The answer is: No, but you’d be forgiven for having believed that was the case since a viral news story made the rounds earlier this week claiming it was so.
The story in question was published by a Swiss newspaper, Aargauer Zeitung, and claimed that three million electric toothbrushes had been tied into a botnet, which was then used by cybercriminals to carry out a financially damaging DDoS attack on a Swiss company’s website. The sources of the story were researchers from Fortinet, a well-known security company based in California.
This story, which sounded just crazy enough to be true, was subsequently recycled by numerous English-speaking outlets, including Tom’s Hardware, ZDNet, and others. There was a certain logic to it. Cybercriminals can be very creative when it comes to using smart hardware to build malicious networks; the Mirai cybercriminals notably used over 100,000 smart devices to build one of the most notorious botnets ever. Why not use a smart toothbrush or two?
The problem, however, is that not all smart devices are built alike. The toothbrush story unraveled after security experts on X began chiming in about the ridiculousness of this scenario. Some said that it was basically impossible, given that smart toothbrushes connect to Bluetooth, not the internet. A story from 404 Media cited skeptical security experts, who called into question the validity of the narrative.
Now, the story has been officially deemed false. According to Fortinet, the Swiss journalists who initially spread the story misinterpreted their researchers during an interview, which then caused U.S. outlets to uncritically pick up the false narrative and further circulate it. In a statement shared with ZDNet, Fortinet clarified that the toothbrush incident had not actually happened, and was more of a thought experiment than anything:
“To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”
Covering cybersecurity as a journalist can be tricky. Many stories are pitched as research by security companies, and those companies are incentivized to elaborate a bit in their research findings to get more attention for their business. Indeed, the Swiss newspaper at the center of the toothbrush drama has now come out and blamed Fortinet for falsely claiming that the story was real. The paper claims, in a statement posted to its website, that the excuse of a “translation error” is, itself, made up:
[Translated from German by Google Translate] What the Fortinet headquarters in California is now calling a “translation problem” sounded completely different during the research: Swiss Fortinet representatives described the toothbrush case as a real DDoS at a meeting that discussed current threats…
Fortinet provided specific details: information about how long the attack took down a Swiss company’s website; an order of magnitude of how great the damage was. Fortinet did not want to reveal which company it was out of consideration for its customers.
The text was submitted to Fortinet for verification before publication. The statement that this was a real case that really happened was not objected to.
Gizmodo reached out to Fortinet for more information on how this tall tale got so much circulation and will update our story if it responds.