News & Analysis

Did the Toothbrush Steal Data?

A newspaper raised a storm in a teacup over a cyberattack by toothbrushes, which was later found to be a tooth fairytale

Imagine your smart toothbrush being an ally in a large-scale cyberattack that steals data from all the IoT devices in your home. Sounds like science fiction, right? Well, a Swiss newspaper called Aargauer Zeitung reported recently that three million innocuous toothbrushes fell prey to hackers, who then launched a distributed denial-of-service (DDoS) attack.

The report further claimed that these bathroom gadgets were transformed into a botnet army that knocked out a Swiss company for several hours, potentially resulting in damages amounting to millions of euros. Security services company Fortinet gave credence to the story but then admitted to having made mistakes. So, it appears that this was science fiction after all.

A report published by ZDNet quoted a Fortinet representative as saying that the topic of toothbrushes being used in DDoS attacks was brought up during an interview as an illustration of a type of cybercrime and was not based on research conducted by the company or its research arm FortiGuard Labs. 

“It appears … The narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred,” the official reportedly said. The story making the rounds had claimed that the compromised toothbrushes were running Java, a popular IoT language, and that, once infected, they could form a global network of malicious bathroom devices.

The report in the Swiss newspaper had claimed that the infected toothbrushes carried out the attack by flooding the company's website with bogus traffic, effectively knocking out its services and causing widespread disruption to its transactional operations. Now, it turns out that the story wasn’t a real episode but something that could occur at some point.

The paper said hackers had compromised over three million electric toothbrushes and turned them into a botnet army that was then used to launch a DDoS attack on the website. The specific brand of toothbrushes was not disclosed, although the report attributed the vulnerability to the devices’ Java-based operating system.

The report was then corroborated by Stefan Zuger, a Fortinet cybersecurity expert, who highlighted the need for caution in safeguarding connected devices at home. He warned that any IoT device could be a potential target of cybercrime and asked users to keep device firmware and software updated, monitor network activity for anomalies, install security software, and adhere to network security best practices to mitigate risks effectively.

Of course, we aren’t sure whether the media reported its later confirmation and that the softening wasn’t a planned advertisement for cybersecurity of connected devices. Readers will recall the recent instance of an Indian model’s social media account announcing her death and then claiming that it was aimed at raising awareness around cervical cancer!