The three million toothbrush botnet story isn’t true.

Here’s the original source of the story: https://archive.is/2024.01.30-203406/https://www.luzernerzeitung.ch/wirtschaft/kriminalitaet-die-zahnbuersten-greifen-an-das-sind-die-aktuellen-cybergefahren-und-so-koennen-sie-sich-schuetzen-ld.2569480

It’s simply a made up example. It doesn’t exist. It starts talking about NoName Ddosia, too, which also isn’t toothbrushes.

The toothbrush thing has gone viral despite it being total bollocks.

Now NoName have picked up the fake toothbrush story as propaganda for their members.

Good job, Fortigate.

Fortigate haven’t replied to my PR question about it. Given this is several times the size of the world’s biggest botnet, you’d think they’d have any evidence.. at all.

Kudos to @BleepingComputer for doing actual journalism.

Fortinet also declined to comment to me.

It's a completely made up story, which is now being circulated as Russian propaganda.
https://www.bleepingcomputer.com/news/security/the-unlikely-3-million-electric-toothbrush-ddos-attack/

The unlikely 3 million electric toothbrush DDoS attack

A widely reported story that 3 million electric toothbrushes were hacked with malware to conduct distributed denial of service (DDoS) attacks is likely a hypothetical scenario instead of an actual attack.

BleepingComputer
Fortigate have issued me a statement. The toothbrush DDoS story is completely made up.
I’d like to thank all the Mastodon reply guys in the thread who decided the story was real, btw, based on vibes.
Probably the best reply on one of the stories so far.
It’s now made it to YouTubers 🤣 who are doing better journalism and threat intel than.. journalists and threat intel. https://youtu.be/sVpe0ZEZ1Ho
Did a Massive Toothbrush DDOS Just Happen?

YouTube

The newspaper that had the first article about the Fortigate toothbrush botnet have updated the story and doubled down:

“The article originally said that the case "really happened like that."
This information came from the company Fortinet, which had described the case as real in the interview and proofread the article before publication. Fortinet is now correcting this statement and calling it a "hypothetical scenario".” https://www.luzernerzeitung.ch/wirtschaft/kriminalitaet-die-zahnbuersten-greifen-an-das-sind-die-aktuellen-cybergefahren-und-so-koennen-sie-sich-schuetzen-ld.2569480

Cyber threats: how to protect yourself

The number of attacks is reaching unimaginable heights, as new data from the cybersecurity company Fortinet shows. Which developments give cause for concern, and why there is nevertheless reason for optimism.

Luzerner Zeitung
@GossiTheDog While I typically don't like the German/Swiss tradition of authorizing/proofreading quotes in articles (something nobody else does as far as I know), here it clearly paid off.
@GossiTheDog Sounds like Fortinet Switzerland will soon look for someone to replace a position...
iTWire - Malwarebytes shines as bogus toothbrush attack tale swallowed by most

Security firm Malwarebytes has been one of the few companies or individuals that refused to swallow a bogus report about three million smart toothbrushes being used in a DDoS attack. A large number of so-called tech publications simply regurgitated the report which first appeared in the Swiss newspa...

@GossiTheDog

I have been literally biting all my fingers *and* my tongue (for some reason) to stop myself from going into people's posts and replying

IT'S A FAKE STORY YOU MORON. IT'S CLICKBAIT AT BEST

So far I have been strong

#Toothbrush #SmartToothbrushes

@GossiTheDog It seems appropriate that vibes are used for attribution at this point
@GossiTheDog Vibes are the best way to evaluate electric toothbrushes.
@GossiTheDog @BleepingComputer yeesh, declining to comment whilst their stock price spikes is some cynical shit. I'd like to hope this would damage trust in them but I'm not feeling that naive today.

@grimmware @GossiTheDog @BleepingComputer
You might think that Fortinet having had backdoors of their own (e.g. https://rhinosecuritylabs.com/enterprise-security/fortinet-backdoor-found-ssh-netscreen/), as well as critical RCE vulns, might affect the stock price too.

Possibly related: I've got a Fortigate 100D sitting here, unused in ages, if anyone wants to cover shipping etc.

Fortinet Backdoor Found in FortiGate Firewalls - Rhino Security Labs

Security researchers uncover hard coded SSH Fortinet backdoor vulnerability in FortiGate enterprise firewalls.

Rhino Security Labs
@tim_lavoie @GossiTheDog @BleepingComputer strangely enough you're not really selling the Fortigate ;)
@GossiTheDog @BleepingComputer I’m still trying to figure out what the problem was with toothbrushes that needed fixing with an internet connection.
@GossiTheDog @BleepingComputer I am glad that I was skeptical enough when I saw the story come through yesterday and didn't amplify.... figuring the DDOS dudes would sort it out...indeed they did. I wonder how many posts from yesterday were deleted today? Lol.
@GossiTheDog Aw dang, thanks for sharing this. But the archive.is link doesn't actually let you read the story. It's obscured even in that form by other text.
@mttaggart @GossiTheDog just scroll down past the nag message.

@GossiTheDog OH NO! I thought it was so funny. Oh well.

"Sir, we've been hacked!"

"Who? The Russians? The Chinese? Aliens?"

"Three million toothbrushes."

@GossiTheDog I want to believe!
@GossiTheDog I mean, sure, it's supposedly twice the size of Mirai... but that's not a red flag or anything is it?
--edit--
Did I say twice? Probably about 5 times larger. If true, this would be one of the world's biggest known botnets, but that wasn't the headline?
@GossiTheDog suddenly smart toothbrushes are not a joke anymore (or are they even more hilarious?)

@GossiTheDog oh man I fell for it. Thanks for the fact check.

Interesting though how easily lots of people got fooled on this one. One part of this is how gullible we all are (well, not you I guess), but the other part I think is that we came to *expect* this kind of stuff to happen in a world saturated with IoT devices.

@rysiek @GossiTheDog While we're at it... can we start curbing the toothbrush-shaped routers that are Mikrotik and their UDP based speedtests, please... :-| Those are like... 10g "unsolicited inbound UDP"-as-a-Service. -.-'
@rysiek Again: is it really fake? The given article states something different: https://social.tchncs.de/@jesterchen/111886824793344385
jesterchen42 (@[email protected])

@[email protected] But the article states: "Das Beispiel, das wie ein Hollywood-Szenario daherkommt, hat sich wirklich so zugetragen." which translates to "this Hollywood-like scenario really happened." 🤔

Mastodon
@jesterchen seems at least sus. One source, no other confirmation.

@GossiTheDog

Saw this first upon popping on this evening, followed by multiple posts about the "toothbrush botnet" - thanks for getting the word out.

@GossiTheDog

I'm totally ok with it. I laughed so hard. Rotnet and DilDoS made my day.

@GossiTheDog the German in the archive link seems to indicate the example actually happened though.
I'm more appalled by the idea of a Java-based OS than a toothbrush-based botnet.
@GossiTheDog At this point, I can enjoy the three million toothbrush botnet story whether it's true or not, and I don't know what that says about me.

@dreadpir8robots @GossiTheDog

Some stories are too good to check. :D

@GossiTheDog It wasn't the toothbrush... was it? :D

@GossiTheDog

That won't have the impact that's needed to lead to change...

Now, when a million online personal massage devices get turned into a botnet...

That will shake up the industry. 🤪

@GossiTheDog I mean, it does sound a bit unlikely because I've seen Bluetooth brushes, but certainly not ones with built-in wifi.
@monsieuricon @GossiTheDog And even if some toothbrushes had wifi, I guess very few would have them directly exposed to the internet so they could be hacked.
@rogers @monsieuricon @GossiTheDog the toothbrushes wouldn't need to be hackable from the internet. They need only be on the same LAN as a previously infected Windows PC, for example.
@hyc @rogers @monsieuricon @GossiTheDog I could absolutely believe the company itself having them load configuration from an insecure head-end service.
@hyc @monsieuricon @GossiTheDog Yes. But then it would take some time to get the number up to three million hacked devices without anyone noticing.
@hyc @rogers @monsieuricon @GossiTheDog That would suggest a) a related botnet of, let's say, one million PCs (spitballing average household size at ~3 people with a smart toothbrush per person), b) really, a much, much larger PC botnet because it's unlikely that even 1% of homes have this hypothetical brand of smart toothbrush, and c) that the additional volume of traffic from 3 million low-power devices is meaningful when you have a botnet with 100,000,000 PCs in it.

@neilcar @rogers @monsieuricon @GossiTheDog good points. A bit moot now since the whole story never actually happened.

They'd make a good persistence vector tho; no one's going to suspect them and you'd never run an antivirus on them. Reminds me of back in my Atari ST days, I w̶r̶o̶saw a virus that resided in the keyboard microcontroller. It would survive a reset and reinstall itself on the first keypress / kbd interrupt.

@hyc @rogers @monsieuricon @GossiTheDog In the hypothetical toothbrush case, I think it's much more likely that the well was poisoned -- I would posit an attack against the manufacturer's poorly-secured CI/CD pipeline, perhaps via an unpatched Jenkins vulnerability, enabling an attacker to ship a firmware update with an embedded backdoor.

This should give us pause when we consider enabling autoupdate for our smart hygiene appliances.

@monsieuricon @GossiTheDog ah, rats, I already pledged allegiance to the SkyNet... somebody please make it so!
@GossiTheDog But the article states: "Das Beispiel, das wie ein Hollywood-Szenario daherkommt, hat sich wirklich so zugetragen." which translates to "this Hollywood-like scenario really happened." 🤔