No, 3 million electric toothbrushes were not used in a DDoS attack

Update added below with Fortinet's statement confirming our reporting and a statement from CH Media, who originally reported on the attack.

A widely reported story that 3 million electric toothbrushes were hacked with malware to conduct distributed denial of service (DDoS) attacks is likely a hypothetical scenario instead of an actual attack.

Last week, Swiss news site Aargauer Zeitung published a story stating that an employee of cybersecurity firm Fortinet said 3 million electric toothbrushes had been infected with Java malware to conduct DDoS attacks against a Swiss company.

"The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes," reads the article.

"One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused."

The story is dramatic and definitely newsworthy, if accurate, and began sweeping through other technology news sites yesterday, with numerous publications covering the alleged attack without verifying the story.

However, there is one problem with the story—there is no record that this attack ever happened.

Fortinet, who was attributed as the source of the article, has not published any information about this attack and has not responded to repeated requests for comment from BleepingComputer since the "toothbrush botnet" story went viral yesterday.

A DDoS attack is when an attacker sends enough requests or data at a website to overwhelm its resources or bandwidth so that it can no longer accept requests from legitimate visitors, effectively making the site unusable.

This type of attack has been increasingly used by hacktivists to protest a country's or business's activities or by threat actors who use them to extort businesses.

To conduct these attacks, routers, servers, and IoT devices are hacked by brute forcing or using default passwords, or exploiting vulnerabilities.

Once a device is compromised, malware is installed to enlist it as part of their DDoS botnet and use it on attacks. These devices are then collectively used to launch powerful attacks against a specified target.

According to Statista, approximately 17 billion IoT devices are expected to be connected to the internet by the end of 2024, offering a massive footprint of devices that could potentially be recruited into DDoS botnets.

However, it is doubtful that 3 million electric toothbrushes would be exposed to the internet so that they could be infected with malware.

Instead, this was likely a hypothetical scenario shared by Fortinet with the newspaper that was misunderstood or taken out of context to create a story that is widely disputed by security experts.

Furthermore, electric toothbrushes do not connect directly to the internet but instead use Bluetooth to connect to mobile apps that then upload your data to web-based platforms. 

This means that a massive hack like this could only have been achieved through a supply chain attack that pushed down malicious firmware to the devices.

However, there is no record of this happening. If it did, it would be a much bigger story than a DDoS attack.

While a story of a toothbrush DDoS botnet taking down a site is amusing (and almost definitely untrue), it’s still a good reminder that threat actors would target any Internet-exposed device.

This includes routers, servers, programmable logic controllers (PLCs), printers, and web cameras.

Therefore, it is essential for any device exposed to the internet to have the latest security updates and strong passwords to prevent them from being recruited into DDoS botnets.
The good news is that it likely won't be your toothbrush, so keep brushing.

Update 2/7/24 5:45 PM ET: As expected, Fortinet told BleepingComputer that this was a hypothetical scenario and not a real attack.

"To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred." - Fortinet.

FortiGuard Labs has also told BleepingComputer that they have not observed any IoT botnets targeting toothbrushes or similar embedded devices.

Update 2/8/24 12:10 PM ET: The author of the original 3 million toothbrush story at Aargauer Zeitung has shared a statement with BleepingComputer that says Fortinet specifically described the toothbrush DDoS attack as real.

Furthermore, CH Media, the parent company for Aargauer Zeitung, says they have not received a statement from Fortinet requesting a correction.