Round 3 in the toothbrush DDoS debacle!

The story so far.

Round 1

The newspaper Aargauer Zeitung published an article claiming that three million IoT-connected toothbrushes had launched a distributed denial-of-service attack against a Swiss company, causing its website to be knocked over for four hours.

Hundreds of other news outlets retold the story, assuming it was true. But, it wasn’t true.

Where had Aargauer Zeitung got the story from? Well, they quoted a security researcher at Fortinet.

Round 2

After members of the cybersecurity industry (including yours truly) mocked or downright debunked the story as “total bollocks”, Fortinet stirred into action and issued a statement blaming a translation issue.

Round 3

So where are we now?

Well, ding ding! It’s Round 3, and Aargauer Zeitung has come out of its corner fighting.

In a new statement on its website, the newspaper claims that Fortinet did present the toothbrush incident as real and shared specific details of what occurred.

German newspaper cutting

Here’s what the newspaper has said (computer-translated for us who don’t understand German):

What is now described by the Fortinet headquarters in California as a “translation problem” has listened to the research in a completely different way: Swiss Fortinet representatives have described the toothbrush case as a real DDoS attack at an appointment, which dealt with current threat situations.

Fortinet provided specific details: information on how long the attack paralysed the website of a Swiss company; a magnitude of how high the damage caused was. Out of consideration for their customer, Fortinet did not want to reveal which company it was.

The text was presented to Fortinet for verification before publication. The sentence that it was a real case that really happened was not obsessed.

The global management of Fortinet has now rowed back with its statement, which was sent to various international media. The company has failed to send it to CH Media. We have not yet received another statement from Fortinet.

Ouch.

Will Fortinet return for Round 4, or is that a knockout punch?