Hackers could have enslaved 3 million toothbrushes for DDoS attack

WTF?! Another incident illustrates the inherent dangers of making every household item internet-connected. Three million smart toothbrushes were reportedly infected by hackers and enslaved into a botnet used in a DDoS attack on a company in Switzerland – though not everyone believes it really happened.

The story comes from Swiss newspaper Aargauer Zeitung, which states that the unnamed Swiss company targeted by the army of smart toothbrushes was taken down for several hours, costing it millions of dollars. Update (Feb 9): Confirmed, the attack never happened.

The report states that the toothbrushes – the brand isn't named – were vulnerable due to their Java-based OS. While a lot of toothbrushes use Bluetooth for tracking cleaning routines, several also support Wi-Fi connections for their various functions.

Aargauer Zeitung refers to data from cybersecurity company Fortinet in the article. "Every device that is connected to the Internet is a potential target – or can be misused for an attack," said Fortinet system engineer director Stefan Züger.

While such an incident sounds plausible, some believe the story isn't true, including cybersecurity expert Kevin Beaumont. Züger seems to be describing some hypothetical scenarios in the article; however, the publication does state that "The [toothbrush] example, which seems like a Hollywood scenario, really happened that way." (translated).

Real or otherwise, the danger of insecure IoT devices isn't to be underestimated. Züger notes how cybercriminals are constantly on the lookout for vulnerabilities in connected devices. To find out how long it takes for a device to be hijacked, Züger and his team connected a computer to the internet without any protection. It took less than 20 minutes for it to be taken over.

Real or hypothetical, there have been plenty of other stories about webcams, baby monitors, smart fridges, etc. being taken over by hackers, reminding us to ensure our devices are up to date.

Last month brought news of what was also suspected to be an IoT-device hijack: a connected LG washing machine that was using 3.6GB of data per day. Ultimately, the most likely explanation turned out to be a reporting inaccuracy on the part of the Asus router interface tool.