REPOST: Steven Vaughan-Nichols, "3 million smart toothbrushes were not..."

A few days ago, I saw an interesting story circulating among my cybersecurity connections on LinkedIn. I was skeptical. In fact, toothbrushes were NOT used for a DDoS attack. However, the possibility remains.

This lie was called out on Mastodon and Twitter/X before several publishers revised their story. I am posting one publisher’s revision to the story, not the original article. This article gives common sense advice.

Friends have previously shared with me real incidents of hacking via kitchen appliances and thermostats (Mr Robot, anyone?), which prompts reflection as to why a toothbrush needs an internet connection. Forcing tech where it does not belong doesn’t benefit anyone. This is why so many in the tech industry are critical of “smart appliances,” which come with overstated benefits and genuine security risks. [Shoots toaster]

Recently, the movie theater above my gym was “hacked” by the MeshSecMeshSec Islamist group. Some {{{Palestine Supporters}}} altered signs to convey their absurdly ironic message, ‘Stupid Jews, you are all terrorist killers…. So we will destroy you all. G-d is with us.’ It appears that self-awareness is not a common trait among black hats.

Here is the link to the original ZDNET story: https://www.zdnet.com/home-and-office/smart-home/3-million-smart-toothbrushes-were-not-used-in-a-ddos-attack-but-they-could-have-been/ Read their advice and remember to always use MFA with login.



3 million smart toothbrushes were not used in a DDoS attack after all, but it could happen

[UPDATED] What's next, malware-infected dental floss? But seriously: It's a reminder that even the smallest smart home devices can be a threat. Here's how to protect yourself.
Written by Steven Vaughan-Nichols, Senior Contributing Editor; Feb. 7, 2024 at 4:46 p.m. PT

It sounds more like science fiction than reality, but Swiss newspaper Aargauer Zeitung reported that approximately three million smart toothbrushes were hijacked by hackers to launch a Distributed Denial of Service (DDoS) attack. These innocuous bathroom gadgets—transformed into soldiers in a botnet army—allegedly knocked out a Swiss company for several hours, costing millions of euros in damages.

Or, did they? Sources, such as Bleeping Computer and Bleeping Media, found it hard to credit this toothsome tale. And now the security company Fortinet, which helped give the original story credence, is admitting that mistakes were made. 

In a note to ZDNET, a Fortinet representative said, "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears ...  the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred." 

The story had claimed that the compromised toothbrushes were running Java, a popular language for Internet of Things (IoT) devices. Once infected, a global network of malicious toothbrushes supposedly launched their successful attack. 

The repurposed toothbrushes supposedly accomplished this by flooding the Swiss website with bogus traffic, effectively knocking services offline and causing widespread disruption.

Although this story wasn't real, the episode underlines the ever-expanding threat landscape as the IoT becomes increasingly embedded in our daily lives. "Smart" toothbrushes are now 10 years old. Devices that once seemed harmless and disconnected from the digital ecosystem are now potential entry points for cybercriminals. The implications are vast, not only for individual privacy and security but also for national infrastructure and economic stability.

As Stefan Zuger, director of system engineering in Fortinet's Swiss office, said, "Every device that is connected to the Internet is a potential target – or can be misused for an attack."

Anyone paying close attention to cybersecurity has known about this threat for years. As James Clapper, former US Director of National Intelligence, told us in 2016: "Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US government systems."

It's no longer "could." We're now living in homes filled with insecure IoT devices.  

Why? As Mark Houpt, data center operator DataBank's chief information security officer, explained, it's because many IoT devices are inherently insecure for two key reasons: Neglect and the lack of an interface upon which to add security and hardening measures. I mean, exactly how do you control your toothbrush's security setting? How do you add an antivirus program to your refrigerator?

You can't. 

So, what can you do? 

Well, for starters, as Zuger said, you can automatically update all your devices whenever an update is available. "You can't update enough."

You should also never charge your device at a public USB port. That same port that charges your gadget can also infect it. 

I also suggest paying attention if your device suddenly starts losing power faster than normal. Sure, it may just be an aging battery, but it also could be malware running in the background. 

You should also be wary of public Wi-Fi connections. The same connection that lets you watch a TikTok may also be loading malware on your smartphone. 

While at your home, I urge you to set up a firewall on your Internet connection. If an attacker can't get to your smart toilet, it can't infect it. And, boy, isn't a malware-infected toilet an ugly thought? 

Finally -- and I'm quite serious about this -- don't buy an IoT-enabled device unless you have a real need for it. A smart TV? Sure, how else are you going to stream the Super Bowl? But a washing machine, an iron, a toothbrush? No. Just say no. 

As we forge ahead into an increasingly connected future, let's ensure that our digital hygiene is as robust as our dental hygiene.
