After hundreds of media outlets worldwide repeated the false claim that a botnet of three million toothbrushes attacked a Swiss company, the cybersecurity firm at the centre of the story has now issued a statement:
“To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”
Fortinet went on to say that its experts have “not observed Mirai or other IoT botnets target toothbrushes or similar embedded devices.”
I can imagine how a Fortinet researcher might have regaled a journalist with tales of how IoT devices like webcams are hijacked into botnets for DDoS attacks (after all, this has happened).
However, giving the journalist a juicy hypothetical example of millions of smart toothbrushes taking down a Swiss company is playing a dangerous game.
I’m not surprised that journalists might seize on the story, and as we’ve seen, other news outlets repeat it without double-checking its truth.
A more experienced spokesperson would have made it clear that the toothbrush DDoS attack example was hypothetical and hadn’t actually happened.
Failing that, Fortinet had plenty of time (the original article was published on January 30) to contact the Swiss newspaper and correct the report, or post a clarification on social media debunking the story as the hysteria spread in the press.
But Fortinet didn’t, until skeptical voices in the cybersecurity community questioned the story.
Ironically, the firm’s researchers have published some genuinely interesting proof-of-concept research in the past on the toothbrush topic – albeit hacking Bluetooth-enabled toothbrushes to mess with brushing time rather than knock a company’s website offline.