That electric toothbrush DDoS story you saw might have been a case of mistranslation


A viral story that claimed three million electric toothbrushes were compromised and used to conduct a distributed denial of service (DDoS) attack has prompted a backlash amid claims that mistranslation blurred the lines between a hypothetical and a real-world scenario.

Reports in English media stemming from an article in Aargauer Zeitung last week seemed to indicate that Fortinet's director of systems engineering, Stefan Züger, had claimed millions of internet-connected toothbrushes had been used to carry out an attack against a Swiss company.

“The electric toothbrush is programmed with Java, and criminals have installed malware on it unnoticed, like on three million other toothbrushes,” the translations read.

“One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.”

A key issue with the story highlighted by critics was that there’s no evidence any such attack ever took place. No official Fortinet research on the scenario could be found online, and this prompted a myriad of security professionals to question the veracity of the reporting.

Security researcher Kevin Beaumont was among the first to question the accuracy of the story, calling out news outlets that covered the report as well as threat intel firms.

ITPro can confirm it received press briefings from several cyber security vendors offering insight on the story along with complementary research and statistics on IoT-related security vulnerabilities.

In a post on LinkedIn, Rik Ferguson, VP of security intelligence at Forescout, echoed Beaumont’s sentiment on the coverage, calling the story “BS”.

“Are you seeing all the articles, coverage and discussion about the 3 million-strong botnet of compromised toothbrushes (toothbrushi?),” he said.

“It's BS, and it is directly harmful to the ongoing cause of cyber security. This is one BIG ‘wolf’ moment.”

Ferguson noted that, based on his reading of the original coverage, the situation referenced by Züger was meant “simply as an example of what could happen” rather than as a description of a tangible, real-world incident.

Notably, he pointed out that the situation could have been a case of mistranslation, or a transcription error on the part of the journalist.


“The article is admittedly slightly opaque, which I think may have arisen from a transcription error or misunderstanding during an interview.

“‘Das Beispiel, das wie ein Hollywood-Szenario daherkommt, hat sich wirklich so zugetragen’ translates as speaking about both an ‘example’ and something ‘that actually happened’.”

While Fortinet has yet to respond to ITPro's requests for comment, it told other publications that the “topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given attack type”.

Fortinet insisted that this scenario was “not based on research” from the firm or its FortiGuard Labs division and also pointed toward translation issues.

“It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”

Some industry vendors have nonetheless seized the opportunity to poke fun at Fortinet in the wake of the coverage. A blog post from Malwarebytes titled “How to tell if your toothbrush is being used in a DDoS attack” simply reads “it’s not”.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.