News Three million malware-infected smart toothbrushes used in Swiss DDoS attacks — botnet causes millions of euros in damages

[Admin]

Around three million smart toothbrushes have been infected by hackers and enslaved into botnets. They caused millions of Euros in damages for a Swiss company, according to a newspaper report.

Three million malware-infected smart toothbrushes used in Swiss DDoS attacks — botnet causes millions of euros in damages : Read more

 

[PEnns]

Somebody remind please, again: Why does something like a toothbrush need to be connected??

People are really asking for trouble with this kind of "let's connect everything...because it's so cool"!

 

[peachpuff]

Somebody remind please, again: Why does something like toothbrush need to be connected??

People are really asking for trouble with this kind of "let's connect everything...because it's so cool"!

To get on the toothbrush leader board... duh.

 

[Phaaze88]

'Smart' toothbrushes... holy crap, humanity.
Insert that saying about, 'because we can, doesn't mean we should'.

Replace the word smart with dumb.

 

[chaz_music]

In general if the product name has "smart" as part of its description, you should be very wary.

The amount of engineering effort needed to make IoT devices truly secure on the Internet is substantial, and many times the engineering team is rather green and not knowing what they don't know. Add to this that many companies will outsource their product development to design groups only based upon cost of the project, you end up with catastrophes like this story. Even larger companies like HP have had problems with IoT printers and they had to go through growing pains to get the security right, with lots and lots of reuse of code, checks, etc. And most design teams are only cost focused, and don't want to add the cost of using more mature RF/networking products with the included code stacks such as by TI, Laird, Qualcomm, NXP, etc.

So far, I have read about or myself found compromised devices in nearly all market areas: garage door openers, refrigerator, printers (why have Internet printing??!), smart doorbell cameras with off site recording, inexpensive network switches, smart LED lights (often color changing types), cars, RVs, phones (my goodness, that just makes you want to say damnit!), and now toothbrushes. And the hacked system vector is not always WiFi, as there are many other RF systems with another popular one to goof up being Bluetooth. The first automotive Bluetooth systems could be easily compromised, with one car type being used in a proof of concept in which the car was controlled by a passing car and the brakes were locked up while the car was traveling at highway speeds, triggering the anti lock brakes. And think about the Hyundai and Kia vehicles that can easily be stolen with a USB device. Same stuff.

One of my biggest scare was not even with an RF based device but instead an Ethernet connected SCADA device from many years ago. It had a huge installed base, and it was sending data back on forth through the network using ... ASCII. Yep. And it was SCADA. Used in power plants, substations, transformers, generators, ...

So the culprits are:
1. Businesses only counting R&D and BOM costs, with virtually no consequence for poor security quality.
2. Complacent and less knowledgeable engineers who are completely in charge of making serious decisions about cost vs. security.
3. Designing IoT tech into devices and leaving the update complexity up to the user. In my opinion, the user should never be required to be in the technology loop to make their devices safe. This is not the same as when it is used based upon common knowledge (driving a car, drinking hot coffee).

The expected long term fix for industrialized nations is going to be more safety agency regulations, So think of UL in the US and CE/IEC in Europe. These protect the consumer from poorly designed products, but these always add cost (no free lunch). I hate going in that direction because it will cause many clever products to go away, and others to never come to market.

 

[Murissokah]

Not trying to pick on Java, but why do you need Java on a toothbrush?

 

[Giroro]

Not trying to pick on Java, but why do you need Java on a toothbrush?

That ones easy: Because it's cheaper to have first-year computer scientists ridiculously overbuild the system with off the shelf demo code than to hire electronics engineers who know how to write efficient firmware.
The toothbrush probably has (and maybe needs) a multi-core ARM CPU as well, because you can just pass that extra $1 in hardware costs off to the customer in the $300+ asking price I know Philips/Oral-B charges for the smart version of a toothbrush with near identical brushing performance to the $30 non-smart version.

 

[newtechldtech]

Somebody remind please, again: Why does something like toothbrush need to be connected??

People are really asking for trouble with this kind of "let's connect everything...because it's so cool"!

to sell them expensive 10 times the cost. it is all abut the $ and fooling the masses

 

[Giroro]

I sort-of understand how a marketing executive could want the company to sell a Bluetooth toothbrush.
App tracking enabling access to a customer's sellable information, a branded billboard app icon on the users phone, etc etc. All the usual reasons to have an app. You can sell it to customers as having a fancy timer or whatever. I kinda get it.

But why in the world would they pay engineers to enable wifi in the thing? It's probably built into their SoC, but like this has to be enabled by accident, right?
This is some kind of backdoor thing?
What's the selling point, revenue stream, or perceived value to the customer? You already have all you can get from Bluetooth, so why spend money on dev time to add in menus and get the wifi working?

 

[voodoochicken]

Watch out for those IoT Swiss Army Knives

 

[evdjj3j]

Smart toothbrushes for dumb people.

 

[USAFRet]

But why in the world would they pay engineers to enable wifi in the thing? It's probably built into their SoC, but like this has to be enabled by accident, right?

1. It costs nothing for BT + WiFi vs just BT

2. The code library used for this connection is almost certainly copied from elsewhere, not written and verified inhouse.

 

[35below0]

Somebody remind please, again: Why does something like toothbrush need to be connected??

People are really asking for trouble with this kind of "let's connect everything...because it's so cool"!

Because if our product doesn't have the latest gimmick, or only has 3, it will not sell as well as our competitor's who list 5.

That's why everything has to have internet in it. Enough people will buy into it, and that means greater sales. Even when the feature is really dumb, and people eventually realize it's stupid and get off the bandwagon, it still pays off to include it.

Like Dara Ó Briain quipped: "We're up to seven! blades on our razors now."
Never mind what the seventh does. It outsells the six-blade one. lol

 

[USAFRet]

 

[Alvar "Miles" Udell]

I don't know what's more surprising: Java based OS, or the fact they sold THREE MILLION of these things.

But seriously, given the number IoT devices and the fact that they can do real damage if they're activated en masse like this, it shows how long past time it is for the US and EU to require the use of one open source, secured OS for all IoT devices, because as it stands they're about as big of a national security risk as the War Thunder forums.

 

[USAFRet]

it shows how long past time it is for the US and EU to require the use of one open source, secured OS for all IoT devices, because as it stands they're about as big of a national security risk as the War Thunder forums.

No.

The needs for a toothbrush are different than a door lock, which are different than a security camera.

One OS To Rule Them All would result in the same crap we have now, where there are things that are not needed for Device A vs Device B.

Lazy devs and proj managers would just grab the whole stack. Exactly as it is now.

 

[DavidLejdar]

"...to keep their devices, firmware, and software updated; monitor their networks for suspicious activity; install and use security software; and follow network security best practices."

Well, yeah... but most users are probably overwhelmed with a lot of the mentioned. And in this case, the updates could have been the problem, couldn't they? I mean, likely that the connectivity design is one of those, where the device uses a Wifi network (or app connection) to call home, isn't it? And how to efficiently command 3 million toothbrushes, if not through their server, possibly in a form of an automatic update?

 

[hotaru251]

...again...why are we making stuff "smart" that should stay dumb?

Its not hard to brush your teeth.

 

[DavidC1]

@chaz_music Considering significant amount of spying is done by the government and is aimed at it's citizens, more regulation will make it worse.

They sell these things in the name of having an app installed in the Smartphone to track your brushing habits and send suggestions to improve them, or something. I have a Sonicare, but I don't care for the "Smart" stuff, and that way it costs me a lot less.

It takes you 10 mins of research to find out how to brush and use your toothbrush properly. And then all you need is to develop it as a habit, no need for a "Smart" device to remind you.

In reality like @Giroro suggested, at best it sells your data, and at worst further profiles you for future purposes.

There are lot of people who have more money than they should. So whether it's $100 or $300 doesn't matter to them.

 

[wbfox]

...again...why are we making stuff "smart" that should stay dumb?

Its not hard to brush your teeth.

What about the app that tells me where my teeth are? I need a navigational aid!

 

[hotaru251]

I need a navigational aid!

step 1: look into bathroom mirror
step 2: see your teeth
step 3: congrats!

 

[eldakka1]

The source report says this sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company’s website. The firm’s site collapsed under the strain of the attack, reportedly resulting in the loss of millions of Euros of business.

... and gaining excellent dental health for the company.

 

[nameless0ne]

This story was posted on reputable sites but it does not pass the smell test. The original story came from a German source and it seemingly contains even more dubious claims. But even this Toms story seems improbable. An Internet connected toothbrush seems overkill and I've never heard of one. It would be very big and too expensive to sell 3M units. "Smart" toothbrushes are at best bluetooth connected that have dedicated apps.

 

[USAFRet]

This story was posted on reputable sites but it does not pass the smell test. The original story came from a German source and it seemingly contains even more dubious claims. But even this Toms story seems improbable. An Internet connected toothbrush seems overkill and I've never heard of one. It would be very big and too expensive to sell 3M units. "Smart" toothbrushes are at best bluetooth connected that have dedicated apps.

https://www.amazon.com/Oral-B-Replenishment-Electric-Toothbrush-Brushing/dp/B0831JZBL4

$99
"Oral-B Guide is like a fitness tracker, for your mouth, and is Wi-Fi and Bluetooth enabled – download the Oral-B Connect app for personalized brushing insights and to track your oral health progress overtime "

Its not so much that the toothbrush is "connected to the internet", but rather it is connected to the app (or charging station), which IS connected to the internet.

 

[Colif]

I wonder if app tracks wear and starts suggesting a new toothbrush when its worn out. That would likely be real reason the app exists.

Why is everything smart these days... they made by dumb humans who aren't perfect and don't see the problems they make.

Shame its only those who understand tech that don't want smart everything.