Round 3! The toothbrush DDoS attack saga continues: Newspaper counters Fortinet’s translation claim in contentious interview

Ding ding! And the newspaper lands a heavy punch against Fortinet.

Graham Cluley
Graham Cluley
@[email protected]

Round 3 in the toothbrush DDoS debacle!

The story so far.

Round 1

The newspaper Aargauer Zeitung published an article claiming that three million IoT-connected toothbrushes had launched a distributed denial-of-service attack against a Swiss company, causing its website to be knocked over for four hours.

Hundreds of other news outlets retold the story, assuming it was true. But, it wasn’t true.

Where had Aargauer Zeitung got the story from? Well, they quoted a security researcher at Fortinet.

Round 2

After members of the cybersecurity industry (including yours truly) mocked or downright debunked the story as “total bollocks”, Fortinet stirred into action and issued a statement blaming a translation issue.

Round 3

So where are we now?

Well, ding ding! It’s Round 3, and Aargauer Zeitung has come out of its corner fighting.

In a new statement on its website, the newspaper claims that Fortinet had present the toothbrush DDoS attack as real (rather than hypothetical) and what is more the firm had shared specific details of what had occurred.

German newspaper cutting

Here’s what the newspaper has said (computer-translated for us who don’t understand German):

What is now described by the Fortinet headquarters in California as a “translation problem” has listened to the research in a completely different way: Swiss Fortinet representatives have described the toothbrush case as a real DDoS attack at an appointment, which dealt with current threat situations.

Fortinet provided specific details: information on how long the attack paralysed the website of a Swiss company; a magnitude of how high the damage caused was. Out of consideration for their customer, Fortinet did not want to reveal which company it was.

The text was presented to Fortinet for verification before publication. The sentence that it was a real case that really happened was not obsessed.

The global management of Fortinet has now rowed back with its statement, which was sent to various international media. The company has failed to send it to CH Media. We have not yet received another statement from Fortinet.


Will Fortinet return for Round 4, or is that a knockout punch?

Sign up to our free newsletter.
Security news, advice, and tips.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.