Bizarre stories are flying around, saying a botnet of toothbrushes attacked a website. Millions of IoThings suddenly cried out in terror, somehow squashing a super Swiss site—supposedly.

Or not. It turns out to be untrue. In today’s SB Blogwatch, we point and laugh.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: SkrillexMachina.

“Actually happened”
The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it – like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.
…
This example, which seems like a Hollywood scenario, actually happened … says Stefan Zuger. He is responsible for systems technology at the Swiss branch of the cybersecurity specialist Fortinet.

“We don’t have the finer details”
This sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company’s website, [which] collapsed under the strain. … The toothbrush was thought to have been vulnerable due to its Java-based OS.
…
After a malware infection, these toothbrushes were press-ganged into a botnet. … Though we don’t have the finer details of the DDoS story, it serves as yet another warning for device owners.

The toothbrush thing has gone viral, despite it being total bollocks. … It’s simply a made up example. It doesn’t exist.
…
A botnet of 3 million toothbrushes would be twice the size of Mirai’s various botnets put together, and a major infosec event. [Stefan Zuger] has only worked there about a year.

They talk about a “Java-based” OS that could have been the cause. I know Java ME was a thing and there are Micro JVM that can run on microcontrollers. But still, it does not add up.

I think a DDoS attack happened (happens all the time). And security “experts” mentioned that these things could come from anywhere, even toothbrushes, and the details got lost in translation / used for click bait.

That’s the moment that got me! The whole thing went from preposterous to magical.

First they came for The Onion
And I did not speak out
For I was not an Onion writer

Then they came for Black Mirror
And I did not speak out
For I was not a Mirror writer

Then they came for Horselover Fat …

It sounds more like science fiction than reality. [But it] underlines the ever-expanding threat landscape as the IoT becomes increasingly embedded in our daily lives. … Devices that once seemed harmless and disconnected from the digital ecosystem are now potential entry points for cybercriminals. The implications are vast.
…
Anyone paying close attention to cybersecurity has known about this threat for years. … It’s no longer “could.” We’re now living in homes filled with insecure IoT devices.
…
I’m quite serious about this — don’t buy an IoT-enabled device unless you have a real need for it. A smart TV? Sure, how else are you going to stream the Super Bowl? But a washing machine, an iron, a toothbrush? No. … Let’s ensure that our digital hygiene is as robust as our dental hygiene.

Who had “Zombie toothbrushes” on their 2024 bingo card?

Despite the apparent use of FLOSS, this can’t simply be brushed off and the perpetrators won’t receive a plaque for their achievement.

Recent Articles By Author