Tuesday, a Tom’s Hardware article noted that three million smart toothbrushes were used in a DDoS attack that caused “millions of euros in damages in Switzerland.” The story quickly went viral, because things like this have happened before, because it feels absurd, and because we as a society deserve it for putting internet connectivity in everything and for not securing those devices.
But this attack didn’t actually happen. Tom’s Hardware relied on an article that is about the general problem of insecure internet of things devices, originally written in German by the Swiss outlet Aargauer Zeitung. It has since been picked up all over the English speaking and German speaking press, gone viral on Reddit, Hacker News, Twitter, etc.
The original article, called “The toothbrushes are attacking,” starts with the following passage: “She's at home in the bathroom, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused. This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become.”
There are no additional details about this apparent attack, and most of the article cites general research by a publicly traded cybersecurity company called Fortinet which has detected malicious, hijacked internet of things devices over the years. A search on Fortinet’s website shows no recent published research about hacked smart toothbrushes.
In a statement to 404 Media, Fortinet said "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”