
The army of 3 million smart electric toothbrushes launching a DDoS attack: why it’s all fake


In recent days the editors of countless online newspapers have worn their fingertips out telling the story of an incredible attack that allegedly involved some 3 million electric toothbrushes, devices “enlisted” by a group of cyber criminals to launch DDoS (Distributed Denial of Service) attacks. An army of smart toothbrushes suddenly turned bad, in the pay of unscrupulous attackers. But are things really like this? Short answer: absolutely not.

The story itself already seemed rather imaginative: electronic devices which, a bit like in “It Takes Two”, rebel against their legitimate owners and become instruments of a dark plan.

The DDoS attack involving electric toothbrushes never happened

Last week, a Swiss news site published what many thought was shocking news. Without too many turns of phrase, the newspaper wrote that a group of malicious actors had tampered with the firmware of approximately 3 million electric toothbrushes to install malicious code on them. Connected to the local router, toothbrushes typically collect, and make accessible via apps, information on their use, brushing times, the condition of the bristles, and so on.

This time, however, the modification applied on the software side would have enrolled all the vulnerable smart toothbrushes into a single botnet. A botnet is a collection of devices infected with malware and controlled through a single point of command. These devices, known as “bots” or “zombies”, act in a coordinated manner under the control of the botnet operator. Botnets are often used to conduct cyber attacks, such as sending spam, distributing malware, performing DDoS attacks, or carrying out other malicious activities on the network.

In the present case, sending a specific command would have triggered a coordinated attack on the website of a Swiss company, causing it to collapse under the weight of continuous connection requests from remote toothbrushes. The Swiss newspaper that reported the news speaks of millions of dollars in damages suffered by the company targeted by the attack.

Why it smelled like fake news

Let’s start by clarifying that electric toothbrushes do not connect directly to the Internet: they do not offer a Wi-Fi connection, nor do they support other protocols for connecting directly to a router wirelessly. The compatible models, rather, use Bluetooth to connect to mobile devices and communicate with the dedicated apps installed on the smartphone. The data is then possibly shared with the relevant web platforms.

A massive cyber attack like the one described could only have been carried out by compromising the supply chain, that is, the supplier chain used to deliver firmware to the devices, and pushing a special version of the software containing malicious code to the entire user base.

If this had really happened, it would be a much larger problem than the DDoS attack itself. But none of what has been described in recent days has ever happened.

This post by Robert Graham, CEO of Errata Security, summarizes the issue, albeit in a rather colorful way.

Fortinet, a company repeatedly cited as the source of the news of the DDoS attack perpetrated using 3 million toothbrushes, clarified that the scenario described was merely hypothetical and did not describe an event that actually occurred. Furthermore, it is not the result of any research carried out by either Fortinet or FortiGuard Labs.

Securing IoT devices is serious business

By the end of 2024, something like 17 billion IoT (Internet of Things) devices are expected to be connected to the Internet. The “non-news” of smart toothbrushes transformed into toy soldiers in the service of cyber criminals should nevertheless bring us back down to earth and draw attention to the importance of adequately protecting devices for the Internet of Things.

Vulnerabilities present in the firmware of these products, configuration mistakes attributable to users, the absence of permission checks, the use of weak credentials and so on could facilitate the work of attackers determined to add these devices to botnets, or in any case interested in using them to carry out harmful actions. These devices, in fact, could be used as a “lock pick” to access a local network and move laterally, accessing shared resources, stealing personal information, installing malicious software, and so on.

The defenses used to protect servers reachable via a public IP address should be the same as those applied to IoT devices, paying maximum attention in these cases to updating the firmware on a periodic basis.

Opening image credit: Microsoft Bing Image Creator.
