Podcast Mar 07, 2024

Root Causes 367: Did an IoT Toothbrush Botnet Perform DDoS Attacks?

A story circulated earlier this year about a botnet composed of millions of IoT toothbrushes, which later was debunked. We tell you the whole tale.

  • Original Broadcast Date: March 7, 2024

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    Okay, so we want to talk about a funny little odd little security story that occurred recently, and this was picked up in many places. I'm just going to point you at one. This is a ZDNet article from February 7, 2024. It says - the headline is "3 million smart toothbrushes were not used in a DDoS attack after all, but it could happen." This one was written by Steven Vaughan-Nichols. Like I said, there were a lot of people who wrote about this in a lot of places. And basically, there was a short, for about a day, it was widely reported that there was a botnet that consisted of millions of IoT toothbrushes.

  • Jason Soroko

    But Tim, it seemed like when that came out, everybody had a hard time crediting this to the original source, right? Like, in other words, did it actually happen?

  • Tim Callan

    So this did not happen. So I think there's a few things to talk about here. The first one I'll just say in passing is, I'm not sure what the utility of an internet enabled toothbrush is, but presumably, there is such a thing, and presumably those devices exist. I don't own one. But fair enough.

    So what happened if you go back to it is this all traces itself back to a Swiss newspaper, called The Aargauer Zeitung. I am probably massacring the pronunciation of that, so please forgive me. Aargauer is a canton in Switzerland. And I think the Aargauer Zeitung is a newspaper in Aargau. And it had an article where basically it stated - it's in German, and it's behind a paywall, so I have to kind of depend on what other people say this article said but the reports were that this article claimed that there were these millions of these smart toothbrushes that were in a botnet that was being used to perform DDoS attacks. And the reason this got a lot of credibility is because it included a quote from Fortinet that appeared to substantiate this claim. So, at that point, with a company like Fortinet seeming to say that this is the case, a lot of people picked it up, viewed that as a credible source, and picked up the story and ran it as established truth.

  • Jason Soroko

    Right. I can actually see how something like that could happen, especially as you say, there could be some language issues here, too, where somebody being interviewed from Fortinet might have very, very clearly said, hey, this is a potential. Yes, we could see that happening and, you know, a quote might be then drawn up that says, yes, this did happen, or, or at least implied. I can see how sometimes a journalist might twist it, and quite honestly, too, honest error.

  • Tim Callan

    Yeah. I don't know if we can attribute this to a language problem or not. But here's Fortinet’s quote. This is the statement they released, “to clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack and is not based on research from Fortinet or FortiGuard Labs. It appears the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”

    So when I read that, it seems like a pretty clear statement Fortinet was saying, we were talking about the things that could be done and someone interpreted that as things that were being done, that were factually established by Fortinet and then from there, of course, botnets made of smart toothbrushes, like that's such an enticing story that that just goes crazy after that.

  • Jason Soroko

    Not surprised by any of it. I think that for people like you and I, Tim, who might be quoted in various things, we could talk about things that are hypothetical, and I could see, you know, being on Portuguese radio, you know, and being interpreted as, hey, somebody from Sectigo said this happened. Meanwhile it was, I was referring to it as hypothetical. I could see how this could happen.

  • Tim Callan

    And we do that all the time. We say, oh, well imagine, you know, here's the scenario. This thing happens and then that thing happens and then now the guy's in. You know, that doesn't mean that there's an instance of that occurring. It just means that it could occur and sometimes they do later, right? Sometimes white hats get out there early, and they talk about things that might occur and sure enough, we find those things emerging in the wild. But if you think about all kinds of things you and I have talked about, right? We've talked about deep fakes and spear phishing, and we've talked about BGP attacks, and we've talked about a bunch of other things. And they absolutely are real as possibilities but we're not necessarily referring to a specific incident when we're having that conversation. And the difference between those things is valuable and important, especially when you get to something inflammatory, like millions of smart toothbrushes are part of a big botnet that's performing DDoS attacks, which is definitely, like I said, that's an exciting headline. That's a headline that people read.

  • Jason Soroko

    Totally. I can absolutely see how an exciting headline is just too juicy for somebody to not want to print, especially when they're hearing it from a reputable company, etc. I can see how this could happen. And you're right, Tim, it's one of those funny bone moments in our industry where sometimes you get this.

  • Tim Callan

    Yeah. So it's just a light little story, probably not a lot more to say. We, you know, we talk about heavy and weighty topics and outages and vulnerabilities and stuff a whole bunch. So, you know, in this case, it turned out it's kind of funny, and it turned out that it was a happy ending in the end of the day. And so, you know, just wanted to give you a little bit of bright news for a change.

  • Jason Soroko

    Thanks, Tim. But you know, I just wanted to end it with a thought that on a serious note, I can see this happening. Right.

  • Tim Callan

    Yeah. Which was the point.

  • Jason Soroko

    And I think that's the point to make. That is the point.

  • Tim Callan

    Which was the point. Absolutely. I mean, presumably - I didn't see the original interview - but presumably, the point that was being made about this as a possibility was perfectly correct.

  • Jason Soroko

    Yes.

  • Tim Callan

    And therefore, surely it remains a possibility.

  • Jason Soroko

    I think it definitely could. I think any IoT device that is not using some form of stronger authentication is ripe for this. And I think the Mirai Botnet and all of its variants has taught that very, very well.

  • Tim Callan

    Yeah. I mean, we've seen so many botnets. Again, the big ah-ha moment for me in all of this was that there are internet enabled toothbrushes. That I learned. I didn't know that. That's something that I learned. So there you go.

  • Jason Soroko

    My toothbrush is dumb, Tim.

  • Tim Callan

    Yeah. I have an old fashioned analog toothbrush. That's what I use. All right. Anyway, thank you very much, Jason.

  • Jason Soroko

    Thanks, Tim.

  • Tim Callan

    This has been Root Causes.