@GossiTheDog Aw dang, thanks for sharing this. But the archive.is link doesn't actually let you read the story. It's obscured even in that form by other text.
@barubary This is why it's important to find the original report, not the breathless hot take on the breathless hot take on the [....] original report. @GossiTheDog@mttaggart
This news article claims this happened, but my guess is that what actually happened is this:
Journalists talks with guy from fortinet, fortinet guy explains how a bot net of 3 million devices took down a Swiss companies site, Journalists asks what devices, fortinet guy talks about different things (like smart home devices / iot) and mentions that even a smart toothbrush could be part of such a bot net.
@GossiTheDog@Euph0r14@mttaggart@barubary@serghei I tried doing some rudimentary german language searches for big DDoS attacks against Swiss companies and didn’t find something which would fit (would have certainly been in the news?)
Nothing mentioning 3 million devices.
I did find ddos attacks from ~2016 against Major Swiss online shopping sites, so maybe this could be meant? They went down for a few hours and could have done millions in damages.
@mttaggart It’s exactly one line that’s invisible there. You can see it by switching to reader view. It’s the sentence about the damage going into millions, nothing else.
@GossiTheDog oh man I fell for it. Thanks for the fact check.
Interesting though how easily lots of people got fooled on this one. One part of this is how gullible we all are (well, not you I guess), but the other part I think is that we came to expect this kind of stuff to happen in a world saturated with IoT devices.
@rysiek@GossiTheDog While we're at it... can we start curbing the toothbrush-shaped routers that are Mikrotik and their UDP based speedtests, please... :-| Those are like... 10g "unsolicited inbound UDP"-as-a-Service. -.-'
Fortigate haven’t replied to my PR question about it. Given this is several times the size of the world’s biggest botnet, you’d think they’d have any evidence.. at all.
"completely made up" makes me wonder if this is some AI journalism that escaped into the wild without fact checking. But Stefan Züger does seem to be a real person so maybe not?
(Thanks for being on top of this - honestly when I saw the story I wondered what toothbrush company was putting wifi into their toothbrushes instead of bluetooth. And why would they do that? Should have realized it was nonsense.)
@GossiTheDog can you comment on the “$25M transferred because of deepfake” story from earlier this week? Because that just screams out as being bullshit.
@GossiTheDog While I typically dont like the German/Swiss tradition of authorizing/proofreading quotes in articles (something nobody else does as far as I know), here it clearly paid off.
@GossiTheDog if the toothbrush itself uses bluetooth, couldn't the vendor have instead had this connect to the users phone over bluetooth and not shared the stats with any third party website?
oh, that's right, then they couldn't charge you a subscription fee (I have not looked if they do but money is on that they do)
@GossiTheDog this whole thing started with a reporter misunderstanding that toothbrushes was an ad absurdum example of anything internet connected. It’s sort of like being forced to test if, by giving Grandma wheels, she would become a cart.
Even if there were WiFi toothbrushes, would there be so many of them using connectivity to create a massive botnet? Probably not.
Das globale Management von Fortinet hat nun zurückgerudert mit seinem Statement, das an verschiedene internationale Medien gesendet wurde. Dieses auch an CH Media zu schicken, hat die Firma unterlassen. Auch sonst liegt uns bisher kein weiteres Statement von Fortinet vor.
"Fortinet's global management has now backtracked with its statement that was sent to various international media outlets. The company neglected to also send this to CH Media. We have not yet received any further statements from Fortinet."
@GossiTheDog The article(s) have been maming the rounds through Swiss media the past week where everyone copied everbody else. It looked like it was good engagement until its reach got too wide. ¯_(ツ)_/¯
@GossiTheDog ”or similar embedded devices”. IoT literally means embedded devices.
I hate how ”IoT” botnets are always just routers. Grumpyoldguyyellsatclouds.jpg
@GossiTheDog To be fair, the second paragraph states: “This example, which looks like a Hollywood scenario, really happened.”, so the original journalist already got it wrong… But funny, how a very small, local Swiss newspaper caused this.
@GossiTheDog The weird thing is that in this linked interview, the Fortinet exec claims this really happened to some swiss firm and caused milions in damage during the 4h outage (which also just doesn't pass the smell test)
@weddige@heretical_i@GossiTheDog I cited the original story as my source. I read it in the original German and it read to me as citing a real example, not a theoretical one.
@GossiTheDog The article says it’s true, I’m not sure what translating tools are outputting but I am german so I will translate a section:
(Rough translation from me:)
The electric toothbrush runs on Java, and without any warning or notice Criminals were able to install malware on it - just like 3 million other toothbrushes. One command is enough and at the exact same time the remote controlled Toothbrushes request the website from a Swiss company. The site collapses and is unresponsive for 4 hours. Causing damages in the millions.
An example that sounds like a Hollywood scene, but which really happened.
(German OG below)
Die elektrische Zahnbürste ist mit Java programmiert, und unbemerkt haben Kriminelle darauf eine Schadsoftware installiert - wie auf 3 Millionen anderen Zahnbursten auch. Ein Befehl genügt, und die ferngesteuerten Zahnbürsten rufen gleichzeitig die Website einer Schweizer Firma auf. Die Seite bricht zusammen und ist für vier Stunden lahm gelegt. Es entsteht ein Schaden in Millionenhöhe.
Das Beispiel, das wie ein Hollywood-Szenario daherkommt, hat sich wirklich so zugetragen.
Here is a Fortinet PDF for the Is my toothbrush really smart? presentation by Axelle Apvrille at Troopers in 2018. I suspect this information is what they are referencing in the article.
@monsieuricon@GossiTheDog And even if some toothbrushes had wifi, I guess very few would have them directly exposed to the internet so they could be hacked.
@rogers@monsieuricon@GossiTheDog the toothbrushes wouldn't need to be hackable from the internet. They need only be on the same LAN as a previously infected Windows PC, for example.
@hyc@rogers@monsieuricon@GossiTheDog That would suggest a) a related botnet of, let's say, one million PCs (spitballing average household size at ~3 people with a smart toothbrush per person), b) really, a much, much larger PC botnet because it's unlikely that even 1% of homes have this hypothetical brand of smart toothbrush, and c) that the additional volume of traffic from 3 million low-power devices is meaningful when you have a botnet with 100,000,000 PCs in it.
They'd make a good persistence vector tho; no one's going to suspect them and you'd never run an antivirus on them. Reminds me of back in my Atari ST days, I w̶r̶o̶saw a virus that resided in the keyboard microcontroller. It would survive a reset and reinstall itself on the first keypress / kbd interrupt.
Add comment