A botnet of electronic toothbrushes was allegedly being used to launch a distributed denial of service (DDoS) attack against a Swiss website. Photo / 123RF
Last week there was dramatic news about a botnet of electronic toothbrushes, some three million of them, being used to launch a distributed denial of service (DDoS) attack against a Swiss website.
is a set of compromised devices that’s remotely controlled by an attacker. It can be used for all sorts of bad things, from flooding other computer systems with large amounts of traffic to overwhelm them (denial of service), to hosting illegal content, hiding attackers’ tracks and crypto currency mining.
In this case, the story broken by the German-language Aargauer Zeitung turned out to be bogus, which didn’t stop it from going absolutely wild and being repeated all over the world.
Why that happened is easy to understand: the source for the story was a reputable security vendor, Fortinet. There were somewhat vague yet plausible technical details like the attackers using a vulnerability in the very popular Java programming language, and DDoS attacks are still very commonplace.
And it’s about an everyday item, toothbrushes. These are now moving upmarket by becoming “smart”, which means yet another app on your smartphone and you probably don’t need any of that.
Security vendors have quite correctly long warned that anything you connect to the internet is liable to get hacked. Apart from anything, if IoT devices do get compromised, they’ll hardly ever get patched with security updates. That’s usually because it’s just too difficult to distribute security fixes to them.
One famous IoT hack example is the recent Mirai malware, which compromised goodness knows how many Internet of Things devices like, uh, security cameras and routers.
Mirai was very successful, and arguably a security industry failure. Controlled by Mirai, botnets around the world launched very large DDoS attacks that caused substantial monetary damage. The three men in their early twenties behind Mirai were arrested and pleaded guilty in 2017, avoiding lengthy prison terms, but the malware code is still out there.
Back to electronic toothbrushes, they tend to be indirectly connected to smartphones via the Bluetooth wireless protocol and then perhaps to some data-gathering site on the internet for fun stuff like sharing your oral hygiene habits.
Never say never, but compromising connected toothbrushes in home networks that aren’t directly accessible via the internet, and somehow planting malware on them to form a giant botnet, would probably be way more trouble than it’s worth for attackers.
Security researchers were quick to put the boot into the news story and Fortinet now insists the toothbrush example was a hypothetical scenario to illustrate the type of attack in question.
Aargauer Zeitung, meanwhile, says Fortinet posited the attack as a real example.
Having had to sift through an enormous amount of vendor scaremonger marketing over the years, I’m inclined to side with the Swiss newspaper.
For starters, there have been masses of IoT security scare stories in the past. A hack of smart toothbrushes doesn’t seem at all unlikely. It also doesn’t take too much imagination to understand why Fortinet used an everyday item with built-in tech like smart toothbrushes to provide an example journalists could relate to.
There was no reason for Aargauer Zeitung to not assume Fortinet were subject-matter experts who could be trusted.
You need experts like that as a journalist to explain hacking and digital threats. It’s not like anyone can eyeball a toothbrush and tell whether or not it’s hacked.
The ironic twist to the toothbrush tale is that it coincides most unfortunately with Fortinet and its resellers the same week having to scramble to urgently patch a very serious vulnerability in the security vendor’s operating system for its firewalls.
Firewalls are expensive devices that customers install between their networks and the internet to – among other things – sanitise data traffic so as to protect against hacking attempts, and to provide secure remote access.
Attackers can exploit the vulnerability by sending malicious HTTP (like when you enter a URL into a web browser) requests to the firewalls. Doing so lets them run “unauthorised code or commands”, Fortinet said. That’s something you absolutely do not want on a security device with a privileged position in a network.
Unlike the toothbrushes, this is a real vulnerability that’s being exploited at the moment by threat actors. If your organisation is a Fortinet customer, hurry up with the patching.