The S in IoT Stands for Security: Did Three Million Smart Toothbrushes Lead to a DDoS Attack?

Millions of smart toothbrushes were reportedly used in a DDoS attack, causing losses amounting to millions of Euros for an unnamed Switzerland-based company. While the cybersecurity community is skeptical, the story brings the risks of internet-facing IoT devices to the fore and begs the question: are IoT devices ready, security-wise, to be connected to the internet?

Last Updated: February 9, 2024

  • Reportedly, millions of smart toothbrushes were used in a cyberattack, leading to losses amounting to millions of Euros for an unnamed Switzerland-based company.
  • While researchers discuss the validity of the claims, is it okay to assume that the dystopian future is almost here?

As many as three million smart toothbrushes were reportedly converted into a massive botnet to carry out a distributed denial of service (DDoS) attack against a Swiss company. According to Aargauer Zeitung, the cyberattack took down the company’s website for several hours.

One wouldn’t be too far off in thinking the peculiar incident sounds like the work of a TV writer: it recalls the episode of a popular TV show set in Silicon Valley in which one of the characters accidentally uploads the company’s product library onto smart refrigerators, in a stroke of luck. Except there, the characters are the show’s protagonists.

In real life, however, threat actors supposedly abused the internet-facing toothbrushes to disrupt services, causing five hours of downtime and losses of millions of Euros.

Like other Internet of Things (IoT) devices, the smart toothbrushes were reportedly based on Java and connected to the internet, which probably served as the entry point for malware. “Every device that is connected to the Internet is a potential target – or can be misused for an attack,” said Stefan Zuger, Fortinet (Swiss office) director of system engineering.

The victim company remains unnamed, as do technical details, such as whether the toothbrushes were connected via Wi-Fi or Bluetooth (which is typically the case for such devices).


However, security researcher Kevin Beaumont has refuted the smart toothbrush-driven attack, going so far as to call it “bogus.” Understandably so, given that the limited details at hand make the story hard to believe.

Here are some of the details missing:

  1. Victim
  2. Smart toothbrush company
  3. Threat actor
  4. Smart toothbrush connectivity
  5. The malware in question

In any case, IoT devices can present disruptive, privacy and systemic risks. As Hexnode founder and CEO Apu Pavithran noted in a thought piece for Spiceworks, “The IoT landscape has expanded significantly from smart homes and medical devices to industrial systems and transportation networks. Unfortunately, many of these devices were developed with a primary focus on functionality and cost-efficiency, often overlooking robust cybersecurity measures.”

The number of connected IoT devices is expected to surge to 34.4 billion by 2032, according to Transforma Insights, so it is imperative that organizations take appropriate cybersecurity measures for IoT devices. The European Cyber Resilience Act, the United States’ National Cybersecurity Strategy, and NATO’s Defense Innovation Accelerator for the North Atlantic are some of the regulatory measures seeking to plug the privacy and security holes in IoT devices.

Update

Fortinet sent the following statement to multiple publishers after the story went viral: “To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”

However, Aargauer Zeitung’s Ann-Kathrin Amstutz, who broke the original story, refutes Fortinet’s statement.

“What the Fortinet headquarters in California is now calling a ‘translation problem’ sounded completely different during the research: Swiss Fortinet representatives described the toothbrush case as a real DDoS attack at a meeting that discussed current threats.

Fortinet provided specific details: information about how long the attack took down a Swiss company’s website; an order of magnitude of how great the damage was. Fortinet did not want to reveal which company it was out of consideration for its customers.

The text was submitted to Fortinet for verification before publication. The statement that this was a real case that really happened was not objected to.”


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com