The Story About Three Million Toothbrushes Used in a DDoS Attack Is Not True

February 7th, 2024, was the day when many news portals ran a story about 3 million smart toothbrushes participating in a distributed denial of service attack (DDoS) that supposedly targeted a Swiss company’s network. If this story excites you, and you want to learn how it came to pass, I have some bad news: the story was a made up and never happened.

The Attack Happened, but the Reporting Was Bad

So what did happen? There was a DDoS attack against a company. Some experts estimated that 3 million infected devices were involved in the attack. Some expert mentioned the possibility that even smart toothbrushes could participate in an attack like this, and a journalist either misunderstood what was happening or purposefully embellished the story. Actually, there is no evidence that a single smart toothbrush participated in this DDoS attack. You can read more about this angle on the story on 404media.

Some expert mentioned the possibility that even smart toothbrushes could participate in an attack like this, and a journalist either misunderstood what was happening or purposefully embellished the story.

For most people in cybersecurity, it was clear from the start that the IoT botnet was not made up of smart toothbrushes. As the backlash grew, even Fortinet, the cybersecurity company cited in the original report, said that the scenario was hypothetical. The author of the initial report also issued a statement saying that they were citing claims from Fortinet, and that Fortinet approved the text before publishing. You can read their statements on Bleeping Computer.

All the drama aside, I want to focus on why this type of misinformation is an issue and what all of us can do to prevent it in the future.

How to Improve Cybersecurity Reporting on DDoS Attacks and Botnets

Cybersecurity reporting should always start from basic principles and have a clear view from the technical standpoint. In this case, reporters and news outlets should have had these basic facts in mind:

• DDoS attacks are operated by online criminals. They are run like businesses.
• These criminals either infect massive numbers of IoT devices, powerful servers in data centers, or just buy access to these devices.
• Once they have access, criminals can start selling their services online. Their prices vary from 30 USD to “the sky is the limit”.
• When it comes to smart toothbrushes, there are two main types of toothbrushes (at least from the connectivity point of view): Bluetooth and Wi-Fi-based smart toothbrushes.

Why these smart devices exist at all is a good question for another article, if we’re being honest. But, for now, let’s take a look at those two types of smart toothbrushes.

Bluetooth Low-energy Smart Toothbrushes

Most smart toothbrushes use Bluetooth Low-energy (BLE). BLE devices are not practical for any type of DDoS attacks. Why? A BLE device does not have IP addresses, so it cannot send IP packets to the Internet. What these devices can do is communicate to other BLE devices, such as mobile phones.

Theoretically, it might be possible for a vulnerable toothbrush, in combination with a vulnerable mobile app, to send malicious packets to a target. But, in practice, this is useless for a real DDoS attack due to the rate it would be sending the packets.

WiFi-based Smart Toothbrushes

Some smart toothbrushes have a Wi-Fi component. From an engineering point of view, I don’t really see why any vendor would want to implement this functionality, as it significantly increases the price of the device, but who am I to judge? Our device intelligence data from over 2 billion devices shows that these types of toothbrushes do exist but are some of the rarest connected devices in use today.

I haven’t tested a Wi-Fi capable toothbrush, but I’m going to assume that their Wi-Fi antennas are in the dock of the toothbrush for it to have enough energy to communicate with the Wi-Fi network. Since it has an IP address, it can communicate with the outside world directly. Theoretically, such a device could send DoS traffic to a target.

A Wi-Fi Toothbrush Botnet Is a Highly Unlikely Theoretical Concept

Now, the question is how can someone infect a WiFi-based smart toothbrush?

Our latest cybersecurity report from 2023 shows that most IoT devices are probed and attacked through open ports. Nowadays, more and more IoT devices have cloud-only communication, and such devices do not have any open ports, there are no services to exploit on the devices. This means the only way to install malware on these devices is to either plant malicious code in the factory or deliver a malicious update.

And, as if that weren’t hard enough, I can tell you that it is not an easy task to develop code for these embedded devices.

The hardware specifications for embedded devices are so strict that they are barely enough to run the device’s main functions, and there are rarely enough resources to add new complex functionalities to a device like that.

So, is it theoretically possible to infect these Wi-Fi devices? Yes. Is it theoretically possible that these toothbrushes could participate in a DDoS attack? Yes. But we need to remember that criminals are running a business, which is why we actually need to ask:

Is it an economically sane thing to do from the attacker’s point of view? And the answer to that question is: Absolutely not.

If you are interested in the theoretical side of things, you can look up “Java based” toothbrushes and read this old Fortinet research about hacking smart toothbrushes.

Making Better Recommendations

Another issue with these sensational articles, like the one from ZDnet, is that their recommendations are even worse than the misinformation. If we consider the theoretical example, Here are the issues with their recommendations:

• “Update frequently.” Even though solid advice in general, it would not protect a device from malicious software updates – exactly like the ones that would enable this theoretical attack. Also, these devices should not have to be updated manually. Smart devices should self-update automatically and seamlessly by default.
• “Never charge your device at a public USB port.” There is not a single documented case where someone got infected from charging at a public USB port. Also, how would a public USB port know that I am going to connect a specific toothbrush model to it? Yes, you can buy Rubber Ducky, or O.MG cables for fun, but attackers do not use these devices at public charging points.
• “Be wary of public Wi-Fi connections.” This was solid advice 15 years ago. Nowadays, the risks of using public Wi-Fi connections are marginal, since all important traffic goes through encrypted channels. Mobile app communications are a lot harder to hijack than browser-based ones. This could be a topic for a separate article, but trust me on this. I use mobile banking on the airport Wi-Fi and check my emails using the local coffee shop Wi-Fi.
• “Set up a firewall for your Internet connection.” Good advice, but most people don’t have the time and knowledge to do this. I personally believe this should be a service provided by your Internet Service Provider (ISP). CUJO AI Sentry is a multi-layered cybersecurity solution that ISPs use to protect tens of millions of home networks. Among its security features is a firewall and a device behavior modelling algorithm that detects and stops IoT devices from participating in DoS attacks.

So What Should You Do?

• Always apply critical thinking when something sounds odd.
• If you are unsure of the facts, don’t spread the news and wait to see how it pans out.
• Always look for data and details. For example, there was not a single product, vendor, or vulnerability mentioned in the articles about smart toothbrushes.
• Whenever possible, check the original source of information. In this case, the original reporting was already bad, but, in general, checking the first source helps.
• Buy IoT devices only from trusted vendors that care about security. Preferably, ones that implement seamless auto-updates. It is always a good idea to enter the model of the device and the abbreviation “CVE” (as in Critical Vulnerability and Exposures) into a search engine to see whether a device you are about to buy has (m)any known security vulnerabilities.
• If you are a journalist reporting on IoT and botnets, contact CUJO AI to get some real world data about how many devices of a certain model are actually out there. This is how you can avoid publishing glaring mistakes about there being 3 million Wi-Fi capable toothbrushes in use today.

Spreading Fear, Uncertainty, and Doubt is a common tool to manipulate people, and the people spreading these news always have an agenda that is not focused on actually informing the public. Whether it is an increased click rate or selling something, the other problem with these articles is that they desensitize people, and, when a real problem arises, people do not care anymore. Stories like these also weaken the public’s trust in IT security experts. We can and should do better.