Here are a few headlines from the last 24 hours or so, about a supposed smart toothbrush botnet launching a distributed denial-of-service (DDoS) attack:
- “Millions of hacked toothbrushes used in Swiss cyber attack, report says” – The Independent.
- “Hackers turn toothbrushes into cyber weapons” – Fudzilla.
- “Millions of smart toothbrushes used in botnet attack on company” – Boing Boing.
- “3 million smart toothbrushes were just used in a DDoS attack. Really” – ZDNet.
- “Three million malware-infected smart toothbrushes used in Swiss DDoS attacks — botnet causes millions of euros in damages” – Tom’s Hardware.
- “Over 3 million toothbrushes ‘hacked’ and ‘turned into secret army for criminals,’ experts claim” – The Sun.
And there were many more…
The reports were inspired by a report last week in the Swiss newspaper Aargauer Zeitung.
The German-language article certainly starts dramatically. Here’s a computer-generated translation of its opening paragraphs:
She’s at home in the bathroom, but she’s part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it – like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.
This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become. “Each device connected to the Internet is a potential goal – or can be misused for an attack,” says Stefan Züger. He is responsible for the Switzerland offshoot of the cybersecurity specialist Fortinet, based in Dietlikon in Zurich, the system technology division. Whether baby monitor, web camera or the electric toothbrush, do not care.
There’s an issue with Aargauer Zeitung’s report. It didn’t actually happen.
The story is fiction. Three million smart toothbrushes didn’t launch a DDoS attack against a Swiss company.
If they really had launched the attack, Fortinet’s PR team would surely have been pushing out the news left, right, and centre. But Fortinet’s social media accounts and press release archives are silent.
None of this has stopped numerous newspapers and websites around the world from repeating the “Beware, your electric toothbrush may have been hacked” headlines, because…
…well, because it makes such a good story.
An untrue story, of course. But a great story nonetheless.
And yes, the general public should know about the risks of unsecured IoT devices. But journalists and cybersecurity vendors must avoid presenting made-up stories as fact. Otherwise, no one will believe genuine news.
Fortinet could have corrected the story, making it clear that it wasn’t true, but just an example of something that could potentially happen. Instead, it chose to keep its, err… mouth shut.
Maybe it enjoyed the attention and media exposure.
It certainly doesn’t seem to harm their share price.
- Tooth be told: Toothbrush DDoS attack claim was lost in translation says Fortinet.
- Round 3! The toothbrush DDoS attack saga continues: Newspaper counters Fortinet’s translation claim in contentious interview.