Tooth be told: Toothbrush DDoS attack claim was lost in translation, claims Fortinet

Graham Cluley
Graham Cluley
@

 @grahamcluley.com
 @[email protected]

Tooth be told: Toothbrush DDoS attack claim was lost in translation says Fortinet

After hundreds of media outlets worldwide repeated the false claim that a botnet of three million toothbrushes attacked a Swiss company, the cybersecurity firm at the centre of the story has now issued a statement:

“To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”

Fortinet went on to say that its experts have “not observed Mirai or other IoT botnets target toothbrushes or similar embedded devices.”

I can imagine how a Fortinet’s researcher might have regaled a journalist with tales of how IoT devices like webcams hijacked into botnets for DDoS attacks (after all, this has happened.)

However, giving the journalist a juicy hypothetical example of millions of smart toothbrushes taking down a Swiss company is playing a dangerous game.

I’m not surprised that journalists might seize the story, and as we’ve seen, other news outlets repeat it without double-checking its truth.

A more experienced spokesperson would have made it clear that the toothbrush DDoS attack example was hypothetical and hadn’t actually happened.

Failing that, Fortinet had plenty of time (the original article was published on January 30) to contact the Swiss newspaper and correct the report, or post a clarification on social media debunking the story as the hysteria spread in the press.

But Fortinet didn’t, until skeptical voices in the cybersecurity community questioned the story.

Sign up to our free newsletter.
Security news, advice, and tips.

Ironically, the firm’s researchers have published some genuinely interesting proof-of-concept research in the past on the toothbrush topic – albeit hacking Bluetooth-enabled toothbrushes to mess with brushing time rather than knock a company’s website offline.

Further reading: Round 3! The toothbrush DDoS attack saga continues: Newspaper counters Fortinet’s translation claim in contentious interview.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.