributed denial of service (DDoS) attacks.

A Swiss news site published a story stating that an employee of cybersecurity firm Fortinet said 3 million electric toothbrushes had been infected with Java malware to conduct DDoS attacks against a Swiss company.

The story reads: “The electric toothbrush is programmed with Java, and criminals have secretly installed malware on it – like on 3 million other toothbrushes,”.

“One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.”

The story is dramatic and began sweeping through other technology news sites last week, with numerous publications covering the alleged attack without verifying the story.

However, there is one problem with the story—there is no record that this attack ever happened.
Fortinet, who was attributed as the source of the article, has not published any information about this attack and has not responded to repeated requests for comment from BleepingComputer since the “toothbrush botnet” story went viral.

A DDoS attack is when an attacker sends enough requests or data at a website to overwhelm its resources or bandwidth so that it can no longer accept requests from legitimate visitors, effectively making the site unusable.

This type of attack has been increasingly used by hacktivists to protest a country’s or business’s activities or by threat actors who use them to extort businesses.

To conduct these attacks, routers, servers, and IoT devices are hacked by brute forcing or using default passwords or exploiting vulnerabilities.

Once a device is compromised, malware is installed to enlist it as part of their DDoS botnet and use it on attacks. These devices are then collectively used to launch powerful attacks against a specified target.

According to Statista, approximately 17 billion IoT devices are expected to be connected to the internet by the end of 2024, offering a massive footprint of devices that could potentially be recruited into DDoS botnets.

However, it is doubtful that 3 million electric toothbrushes would be exposed to the internet so that they could be infected with malware.

Instead, this was likely a hypothetical scenario shared by Fortinet with the newspaper that was misunderstood or taken out of context to create a story that is widely disputed by security experts. Furthermore, electric toothbrushes do not connect directly to the internet but instead use Bluetooth to connect to mobile apps that can then upload your data to web-based platforms.

This means that a massive hack like this could only have been achieved through a supply chain attack that pushed down malicious firmware directly to the devices.

There is no record of this happening.
While a story of a toothbrush botnet taking down a website is amusing, it’s still a good reminder that threat actors could target any Internet-exposed device. This includes routers, servers, programmable logic controllers (PLCs), printers, and web cameras.

Therefore, it is essential for any device exposed to the internet to have the latest security updates and strong passwords to prevent them from being recruited into DDoS botnets.

The good news is that it likely won’t be your toothbrush, so keep brushing.

Thanks to Bleeping Computer for this information.
https://www.bleepingcomputer.com/news/security/no-3-million-electric-toothbrushes-were-not-used-in-a-ddos-attack/