3 million smart toothbrushes were not used in a DDoS attack after all, but it could happen
It sounds more like science fiction than reality, but Swiss newspaper Aargauer Zeitung reported that approximately three million smart toothbrushes were hijacked by hackers to launch a Distributed Denial of Service (DDoS) attack. These innocuous bathroom gadgets -- transformed into soldiers in a botnet army -- allegedly knocked out a Swiss company for several hours, costing millions of euros in damages.
Or, did they? Sources, such as Bleeping Computer and Bleeping Media, found it hard to credit this toothsome tale. And now the security company Fortinet, which helped give the original story credence, is admitting that mistakes were made.
In a note to ZDNET, a Fortinet representative said, "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears ... the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred."
Also: Do you love or fear your smart home devices? For most Americans, it's both
The story had claimed that the compromised toothbrushes were running Java, a popular language for Internet of Things (IoT) devices. Once infected, a global network of malicious toothbrushes supposedly launched their successful attack.
The repurposed toothbrushes supposedly accomplished this by flooding the Swiss website with bogus traffic, effectively knocking services offline and causing widespread disruption.
Although this story wasn't real, the episode underlines the ever-expanding threat landscape as the IoT becomes increasingly embedded in our daily lives. "Smart" toothbrushes are now 10 years old. Devices that once seemed harmless and disconnected from the digital ecosystem are now potential entry points for cybercriminals. The implications are vast, not only for individual privacy and security but also for national infrastructure and economic stability.
As Stefan Zuger, director of system engineering in Fortinet's Swiss office, said, "Every device that is connected to the Internet is a potential target – or can be misused for an attack."
Anyone paying close attention to cybersecurity has known about this threat for years. As James Clapper, former US Director of National Intelligence, told us in 2016: "Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US government systems."
It's no longer "could." We're now living in homes filled with insecure IoT devices.
Also: This company says AI can help design sustainable smart home appliances
Why? As Mark Houpt, data center operator DataBank chief information security officer, explained, it's because many IoT devices are inherently insecure for two key reasons: Neglect and the lack of an interface upon which to add security and hardening measures. I mean, exactly how do you control your toothbrush's security setting? How do you add an antivirus program to your refrigerator?
You can't.
So, what can you do?
Well, for starters, as Zuger said, you can automatically update all your devices whenever an update is available "You can't update enough."
Also: The best smart home devices, tested and reviewed
You should also never charge your device at a public USB port. That same port that charges your gadget can also infect it.
I also suggest paying attention if your device suddenly starts losing power faster than normal. Sure, it may just be an aging battery, but it also could be malware running in the background.
You should also be wary of public Wi-Fi connections. The same connection that lets you watch a TikTok may also be loading malware on your smartphone.
While at your home, I urge you to set up a firewall on your Internet connection. If an attacker can't get to your smart toilet, it can't infect it. And, boy, isn't a malware-infected toilet an ugly thought?
Also: The best smart TVs you can buy
Finally -- and I'm quite serious about this -- don't buy an IoT-enabled device unless you have a real need for it. A smart TV? Sure, how else are you going to stream the Super Bowl? But a washing machine, an iron, a toothbrush? No. Just say no.
As we forge ahead into an increasingly connected future, let's ensure that our digital hygiene is as robust as our dental hygiene.