
The three million toothbrush botnet story isn’t true.

Here’s the original source of the story: https://archive.is/2024.01.30-203406/https://www.luzernerzeitung.ch/wirtschaft/kriminalitaet-die-zahnbuersten-greifen-an-das-sind-die-aktuellen-cybergefahren-und-so-koennen-sie-sich-schuetzen-ld.2569480

It’s simply a made-up example. It doesn’t exist. It starts talking about NoName DDoSia, too, which also isn’t toothbrushes.


@GossiTheDog I don't even know if you're just shitposting or if that is a real fake thing but I'm now in love with the idea of a toothbrush botnet

@GossiTheDog I mean, it does sound a bit unlikely because I've seen bluetooth brushes, but certainly not ones with builtin wifi.

@monsieuricon @GossiTheDog And even if some toothbrushes had wifi, I guess very few would have them directly exposed to the internet so they could be hacked.


@GossiTheDog

Here is a Fortinet PDF for the Is my toothbrush really smart? presentation by Axelle Apvrille at Troopers in 2018. I suspect this information is what they are referencing in the article.

https://filestore.fortinet.com/fortiguard/research/toothbrush.pdf


The toothbrush thing has gone viral despite it being total bollocks.


@GossiTheDog Aw dang, thanks for sharing this. But the archive.is link doesn’t actually let you read the story. It’s obscured even in that form by other text.


@GossiTheDog Taking note of which outlets are breathlessly repeating the story.


@GossiTheDog @mttaggart That says the toothbrush incident actually happened, despite sounding like a Hollywood scenario.


@barubary the phrasing is ambiguous about whether that exact scenario happened or not. Bad writing, IMO.


@barubary @GossiTheDog See that fade right there? The meat of the story is obscured.


@barubary This is why it's important to find the original report, not the breathless hot take on the breathless hot take on the [....] original report. @GossiTheDog @mttaggart


@barubary @GossiTheDog I think this is a translation issue, as the article was written in German. I believe Kevin is correct that this is hypothetical.


@monsieuricon @GossiTheDog ah, rats, I already pleaded allegiance to the SkyNet... somebody please make it so!


@GossiTheDog The article says it’s true, I’m not sure what translating tools are outputting but I am german so I will translate a section:

(Rough translation from me:)

The electric toothbrush runs on Java, and without any warning or notice criminals were able to install malware on it - just like 3 million other toothbrushes. One command is enough and at the exact same time the remote-controlled toothbrushes request the website from a Swiss company. The site collapses and is unresponsive for 4 hours, causing damages in the millions.

An example that sounds like a Hollywood scene, but which really happened.

(German OG below)

Die elektrische Zahnbürste ist mit Java programmiert, und unbemerkt haben Kriminelle darauf eine Schadsoftware installiert - wie auf 3 Millionen anderen Zahnbürsten auch. Ein Befehl genügt, und die ferngesteuerten Zahnbürsten rufen gleichzeitig die Website einer Schweizer Firma auf. Die Seite bricht zusammen und ist für vier Stunden lahm gelegt. Es entsteht ein Schaden in Millionenhöhe.
Das Beispiel, das wie ein Hollywood-Szenario daherkommt, hat sich wirklich so zugetragen.


@GossiTheDog It's also 6 years old. Seems I skimmed a bit too fast.


@TomSellers @GossiTheDog "Damage teeth and gums with high speed motor"


@GossiTheDog @Euph0r14 @mttaggart @barubary @serghei I tried doing some rudimentary german language searches for big DDoS attacks against Swiss companies and didn’t find something which would fit (would have certainly been in the news?)

Nothing mentioning 3 million devices.

I did find ddos attacks from ~2016 against Major Swiss online shopping sites, so maybe this could be meant? They went down for a few hours and could have done millions in damages.


@GossiTheDog oh man I fell for it. Thanks for the fact check.

Interesting though how easily lots of people got fooled on this one. One part of this is how gullible we all are (well, not you I guess), but the other part I think is that we came to *expect* this kind of stuff to happen in a world saturated with IoT devices.


@rogers @monsieuricon @GossiTheDog the toothbrushes wouldn't need to be hackable from the internet. They need only be on the same LAN as a previously infected Windows PC, for example.


@hyc @rogers @monsieuricon @GossiTheDog i could absolutely believe the company itself having them load configuration from an insecure head-end service.


@hyc @monsieuricon @GossiTheDog Yes. But then it would take some time to get the number up to three million hacked devices without anyone noticing.


Now NoName have picked up the fake toothbrush story as propaganda for their members.

Good job, Fortigate.


@GossiTheDog The weird thing is that in this linked interview, the Fortinet exec claims this really happened to some Swiss firm and caused millions in damage during its 4h outage (which also just doesn't pass the smell test)


@rysiek @GossiTheDog While we're at it... can we start curbing the toothbrush-shaped routers that are Mikrotik and their UDP based speedtests, please... :-| Those are like... 10g "unsolicited inbound UDP"-as-a-Service. -.-'


Michał "rysiek" Woźniak · 🇺🇦

@jesterchen seems at least sus. One source, not other confirmation.


@hyc @rogers @monsieuricon @GossiTheDog That would suggest a) a related botnet of, let's say, one million PCs (spitballing average household size at ~3 people with a smart toothbrush per person), b) really, a much, much larger PC botnet because it's unlikely that even 1% of homes have this hypothetical brand of smart toothbrush, and c) that the additional volume of traffic from 3 million low-power devices is meaningful when you have a botnet with 100,000,000 PCs in it.


Fortigate haven’t replied to my PR question about it. Given this is several times the size of the world’s biggest botnet, you’d think they’d have any evidence.. at all.


@GossiTheDog it is amazing how quickly it spread without any fact checking.


@neilcar @rogers @monsieuricon @GossiTheDog good points. A bit moot now since the whole story never actually happened.

They'd make a good persistence vector tho; no one's going to suspect them and you'd never run an antivirus on them. Reminds me of back in my Atari ST days, I w̶r̶o̶saw a virus that resided in the keyboard microcontroller. It would survive a reset and reinstall itself on the first keypress / kbd interrupt.


@hyc @rogers @monsieuricon @GossiTheDog In the hypothetical toothbrush case, I think it's much more likely that the well was poisoned -- I would posit an attack against the manufacturer's poorly-secured CI/CD pipeline, perhaps via an unpatched Jenkins vulnerability, enabling an attacker to ship a firmware update with an embedded backdoor.

This should give us pause when we consider enabling autoupdate for our smart hygiene appliances.


@heretical_i the ZDNet article was written by @sjvn. Do you have any sources that contradict @GossiTheDog's assessment?


@weddige @heretical_i@kafeneio.social @GossiTheDog I cited the original story as my source. I read it in the original German and it read to me as citing a real example, not a theoretical one.


Kudos to @BleepingComputer for doing actual journalism.

Fortinet also declined to comment to me.

It's a completely made up story, which is now being circulated as Russian propaganda.
https://www.bleepingcomputer.com/news/security/the-unlikely-3-million-electric-toothbrush-ddos-attack/


Fortigate have issued me a statement. The toothbrush DDoS story is completely made up.


I’d like to thank all the Mastodon reply guys in the thread who decided the story was real, btw, based on vibes.


@GossiTheDog what makes you think it's fake? Do you have any proof? Also, why did you post a link to a newspaper article which states the exact opposite of what you're saying?


@GossiTheDog The source said it actually happened, though, right?
Are they lying?


@GossiTheDog the german in the archive link seems to indicate the example actually happened though.


@GossiTheDog “due to translations”? The original reporting in German makes that claim already. ¯\_(ツ)_/¯ https://mastodon.social/@Kensan/111888828676462440


@GossiTheDog The article(s) have been making the rounds through Swiss media the past week where everyone copied everybody else. It looked like it was good engagement until its reach got too wide. ¯\_(ツ)_/¯


Probably the best reply on one of the stories so far.


It’s now made it to YouTubers 🤣 who are doing better journalism and threat intel than.. journalists and threat intel. https://youtu.be/sVpe0ZEZ1Ho


@GossiTheDog To be fair, the second paragraph states: “This example, which looks like a Hollywood scenario, really happened.”, so the original journalist already got it wrong… But funny, how a very small, local Swiss newspaper caused this.


@GossiTheDog can you comment on the “$25M transferred because of deepfake” story from earlier this week? Because that just screams out as being bullshit.


@GossiTheDog As a Swiss I saw it as my duty to send the editors and author an email requesting a correction of the original article...


The newspaper that had the first article about the Fortigate toothbrush botnet have updated the story and doubled down:

“The article originally said that the case "really happened like that."
This information came from the company Fortinet, which had described the case as real in the interview and proofread the article before publication. Fortinet is now correcting this statement and calling it a "hypothetical scenario".” https://www.luzernerzeitung.ch/wirtschaft/kriminalitaet-die-zahnbuersten-greifen-an-das-sind-die-aktuellen-cybergefahren-und-so-koennen-sie-sich-schuetzen-ld.2569480


During the whole toothbrush botnet thing, people said ‘yes, the story is fake but it COULD happen’.

Almost every smart toothbrush uses Bluetooth so no, it could not.

Somebody pointed me towards one on Amazon which says it uses wi-fi, so I ordered it and investigated.

The toothbrush only has Bluetooth. The charger uses wi-fi - but has no open TCP or UDP ports. Traffic is outbound only, TLS 1.3.

So no, it was just total nonsense.

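The check described in the post above (does the device accept anything inbound, and is its outbound traffic TLS?), as an added example that is not part of the thread and not the poster's own tooling. It works over Zeek-style conn.log and ssl.log rows, so it assumes you captured the device's traffic on the LAN and ran Zeek over the pcap; the rows, the peer addresses and the device IP 192.168.1.50 are constructed for the example, not real captured data.

```python
"""Classify a smart device's network exposure from Zeek-style conn.log / ssl.log rows.

Added example for this thread, not code from the post or from any vendor. The rows
below are constructed to resemble the finding in the post (the charger only makes
outbound TLS 1.3 connections and accepts nothing inbound); the addresses and the
device IP 192.168.1.50 are assumptions, not captured data.
"""

# Column subsets of Zeek's conn.log and ssl.log that this example uses.
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "conn_state"]
SSL_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
              "version"]

# Zeek conn_state values in which the responder answered (SYN-ACK seen, or a UDP
# reply). S0 (no reply) and REJ (rejected) mean the port was probed but not open.
RESPONDER_ANSWERED = {"S1", "SF", "S2", "S3", "RSTO", "RSTR"}

DEVICE_IP = "192.168.1.50"  # assumed LAN address of the charger

# Constructed conn.log rows: two outbound HTTPS sessions from the device, two inbound
# probes from a LAN host that get no service, and one outbound mDNS datagram.
CONN_LOG = (
    "1.0\tC1\t192.168.1.50\t49152\t203.0.113.10\t443\ttcp\tSF\n"
    "2.0\tC2\t192.168.1.50\t49153\t203.0.113.10\t443\ttcp\tSF\n"
    "3.0\tC3\t192.168.1.20\t40000\t192.168.1.50\t80\ttcp\tREJ\n"
    "4.0\tC4\t192.168.1.20\t40001\t192.168.1.50\t22\ttcp\tS0\n"
    "5.0\tC5\t192.168.1.50\t5353\t224.0.0.251\t5353\tudp\tS0\n"
)

# Constructed ssl.log rows keyed to the same uids; Zeek writes TLS 1.3 as "TLSv13".
SSL_LOG = (
    "1.0\tC1\t192.168.1.50\t49152\t203.0.113.10\t443\tTLSv13\n"
    "2.0\tC2\t192.168.1.50\t49153\t203.0.113.10\t443\tTLSv13\n"
)


def parse_tsv(text, fields):
    """Turn tab-separated rows into dicts, skipping Zeek '#' header lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def exposure_report(conn_log, ssl_log, device_ip):
    """Summarise what the device listens on and where it talks to.

    Returns a dict with:
      open_ports       - proto/port on the device that actually answered a peer
      probed_ports     - proto/port on the device that was tried but did not answer
      outbound         - host:port/proto the device initiated connections to
      tls_versions     - TLS versions Zeek saw on the device's outbound sessions
      outbound_no_tls  - outbound TCP sessions with no ssl.log entry (not
                         necessarily plaintext, but worth a closer look)
      verdict          - "outbound-only" or "accepts inbound"
    """
    tls_by_uid = {r["uid"]: r["version"] for r in parse_tsv(ssl_log, SSL_FIELDS)}
    report = {"open_ports": set(), "probed_ports": set(), "outbound": set(),
              "tls_versions": set(), "outbound_no_tls": set()}
    for c in parse_tsv(conn_log, CONN_FIELDS):
        if c["id.resp_h"] == device_ip:
            port = f'{c["proto"]}/{c["id.resp_p"]}'
            if c["conn_state"] in RESPONDER_ANSWERED:
                report["open_ports"].add(port)
            else:
                report["probed_ports"].add(port)
        elif c["id.orig_h"] == device_ip:
            dest = f'{c["id.resp_h"]}:{c["id.resp_p"]}/{c["proto"]}'
            report["outbound"].add(dest)
            version = tls_by_uid.get(c["uid"])
            if version:
                report["tls_versions"].add(version)
            elif c["proto"] == "tcp":
                report["outbound_no_tls"].add(dest)
    report["verdict"] = "accepts inbound" if report["open_ports"] else "outbound-only"
    return report


if __name__ == "__main__":
    for key, value in exposure_report(CONN_LOG, SSL_LOG, DEVICE_IP).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

A passive capture only tells you about ports that something actually tried, so pair it with an active scan from the same LAN (for example `nmap -sS -sU -p- <device>`, remembering that a full UDP sweep is slow) and capture long enough to cover setup, pairing and a firmware update, since a device may only listen during those phases. The "outbound_no_tls" bucket is the one to inspect by hand: a session with no ssl.log entry may be plaintext HTTP, or simply a protocol Zeek did not recognise.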

@GossiTheDog Wait a minute…
The charger uses Wi-Fi?
Why? Do you need a subscription to be able to charge the damn thing?


@GossiTheDog this whole thing started with a reporter misunderstanding that toothbrushes was an ad absurdum example of anything internet connected. It’s sort of like being forced to test if, by giving Grandma wheels, she would become a cart.

Even if there were WiFi toothbrushes, would there be so many of them using connectivity to create a massive botnet? Probably not.
