Free Trial
Contact Us
Podcast

Root Causes 367: Did an IoT Toothbrush Botnet Perform DDoS Attacks?

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
March 7, 2024

A story circulated earlier this year about a botnet composed of millions of IoT toothbrushes, which later was debunked. We tell you the whole tale.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanOkay, so we want to talk about a funny little odd little security story that occurred recently, and this was picked up in many places. I'm just going to point you at one. This is a ZDNet article from February 7 2024. It says - the headline is 3 million smart toothbrushes were not used in a DDoS attack after all, but it could happen. This one was written by Steven Vaughahn-Nichols. Like I said, there were a lot of people who wrote about this in a lot of places. And basically, there was a short, for about a day, it was widely reported that there was a botnet that consisted of millions of IoT toothbrushes.
Jason SorokoJason SorokoBut Tim, it seemed like when that came out, everybody had a hard time crediting this to the original source, right? Like, in other words, did it actually happen?
Tim CallanTim CallanSo this did not happen. So I think there's a few things to talk about here. The first one I'll just say in passing is, I'm not sure what the utility of an internet enabled toothbrush is, but presumably, there is such a thing, and presumably those devices exist. I don't own one. But fair enough.

So what happened if you go back to it is this all traces itself back to a Swiss newspaper, called The Aargauer Zeitung. I am probably massacring the pronunciation of that, so please forgive me. Aargauer is a canton in Switzerland. And I think the Aargauer Zeitung is a newspaper in Aargau. And it had an article where basically it stated - it's in German, and it's behind a paywall, so I have to kind of depend on what other people say this article said but the reports were that this article claimed that there were these millions of these smart toothbrushes that were in a botnet that was being used to perform DDoS attacks. And the reason this got a lot of credibility is because it included a quote from Fortinet that appeared to substantiate this claim. So, at that point, with a company like Fortinet seeming to say that this is the case, a lot of people picked it up, viewed that as a credible source, and picked up the story and ran it as established truth.
Jason SorokoJason SorokoRight. I can actually see how something like that could happen, especially as you say, there could be some language issues here, too, where somebody being interviewed from Fortinet might have very, very clearly said, hey, this is a potential. Yes, we could see that happening and, you know, a quote might be then drawn up that says, yes, this did happen, or, or at least implied. I can see how sometimes a journalist might twist it, and quite honestly, too, honest error.
Tim CallanTim CallanYeah. I don't know if we can attribute this to a language problem or not. But here's Fortinet’s quote. This is the statement they released, “to clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack and is not based on research from Fortinet or Fortiguard Labs. It appears the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”

So when I read that, it seems like a pretty clear statement Fortinet was saying, we were talking about the things that could be done and someone interpreted that as things that were being done, that were factually established by Fortinet and then from there, of course, botnets made of smart toothbrushes, like that's such an enticing story that that just goes crazy after that.
Jason SorokoJason SorokoNot surprised by any of it. I think that for people like you and I, Tim, who might be quoted in various things, we could talk about things that are hypothetical, and I could see, you know, being on Portuguese radio, you know, and being interpreted as, hey, somebody from Sectigo said this happened. Meanwhile it was, I was referring to it as hypothetical. I could see how this could happen.
Tim CallanTim CallanAnd we do that all the time. We say, oh, well imagine, you know, here's the scenario. This thing happens and then that thing happens and then now the guys in. You know, that doesn't mean that there's an instance of that occurring. It just means that it could occur and sometimes they do later, right? Sometimes white hats get out there early, and they talk about things that might occur and sure enough, we find those things emerging in the wild. But if you think about all kinds of things you and I have talked about, right? We've talked about deep fakes and spearfishing, and we've talked about BGP attacks, and we've talked about a bunch of other things. And they absolutely are real as possibilities but we're not necessarily referring to a specific incident when we're having that conversation. And the difference between those things is valuable and important, especially when you get to something inflammatory, like millions of smart toothbrushes are part of a big botnet that's performing DDoS attacks, which is definitely, like I said, that's an exciting headline. That's a headline that people read.
Jason SorokoJason SorokoTotally. I can absolutely see how an exciting headline is just too juicy for somebody to not want to print, especially when they're hearing it from a reputable company, etc. I can see how this could happen. And you're right, Tim, it's one of those funny bone moments in our industry where sometimes you get this.
Tim CallanTim CallanYeah. So it's just a light little story, probably not a lot more to say. We, you know, we talk about heavy and weighty topics and outages and vulnerabilities and stuff a whole bunch. So, you know, in this case, it turned out it's kind of funny, and it turned out that it was a happy ending in the end of the day. And so, you know, just wanted to give you a little bit of bright news for a change.
Jason SorokoJason SorokoThanks, Tim. But you know, I just wanted to end it with a thought that on a serious note, I can see this happening. Right.
Tim CallanTim CallanYeah. Which was the point.
Jason SorokoJason SorokoAnd I think that's the point to make. That is the point.
Tim CallanTim CallanWhich was the point. Absolutely. I mean, presumably - I didn't see the original interview - but presumably, the point that was being made about this as a possibility was perfectly correct.
Jason SorokoJason SorokoYes.
Tim CallanTim CallanAnd therefore, surely it remains a possibility.
Jason SorokoJason SorokoI think it definitely could. I think any IoT device that is not using some form of stronger authentication is ripe for this. And I think the Mirai Botnet and all of its variants has taught that very, very well.
Tim CallanTim CallanYeah. I mean, we've seen so many botnets. Again, the big ah-ha moment for me in all of this was that there are internet enabled toothbrushes. That I learned. I didn't know that. That's something that I learned. So there you go.
Jason SorokoJason SorokoMy toothbrush is dumb, Tim.
Tim CallanTim CallanYeah. I have an old fashioned analog toothbrush. That's what I use. All right. Anyway, thank you very much, Jason.
Jason SorokoJason SorokoThanks, Tim.
Tim CallanTim CallanThis has been Root Causes.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud