This week, one of the biggest stories in cybersecurity was the existence of a huge botnet built out of toothbrushes, one that was reportedly capable of launching malware attacks.
The problem? It never happened, despite one security company, one newspaper and countless blogs saying it did.
The story about the hacked toothbrushes had all the makings of a good story: it’s tempting to laugh and say ‘told you so’ when it comes to devices that have no business being connected to the web.
The problem? The toothbrush malware story was so fake, so implausible, it boggles the mind that someone believed it in the first place. For one, most smart toothbrushes nowadays have Bluetooth, not WiFi, so they aren’t even Internet-connected. If they have apps, the toothbrushes still connect to your phone via Bluetooth, and then the app analyzes how well you’re taking care of your teeth. So, how did this story spread?
The Swiss newspaper Aargauer Zeitung was the first to report that three million smart toothbrushes were used by hackers to create a botnet capable of launching a Distributed Denial of Service (DDoS) attack. Nowadays, that attack, in which hundreds and thousands of devices all try to access a service at the same time so that it crashes from overload, could actually be called “retro”, since almost every service, product or online platform now has protection against it.
Anyway, the Aargauer Zeitung story was quickly picked up by a lot of tech blogs and gained huge traction on social media, especially on Reddit, thanks to a security company, Fortinet, that was quoted in the story. Since Fortinet is one of the oldest, most respected cybersecurity companies out there, journalists relied on that trust to report this story without checking twice. Or indeed, without engaging in any form of critical thinking, it seems. Even ZDNet ran with it, although a few hours later they amended it to reflect their error and include a statement from Fortinet.
“To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears … the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred,” said a Fortinet representative in a note to ZDNet.
Still, how did this happen? Was it the fault of Fortinet exaggerating, as a security company is prone to do to justify the need for its products? Was it a careless journalist? Is it our collective exhaustion at how unsafe and easily hacked our smart devices are, so much so that we’ll believe anything at this point?
The truth is somewhere in the middle, probably, although when it comes to journalists we should cut them a bit of slack, considering they’re usually overworked and underpaid.
Still, the way this story has spread is bad and shows just how quickly disinformation spreads, even without thinking about ChatGPT-generated content.
The original story about the malware-infected toothbrushes had more holes than cheesecloth. As previously pointed out, smart toothbrushes do not have WiFi, so how could they go online?
Since they don’t have WiFi, how could they be compromised, considering what a short range Bluetooth has?
And if, indeed, it was possible to attack a toothbrush with Bluetooth, it would probably mean the attacker would be in someone’s bathroom already – and at that point the toothbrush’s owner would have way bigger problems.
Even before you get to questions like these, the fact that the original story did not name any toothbrush maker brand (*cough cough* Oral-B) or a company representative should have raised a lot more alarm bells.
Honestly, when I personally came across this story as it broke I chuckled to myself. Despite knowing it couldn’t possibly be true, I kinda hoped it was.
You see, after spending what I spent on my own smart toothbrush, the idea that it could have a secret life and a secret super-spy identity is kinda exciting. Seriously though, the smart features on most toothbrushes really do absolutely nothing – why did I pay so much for them?
If I could offer a bit of advice, other than “don’t believe everything you read online”, it would be to save your cash and avoid “smart toothbrushes”.
Really, don’t be like me, just grab a toothbrush that has a pressure sensor. That’s the only thing your dentist wants from you.