The quick rundown of Bleepingcomputer’s questioning article: This originates from the news site Aargauer Zeitung, quoting an employee at Fortinet. Fortinet has never published details of said attack, no attacker brand or victim name mentioned. BC theorizes that the story editor was talking to someone at Fortinet and they were giving an example and the whole thing got lost in translation. Sounds reasonable. The source article appears to be behind a paywall, so this means people start repeating what other people have reported.
Doing my own research on this I tried to find a Wi-Fi connected toothbrush and failed, turned to AI and it claims this:
I don’t really believe AI at first glance, or even just one AI, but all I tried, everything I could find was Bluetooth and both Bard and Bing are coming up Bluetooth only. Bing’s Copilot could only find CNET talking about the Toothbrush DDOS attack although it did hallucinate a bit and tell me that a Bluetooth only product was Wi-Fi until questioned when it essentially said “oops, my bad.”
So, for this DDOS attack to happen we need to locate a Wi-Fi connected toothbrush… just because I can’t find one using Amazon, two AIs, etc doesn’t mean it isn’t there. For example there could be a Bluetooth toothbrush that connects to a BT gateway and goes out to the net… but that seems unlikely. BT toothbrushes talk to phones, phones phone in to servers that store your data for when the AI rises up to brush us all away.
Next this Wi-Fi connected toothbrush has to have sold over three million devices. Given that the population of this planet is what 8 billion now this means at least one in 2,666 people out there have this toothbrush. Low number, but high enough you would think you’d have some blog traffic and I’m pretty sure I would have received a press release announcing The World’s First Wi-Fi Connected Toothbrush With AI and FDA Approved… or some such in my daily deluge of emails.
I do not doubt the attack vector. IoT devices are notoriously not safe. However, to get to these devices a hacker has to get into your network (possible, yes) and then locate the device while it’s on, attack while it’s on, and then get out. This attack is much more suited for smart bulbs, voice assistants, anything that’s online all the time because you’ve usually got a window of time to get in, plant the seed, and get out.
A hacker sitting in your router for 24 hours waiting for you to brush your teeth and that one device to fire off a short data packet isn’t a good target… it’s the bulb that’s running some stripped down Linux you got for $8.99 on Amazon that never has had an update and checks in every five seconds to a server on the internet.
However, this is an opinion piece and negated if you can find a Wi-Fi (not Bluetooth) Toothbrush that’s sold over 3 million units let me know.
The closest I found was an Oral B product with an Alexa base, in which case the screaming “ALEXA HACKED!!!” should have been resounding throughout the internet.
I’m going to agree, not that you care what I opine, with Bleeping Computer and say that with the lack of details and the lack of a Toothbrush containing Wi-Fi, if it did happen it was a base unit containing Alexa that was breached. Those would be always on, might be considered part of the toothbrush…
But, maybe I’m wrong.