Euro Security Watch with Mathew J. Schwartz

Holes Appear in Internet-Connected Toothbrush Botnet Warning

Don't Brush in Fear, as Supposed DDoS Dental Trauma Fails to Pass Muster
Holes Appear in Internet-Connected Toothbrush Botnet Warning
Your toothbrush isn't part of a botnet. (Image: Shutterstock)

Forget worrying about Bolsheviks in the bathroom. Now we have to contend with our internet-connected toothbrushes being turned against us.

See Also: How Active Directory Security Drives Operational Resilience

Breathless reports in recent days have claimed 3 million IoT toothbrushes running Java have been remotely compromised and used to compromise the cyber hygiene of unsuspecting businesses via distributed denial-of-service attacks.

Just one problem: This tale has more holes in it than the teeth of kid with a 10-pack-a-day Gummy Bear habit.

The viral story originated in Swiss German-language daily newspaper Luzerner Zeitung. On Jan. 30, the paper set this scene: A woman blissfully brushes away, oblivious to the fact that her internet-connected toothbrush has been infected with malware, making it moonlight as one of millions of other toothbrushes controlled by a botnet, which collectively harnesses them to DDoS the website of an unsuspecting Swiss firm to its digital knees.

The story - as machine-translated by Google - claims "this actually happened" and quotes Switzerland-based Stefan Züger, Fortinet's director of systems engineering, as saying: "Every device that is connected to the internet is a potential target - or can be misused for an attack."*

The report arrives on the heels of high-profile nuisance attacks against Switzerland's federal government, based in Bern. The attacks last month were apparently timed to coincide with Ukrainian President Volodymyr Zelenskyy's attendance at the annual World Economic Forum meeting in Davos.

The self-proclaimed Russian hacktivist group NoName057(16), aka NoName, claimed credit for the DDoS attacks, which the Luzerner Zeitung report referenced.

Whether or not a single smart toothbrush has ever been remotely compromised - never mind 3 million of them - remains to be seen, especially since no such devices appear to be designed to directly connect to the internet.

But NoName, which closely aligns itself with Moscow and may be run by Russia's intelligence apparatus - is not letting the dust settle on this dental drama. British cybersecurity expert Kevin Beaumont spotted the group asking its followers via Telegram: "Who infected thousands of 'smart' toothbrushes with our software?"

The smart money answer remains: No one. "It takes 2 seconds to peel back the story to see if there's anything reasonable there. There isn't," tweeted offensive security engineer Robert Graham.

"I have my doubts as well. I was not able to find any details anywhere - like brand, malware or target," said Zurich-based Candid Wüest, vice president of product management at Acronis. "They only mention that it runs Java, which seems a bit overpowered for a toothbrush."

While the botnet scenario is theoretically possible, "most smart toothbrushes I have seen are using Bluetooth Low Energy to connect to a base station or smartphone," he told me. "Yes, there are some base stations with Alexa and WLAN integrated, but I doubt that really 3 million people have these and have them activated and exposed to the internet."

Plenty of IoT devices are remotely compromised. Sometimes researchers uncover vulnerabilities in IoT and find ways to take over or filch data from gadgets ranging from internet-connected vending machines and refrigerators to child-tracking smartwatches and cloud-connected stuffed animals (see: Yes, Unicorns With Bluetooth Problems Really Do Exist).

On the less esoteric front, multiple strains of malware continue to target consumer IoT devices running default passwords. Many of these are based on wormable Mirai malware, which is designed to create botnets out of Linux-based IoT devices.

Someone leaked the Mirai source code online before its three original authors pleaded guilty in 2017 to building the original botnet and using it to launch DDoS attacks. Fresh versions of the malware continue to debut and circulate, infecting digital video recorders, cameras, routers and more. The malware has also spawned multiple variants, including Okiru, Satori, Masuta and PureMasuta.

An increasing quantity of IoT devices either weren't built to be secure or are old enough that they can no longer be secured - and they have enough computing power to be turned against us. This most recently can be seen in the FBI's recent move to remotely nuke KV Botnet malware that it said Chinese cyberespionage teams had used to infect "hundreds" of Cisco and Netgear routers found in American homes and small businesses.

Hence, the risk posed by IoT devices being used to launch remote attacks continues to be real - but hackers aren't turning our toothbrushes against us.

No one need brush in fear. Do it twice daily, and don't forget to floss.

*Update Feb. 8, 2024 9:00 UTC: A Fortinet spokesman said in a statement after this blog appeared: "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred."

Toothbrush users, don't let cyberthreats leave you feeling bristled: "FortiGuard Labs has not observed Mirai or other IoT botnets target toothbrushes or similar embedded devices," he said.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.