The Strange Tale Of 3 Million Hacked Toothbrushes

A news story about the hacking of three million smart toothbrushes to create a massive botnet used to launch a distributed denial of service cyberattack against a Swiss organization has gone viral. However, many in the information security industry, including myself, have trouble finding evidence to support the story.

02/08 updates below. This article was originally published on February 7.

What’s Behind The Viral Story Of 3 Million Hacked Smart Toothbrushes?

Searching Google reveals that everything from national newspapers to online technology publications have picked up the viral story of three million hacked smart toothbrushes attacking an unnamed Swiss business by way of a DDoS botnet.

However, the headlines certainly raised a few eyebrows within the information security community online, not least as there is very little by way of specifics in any of the reports and a distinct lack of technical explanations as to quite how such a massive botnet, one of the biggest on record, was created.

The story has arisen from comments provided to the Swiss publication by an engineer from the Swiss arm of security vendor Fortinet. I have contacted Fortinet for clarification regarding the root of this viral story and will provide an update if I hear back.

Update February 8: A Fortinet spokesperson has provided the following statement:

“To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”

Update February 8: The author of the orginal article refutes the Fortinet narrative and insists the ‘example’ was presented as a real case.

The author of the original article published by Aargauer Zeitung, Ann-Kathrin Amstutz, contacted Forbes following the publication today of an update to this story in the format of a statement from Fortinet which claimed there was no real attack. That statement suggested that…