By BECKY RUTHERFORD
Los Alamos
For the Los Alamos Daily Post
Who knew the internet might contain false information?? Lessons learned last week after false reports that 3 million smart toothbrushes were compromised and used in a DDoS attack went viral!
The story of 3 million “hacked” smart toothbrushes used in a DDoS attack quickly went viral last week, only to be proven false.
What is a DDoS attack? DDoS Attack stands for “Distributed Denial-of-Service (DDoS) Attack” and it is a cyber attack in which the attacker floods a server with internet traffic to stop users from accessing online services and sites.
Botnets are the primary way DDoS attacks are carried out. The attacker will compromise computers or other devices and install a malicious piece of code, or malware, called a bot.
These infected computers form a network called a botnet. The attacker then instructs the botnet to overwhelm the victim’s servers and devices with more connection requests than they can handle. Botnets can be made of anything, from servers to … smart IoT (Internet of Things) connected smart toothbrushes!

So when the story of 3 million smart toothbrushes being used to form a botnet to DDoS a Swiss site last week went viral, you can imagine people were very interested. Circulating news stories all seemed to lack specifics, and I found out about this through a meme on social media. That’s how it goes!
The story originated from Fortinet (a cybersecurity company) appearing to attribute a cyber attack against a Swiss organization to a 3 million strong botnet built on smart toothbrushes. After some investigation with the company, it appears to have been a case of “lost in translation” with a German language article describing a possible attack, not an attack that had actually happened. It is still unclear how this confusion happened, but Fortinet claims it was meant to be an example of a possible attack, not an actual attack that had happened to one of their clients.
Most smart toothbrushes are Bluetooth rather than Wi-Fi so it is unlikely that 3 million could be compromised and used in such an attack.
The attack theory is certainly valid, and it is possible that a Wi-Fi enabled smart device (my smart crockpot for example) could be compromised and used to form a botnet and execute DDoS attacks.
Key takeaways from this…do you really need everything to be “smart” and connected to the internet? A smart TV is certainly useful, a smart coffee pot, washer, etc. is likely less so. By accumulating smart, internet connected devices, keep in mind that you are increasing your attack surface.
How can you protect your smart devices from attack?
- Keep your smart devices updated just like you would any other internet connected device. Software updates help to protect you from cyber attacks.
- Use strong passwords for all accounts, and don’t reuse them! If you reuse a password, you are leaving your other accounts using that password open to attack if the password is compromised.
- Use MFA (multi-factor authentication) on any accounts where it is offered. Physical keys (Yubikey, etc.), apps, or sms based MFA methods are all effective.
- Factory reset any old devices before getting rid of them.
- Check your routers, make sure you are not using the default password, and that you are using MFA if offered. Make sure you are updating your routers to protect them from vulnerabilities.
So as it turns out, 3 million smart toothbrushes were not hacked, and everything you read on the internet is, in fact, not true! But … it certainly could happen, so make sure you are protecting any smart devices you have, and keep in mind that everything you own doesn’t have to be smart. Sometimes dumb is better!


































