The three million toothbrush botnet story isn’t true.

Here’s the original source of the story: https://archive.is/2024.01.30-203406/https://www.luzernerzeitung.ch/wirtschaft/kriminalitaet-die-zahnbuersten-greifen-an-das-sind-die-aktuellen-cybergefahren-und-so-koennen-sie-sich-schuetzen-ld.2569480

It’s simply a made-up example. It doesn’t exist. It starts talking about NoName Ddosia, too, which also isn’t toothbrushes.

@GossiTheDog I mean, it does sound a bit unlikely because I've seen bluetooth brushes, but certainly not ones with built-in wifi.
@monsieuricon @GossiTheDog And even if some toothbrushes had wifi, I guess very few would have them directly exposed to the internet so they could be hacked.
@rogers @monsieuricon @GossiTheDog the toothbrushes wouldn't need to be hackable from the internet. They need only be on the same LAN as a previously infected Windows PC, for example.
@hyc @rogers @monsieuricon @GossiTheDog I could absolutely believe the company itself having them load configuration from an insecure head-end service.
@hyc @monsieuricon @GossiTheDog Yes. But then it would take some time to get the number up to three million hacked devices without anyone noticing.
@hyc @rogers @monsieuricon @GossiTheDog That would suggest a) a related botnet of, let's say, one million PCs (spitballing average household size at ~3 people with a smart toothbrush per person), b) really, a much, much larger PC botnet because it's unlikely that even 1% of homes have this hypothetical brand of smart toothbrush, and c) that the additional volume of traffic from 3 million low-power devices is meaningful when you have a botnet with 100,000,000 PCs in it.

@neilcar @rogers @monsieuricon @GossiTheDog good points. A bit moot now since the whole story never actually happened.

They'd make a good persistence vector though; no one's going to suspect them and you'd never run an antivirus on them. Reminds me of back in my Atari ST days, I w̶r̶o̶saw a virus that resided in the keyboard microcontroller. It would survive a reset and reinstall itself on the first keypress / kbd interrupt.

@hyc @rogers @monsieuricon @GossiTheDog In the hypothetical toothbrush case, I think it's much more likely that the well was poisoned -- I would posit an attack against the manufacturer's poorly-secured CI/CD pipeline, perhaps via an unpatched Jenkins vulnerability, enabling an attacker to ship a firmware update with an embedded backdoor.

This should give us pause when we consider enabling autoupdate for our smart hygiene appliances.
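The scenario above (a compromised build pipeline shipping a backdoored image through autoupdate) is exactly what a device-side signed-manifest check is meant to catch. What follows is an added illustration written for this page, not code from any of the posters or from any toothbrush vendor; the Manifest layout, the function names, the firmware strings and the "BACKDOOR" marker are all constructed for the example. It shows the three things an update verifier has to refuse: an image whose digest does not match the signed manifest, a manifest signed with a key other than the release key, and a replayed older manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: the device trusts an image only
// if the (version, digest) pair is signed by the release key, whose private half
// is assumed to live on an offline signer rather than in the build pipeline.
type Manifest struct {
	Version   uint32
	Digest    [sha256.Size]byte
	Signature []byte
}

// signedBytes is the exact byte string that gets signed: version || digest.
// Binding the version prevents replaying an old but genuinely signed manifest.
func signedBytes(version uint32, digest [sha256.Size]byte) []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], digest[:])
	return buf
}

// SignFirmware is the release step. It runs on the signer, not in CI/CD.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	d := sha256.Sum256(image)
	return Manifest{Version: version, Digest: d, Signature: ed25519.Sign(priv, signedBytes(version, d))}
}

var (
	ErrRollback  = errors.New("update rejected: version is not newer than installed firmware")
	ErrSignature = errors.New("update rejected: manifest signature does not verify")
	ErrDigest    = errors.New("update rejected: image digest does not match signed manifest")
)

// VerifyUpdate is the device-side check, run before anything is flashed.
// Order matters: reject rollbacks, then check the signature over the manifest,
// and only then hash the (possibly large) image against the trusted digest.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if m.Version <= installed {
		return ErrRollback
	}
	if !ed25519.Verify(pub, signedBytes(m.Version, m.Digest), m.Signature) {
		return ErrSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	return nil
}

// Backdoor appends a constructed marker to an image, standing in for
// tampering done inside a compromised build pipeline.
func Backdoor(image []byte) []byte {
	return append(append([]byte(nil), image...), []byte("\x00BACKDOOR")...)
}

func main() {
	// Release key pair; in practice only the public half is baked into the device.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample images; real firmware would be a multi-megabyte blob.
	v1 := []byte("firmware-v1: brush timer + bluetooth")
	v2 := []byte("firmware-v2: brush timer + bluetooth + pressure sensor")
	m1 := SignFirmware(priv, 1, v1)
	m2 := SignFirmware(priv, 2, v2)

	fmt.Println("genuine v2 onto a v1 device:      ", VerifyUpdate(pub, 1, m2, v2))
	fmt.Println("tampered image, genuine manifest: ", VerifyUpdate(pub, 1, m2, Backdoor(v2)))

	// Attacker who owns the pipeline but not the release key re-signs with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignFirmware(attackerPriv, 3, Backdoor(v2))
	fmt.Println("tampered image, attacker-signed:  ", VerifyUpdate(pub, 1, forged, Backdoor(v2)))

	// Replaying the old v1 manifest and image onto a device already on v2.
	fmt.Println("replayed v1 onto a v2 device:     ", VerifyUpdate(pub, 2, m1, v1))
}
```

The caveat is the one the post itself implies: this check only helps if the release key is not reachable from the pipeline the attacker compromised. If Jenkins can sign, a backdoored image arrives with a perfectly valid signature and VerifyUpdate will happily accept it, which is why the key should sit on a separate signer and why a rollback floor matters once a bad version has been revoked.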