That Electric Toothbrush Botnet Story Is Fake

The answer is: no, but you'd be forgiven for thinking that was the case since a viral report made the rounds earlier this week claiming that to be so.

The story in question was published by a Swiss newspaper, Aargau newspaper, and claimed that three million electric toothbrushes had been linked to a botnet, which was then used by cybercriminals to carry out a financially damaging DDoS attack on the website of a Swiss company. The source of the story was researchers from Fortineta well-known security company based in California.

This story, which seemed just crazy enough to be true, was later recycled by many English-speaking points of sale, including Tom's Hardware, ZDNet and others. There was some logic there. Cybercriminals can be very creative when it comes to using smart hardware to create malicious networks; Mirai cybercriminals in particular used over 100,000 smart devices to create one of the most notorious botnets of all time. Why not use a smart toothbrush or two?

The problem, however, is that not all smart devices are built the same. Toothbrush story comes to light after X security experts start weighing in on the ridiculousness of this scenario. Some have said it's virtually impossible, given that smart toothbrushes connect to Bluetooth, not the Internet. A history 404 Media cited skeptical security experts, who questioned the validity of the narrative.

Today the story was officially declared false. According to Fortinet, the Swiss journalists who initially broke the story misinterpreted their researchers during an interview, which then led U.S. media outlets to wholeheartedly pick up the false narrative and spread it further. In a report shared with ZDNetFortinet clarified that the toothbrush incident didn't actually happen and was more of a thought experiment than anything else:

“To clarify, the topic of toothbrushes used in DDoS attacks was presented in an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It seems that due to translations, the narrative on this topic has been stretched to the point that the hypothetical and real scenarios are blurred.

Covering cybersecurity as a journalist can be tricky. Many stories are presented as research conducted by security companies, and these companies are incentivized to expand on their research results a bit in order to draw more attention to their business. Indeed, the Swiss newspaper at the center of the toothbrush drama has now criticized Fortinet for falsely claiming the story was real. The newspaper states, in A declaration published on its website, that the excuse of a “translation error” is itself invented:

[Translated from German by Google Translate] What Fortinet headquarters in California now calls a “translation problem” looked completely different during the investigation: Swiss Fortinet representatives described the toothbrush affair as a real DDoS during a meeting dedicated to current threats…

Fortinet provided specific details: information on how long the attack took down a Swiss company's website; an order of magnitude of the extent of the damage. Fortinet did not want to reveal which company it was, out of consideration for its customers.

The text has been submitted to Fortinet for verification before publication. There was no objection to the claim that this was a real case that actually happened.

Gizmodo has reached out to Fortinet for more information on how this story got so much circulation and will update our story if they respond.

Source link

Scroll to Top