
3 million smart toothbrushes have reportedly been hijacked by hackers and turned into a botnet in a bizarre distributed denial of service (DDoS) attack that took down a Swiss company’s website for several hours. 

According to a report by the Swiss newspaper Aargauer Zeitung, hackers compromised the toothbrushes and used them to flood the company’s website with bogus traffic, overwhelming its capacity.

While no particular brands were mentioned in the report, the compromised toothbrushes were reportedly running Java, a popular language for Internet of Things (IoT) devices. Once infected, this global network of malicious toothbrushes launched its attack. 

Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits. But after a malware infection, this connectivity could be used to turn the toothbrushes into botnet weapons and flood a company’s network with false traffic. 

Botnet in the bathroom 

While details are still emerging, the incident serves as a stark reminder of the ever-expanding threat landscape as the IoT becomes increasingly embedded in our daily lives. 

"Smart" devices like toothbrushes have been on the market for over 10 years, and older models that no longer receive firmware updates are rarely monitored or patched. If attackers can take control of a large enough network of them, the aggregate traffic can still overwhelm defences built for today’s threats. 

Stefan Zuger, director of system engineering in the Swiss office at Fortinet, said, "Every device that is connected to the Internet is a potential target – or can be misused for an attack."

For years, experts have questioned the feasibility of using Bluetooth-based toothbrushes for a large-scale DDoS attack, because of their limited bandwidth and connectivity range.

As James Clapper, former US Director of National Intelligence, told ZDNet in 2016: "Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US government systems."

Smart devices that once seemed harmless and disconnected from the digital ecosystem are now potential entry points for cybercriminals. The implications are vast, not only for individual privacy and security but also for national infrastructure and economic stability.

Did the Toothbrush botnet attack really happen?

Despite initial reports, no major cybersecurity news outlets or security firms have confirmed the attack. The original Swiss report lacks crucial details like specific toothbrush brands, attack methods, and victim information, making it impossible to verify.

Experts also question the ability of smart toothbrushes, typically using Bluetooth Low Energy (BLE) with limited internet capabilities, to generate enough traffic for a large-scale DDoS attack.

Kevin Beaumont, a highly respected cybersecurity veteran known as GossiTheDog online, was quick to say the story wasn’t true after the first reports came out. Others, such as Robert Graham (ErrataRob on Twitter/X), also questioned the legitimacy of the original report. 

Image: the original headline posted by Aargauer Zeitung, translated into English.

Most smart toothbrushes connect over Bluetooth Low Energy rather than WiFi, although some do have that capability. A BLE-only device has no direct route to the internet; any traffic it sends has to be relayed by a paired phone or hub, which makes it a poor DDoS source. Whether three million of them could have been compromised and coordinated by hackers is therefore highly debatable.

Without firm evidence, it appears that this may be a case of a cyber incident that has simply been lost in translation or exaggerated. 

Still, the significance of the risk is clear. Millions of people around the world are living in homes filled with insecure IoT devices, and the implications could be catastrophic if hackers get their hands on them.