Nuance: There weren't three million Java toothbrush websites – Computer – News

Millions of toothbrushes take over the Internet! A DDoS attack from your bathroom sounds pretty scary, if you believe the various media. But the story about a botnet of malware-infected toothbrushes appears to be based mainly on incorrect assumptions.

what is the story?

Several major media outlets reported a startling story earlier this week: millions of toothbrushes were allegedly hacked and used in a DDoS attack. The story was not only picked up by large general news sites with significant reach such as The Independent, but also through reputable technical media. The story has been picked up before, among others Tom's devices, Znet And Golem. It is striking that none of these media outlets provided many details about the attack, but it was widely circulated.

The story originally comes from Local Swiss newspaper, Aargau Zeitung, Aargau Cantonal Newspaper. This story, which is behind a paywall, cites some high-profile examples of the “cyber risk” of IoT devices behind a headline about “toothbrush attacks.” The story discusses several examples attributed to Stefan Zuger, head of technology at the Swiss subsidiary of security company Fortinet. It says that “three million electric toothbrushes running on Java have been infected with malware.” They were allegedly included in the botnet that later attacked the website of a Swiss company. The DDoS attack reportedly left the site offline for four hours, causing “millions of dollars in damage.”

Toothbrush with java

This story alone is surprising. Because the toothbrush “runs on Java”? This seems far-fetched; What complex tasks does a toothbrush have to do that require such a heavy programming language? Moreover, this toothbrush is usually not connected directly to the Internet, but via Bluetooth. They cannot simply be hijacked in a DDoS attack.

The newspaper describes the story, but does not provide any further details. It is not known what company the attack was targeting, whether Fortinet actually spotted the attack, what botnet it was said to be affiliated with, and whether, for example, proof-of-concept code or samples were shared.

Looking at the rest of the article, this doesn't seem likely. The newspaper cites other questionable claims that it attributes to Fortinet. For example, the article mentions that a restaurant was hacked via an image in an email, but the article also notes that Fortinet “connected a computer to the Internet without any protection” which was “infected” within twenty minutes. He used some terms, such as artificial intelligence, that make DDoS attacks more dangerous without any proof, and it is clear that the Aargauer Zeitung heard the bell ring, but does not know exactly where the bell is ringing.

translation

Fortinet now says in its response, including its response to Tom's Hardware, that the story is in fact not entirely true. “The example of a toothbrush used in a DDoS attack was used during the interview as an illustration of a specific type of attack. It is not based on research conducted by Fortinet or FortiGuard Labs. It appears that by translating hypothetical and actual scenarios it has been mixed up,” the company writes. Most major publications have since updated the article, and ZDNet also has the article Completely rewrittenNot to mention that the original article contained the text “No, we're not kidding.”

Overall, the smart toothbrush story seems like it was taken out of context, and some media outlets made it bigger than it actually was. But, as many of those media have also written, the idea of ​​botnets abusing IoT devices is not new. Botnets like Mirai have been around since 2016 and are still causing problems today by taking over poorly secured IoT devices. But a toothbrush, let alone three million? It's not too far away yet.