Did Hackers Use 3 Million Electric Toothbrushes in DDoS Attack?
The viral news claiming that three million electric toothbrushes were hacked with malware to orchestrate distributed denial-of-service (DDoS) attacks appears to be far from the truth. Last week, Swiss news outlet Aargauer Zeitung published a report alleging that an employee of cybersecurity firm Fortinet had disclosed that three million electric toothbrushes had been infected with Java malware, purportedly to conduct DDoS attacks against a Swiss company.
Good journalism is important. >> "The unlikely 3 million electric toothbrush DDoS attack" https://t.co/6ZXctemgnR
— Rickey Gevers (@UID_) February 7, 2024
"Fortinet provided specific details: information about how long the attack took down a Swiss company's website, an order of magnitude of how great the damage was. Fortinet did not want to reveal which company it was out of consideration for its customers. The text was submitted to Fortinet for verification before publication. The statement that this was a real case that really happened was not objected to," he said.
"One command is enough, and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused," he added.
DDoS attacks, which involve inundating a website or online service with a barrage of requests to render it inaccessible to legitimate users, have become increasingly prevalent in recent years. Such attacks are typically orchestrated by leveraging a network of compromised devices, including routers, servers, and Internet of Things (IoT) devices, which are commandeered to flood the target with traffic.
While the concept of using electric toothbrushes as part of a DDoS botnet is certainly attention-grabbing, it raises practical concerns about the plausibility of such an attack. Unlike traditional IoT devices, electric toothbrushes are not typically connected directly to the internet; instead, they usually communicate via Bluetooth with accompanying mobile apps for data tracking purposes.
This raises doubts about the feasibility of remotely infecting and controlling millions of toothbrushes without a direct internet connection. Moreover, the lack of documented instances of IoT devices being exploited on such a massive scale undermines the credibility of the reported incident.
No, 3 million electric toothbrushes were not used in a DDoS attack. Complete bullshit but funny. https://t.co/1S3UPDOP55
— Anonymous (@QuietRonin47) February 7, 2024
In response to the allegations, Fortinet said, "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred."
Fortunately, the likelihood of your toothbrush being recruited for such nefarious activities is minimal. So, while you continue to maintain your oral hygiene, ensure your internet-connected devices remain secure and protected.