The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world

Tooth factor authentication couldn’t stop journalists from reporting this nonsense.

Graham Cluley


Here are a few headlines from the last 24 hours or so, about a supposed smart toothbrush botnet launching a distributed denial-of-service (DDoS) attack:

And there were many more…

The reports were inspired by a report last week in the Swiss newspaper Aargauer Zeitung.

The German-language article certainly starts dramatically. Here’s a computer-generated translation of its opening paragraphs:

She’s at home in the bathroom, but she’s part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it – like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.

This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become. “Each device connected to the Internet is a potential goal – or can be misused for an attack,” says Stefan Züger. He is responsible for the Switzerland offshoot of the cybersecurity specialist Fortinet, based in Dietlikon in Zurich, the system technology division. Whether baby monitor, web camera or the electric toothbrush, do not care.

There’s an issue with Aargauer Zeitung’s report. It didn’t actually happen.

The story is fiction. Three million smart toothbrushes didn’t launch a DDoS attack against a Swiss company.

If they really had launched the attack, Fortinet’s PR team would surely have been pushing out the news left, right, and centre. But Fortinet’s social media accounts and press release archives are silent.

Fortinet declined to comment to those cybersecurity news outlets or the security researchers that bothered to ask for some details.

None of this has stopped numerous newspapers and websites around the world from repeating the “Beware, your electric toothbrush may have been hacked” headlines, because…

…well, because it makes such a good story.

An untrue story, of course. But a great story nonetheless.

And yes, the general public should know about the risks of unsecured IoT devices. But journalists and cybersecurity vendors must avoid presenting made-up stories as fact. Otherwise, no one will believe genuine news.


Fortinet could have corrected the story, making it clear that it wasn’t true, but just an example of something that could potentially happen. Instead, it chose to keep its, err… mouth shut.

Maybe it enjoyed the attention and media exposure.

It certainly doesn’t seem to harm their share price.

Fortinet share price rises


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

9 comments on “The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world”

  1. Subela Bhatia

    Many large corporations orchestrate the self attack for publicity. Is that really true and viable? Cybersecurity is a blessing and a demon looming large. DDoS attacks are increasing each day and all verticals. Please feel free to give me your feedback and thoughts on this.

  2. Helmut Foama-Kriege

    First I had a very good laugh! But then, so many witless professional "experts" citing each other make a fantasy tale become fake facts. The result makes us ashamed of the human race, just like that blonde American notorious liar wanting to overthrow democracy. Shame…

  3. FRopen

    Didn't happen, confirmed by Fortinet.

    1. Graham Cluley · in reply to FRopen

      Yeah, I think my article also makes pretty clear it didn't happen too!

      Fortinet sent me the same statement since publishing this article. You can see my response here

  4. Vitus

    In your citation for the Aargauer Zeitung you listed the sentence "It shows how versatile digital attacks have become." twice.

    1. Graham Cluley · in reply to Vitus

      Well spotted. Fixed!

  5. reader

    Have a look at the statement of the newspaper; they claim that the company gave numbers regarding the attack and even had the preprint to check and did not correct them.

    1. Graham Cluley · in reply to reader

      Yes, I wrote about that here…

  6. ZR

    Particularly disappointing are ZDnet and Tom's hardware for their questionable journalism. Do I need another channel that keeps forwarding sensational "lies?" Probably not.
