Millions of smart toothbrushes were reportedly used in a DDoS attack, leading to losses amounting to millions of Euros for an unnamed Switzerland-based company. While the cybersecurity community is skeptical, it brings the risks of internet-facing IoT devices to the fore and begs the question: are IoT devices security-wise ready to be connected to the internet?
As many as three million smart toothbrushes were reportedly converted into a massive botnet to carry out a distributed denial of service (DDoS) attack against a Swiss company. According to Aargauer Zeitung, the cyberattack took down the company’s website for several hours.
One wouldn’t be too far off if they think the peculiar incident is the work of a TV writer, given it reminds people of the episode of a popular TV show based in Silicon Valley wherein one of the characters accidentally uploads their company’s product library onto smart refrigerators in a stroke of luck. Except the characters are protagonists of the show.
In real life, however, threat actors supposedly could maliciously use the internet-facing toothbrushes to disrupt services, cause a downtime of five hours and incur losses of millions of Euros.
As with Internet of Things (IoT) devices, smart toothbrushes were reportedly based on Java and connected to the internet, which probably served as an entry point for malware. “Every device that is connected to the Internet is a potential target – or can be misused for an attack,” said Stefan Zuger, Fortinet (Swiss office) director of system engineering.
The victim company remains unnamed, as do technical details, i.e., whether the toothbrushes were connected via Wi-Fi or Bluetooth (which is typically the case).
See More: ChatGPT Leaks Sensitive User Data, OpenAI Suspects Hack
However, security researcher Kevin Beaumont has refuted the smart toothbrush-driven attack, going so far as to call it “bogus.” Understandable, given the limited details at hand makes it hard to believe.
Here are some of the details missing:
In any case, IoT devices can present disruptive, privacy and systemic risks. As Hexnode founder and CEO Apu Pavithran noted in a thought piece for Spiceworks, “The IoT landscape has expanded significantly from smart homes and medical devices to industrial systems and transportation networks. Unfortunately, many of these devices were developed with a primary focus on functionality and cost-efficiency, often overlooking robust cybersecurity measures.”
The number of connected IoT devices is expected to surge to 34.4 billion by 2032, according to Transforma Insights. So, it is imperative that organizations take the appropriate cybersecurity measures in IoT devices. European Cyber Resilience Act, the United States’ National Cybersecurity Strategy, and NATO’s Defense Innovation Accelerator for the North Atlantic are some regulatory measures seeking to plug the privacy and security holes in IoT devices.
How can organizations proceed with IoT security? Share with us on LinkedIn, X (Twitter), or Facebook. We’d love to hear from you!
Image source: Shutterstock
Asst. Editor, Spiceworks Ziff Davis
About The Author
More Stories
Anatomy of a Scam
Climate and Environmental Sustainability Within the IETF and IRTF
From Commitments to Practice: Internet Society’s Priorities for WSIS+20 Implementation