I have no idea why https://cyberplace.social/@GossiTheDog/111886558855943676 doesn't lead to that later post in the thread. Is there a way to guarantee that readers get the entire thread in these things? If people can only see the start, that's not much better than what Twitter does.
676 (original post) does lead to 733 (screenshot of clarification) but the latter is about the sixth reply down the list. Both links guarantee readers see the entire thread, but they would have to know that they need to scroll for additional context.
First reply is from the OP, and the visual "thread" (vertical line) on the left side is broken. Click on that reply ("The toothbrush thing has gone viral despite it being total bollocks.").
Now again scroll down through posts by the OP until the "thread" on the left side breaks. Click on that last reply ("Fortinet also declined to comment to me.").
Finally, the target post appears as a reply to that ("Fortigate have issued me a statement.")
Navigational issue. One might ask what is the difference between the follow-ups that show up automatically and the ones that don't show up until you navigate. I don't know.
>Was nun von der Fortinet-Zentrale in Kalifornien als «Übersetzungsproblem» bezeichnet wird, hat sich bei den Recherchen noch ganz anders angehört: Schweizer Fortinet-Vertreter haben bei einem Gesprächstermin, bei dem es um aktuelle Bedrohungslagen ging, den Zahnbürsten-Fall als reale DDoS-Attacke geschildert.
Translation:
>What the Fortinet headquarters in California is now describing as a "translation problem" sounded very different during the research: Swiss Fortinet representatives described the toothbrush case as a real DDoS attack during a meeting to discuss current threat situations.
And
>Der Text wurde Fortinet vor der Publikation zur Verifizierung vorgelegt. Der Satz, wonach es sich um einen realen Fall handle, der sich wirklich so zugetragen hat, wurde nicht beanstandet.
>The text was submitted to Fortinet for verification before publication. The sentence stating that this was a real case that actually happened was not objected to.
Truth seems not to be part of their business model
1) You can have translation errors between people within a company.
2) Just because it was submitted for verification prior to publication doesn't mean that it was read, or read thoroughly. Or heck, maybe it was read by the very employees who mistakenly thought it was real. Plausible if it was, as indicated in your comment, a German article.
3) Violating a software license has nothing to do with "truth", but lawfulness. These would probably be highly correlated traits in many individuals, but they certainly don't have to be.
The linked archived article says quite specifically that while the example sounds like a Hollywood story it really did happen.
I don’t doubt that the article is wrong or they misunderstood their source though, since it’s just a random local news article about the dangers of ‘cybercrime’ which was apparently used as a source by these larger publications.
This fake story is propagated in anticipation of significant changes coming into effect in Europe this year wrt the E.U. "Cybersecurity Act" and "Cyber Resilience Act" which specifically targets IoT device security. In the US you will have "Cybersecurity Improvement Act" with serious consequences for non-compliant devices under EO 14028. Expect more "March of the Killer Toothbrushes" stories soon.
Many relevant goals of the IoT Cybersecurity Improvement Act of 2020 [1] have already been implemented. Executive Order E.O. 14028 of May 12, 2021 "Improving the Nation's Cybersecurity" is substantially similar in requirements. NIST in particular got called out for work and already implemented "IoT Cybersecurity Guidance" [2]. Mostly part of "Trustworthy Network of Things". [3] Also [4].
I wish we had a longer form discussion framework, as I'd be curious to know what USians think of how this is going - but anyway thanks very much for those useful links on how it's working stateside.
Either replying here works, or profile has a fairly simple to solve contact if you really want to ask me those questions.
Tend to fairly regularly check comments from at least the last week to see if anybody responded.
Notably, while following the situation, and knowing a bit about the IoT world, not deeply involved in microcontrollers or IoT design. Mostly aerospace personally. Some experience with Wifi and Bluetooth development for Windows and Android, with a bit of Arduino, yet that's the perspective for discussion / questions.
Can refer you to a few NIST folks and some NIST mailing lists.
The point of linking to that article is that it's not plausible that a 3-million-device botnet attack would be first reported as a one-paragraph example at the beginning of a general cybersecurity article in a regional German publication.
The translation is correct regarding the article's claim of the story's legitimacy.
To expand on the initial dramatized story:
> It stands in the bathroom at home, yet it is part of a large-scale cyberattack. The electric toothbrush is programmed in Java, and unnoticed, criminals have installed malware on it, as on 3 million other toothbrushes. One command is enough, and the remote-controlled toothbrushes simultaneously call up the website of a Swiss company. The site collapses and is paralysed for four hours. The damage runs into the millions.
The article claims that an electric toothbrush with Java-based software was the target of malware. Criminals then leveraged this malware to execute a DDoS from the toothbrushes against the website of a Swiss business.
The article further claims this led to a downtime of around five hours with expected damages in the millions.
>The article claims that an electric toothbrush with Java-based software was the target of malware
The chef's kiss moment of this story would be that it was Log4J vuln that was unable to be patched because why would they make updates to a toothbrush. I'm guessing that would complete somebody's bingo card.
Who had DDoS attack, Botnet, IoT Device, Java, Log4J?
Yes. Or we would end up comparing multiple news stories, presumably at least partly fact-checked (but you never know these days), against a single post on a random social network.
Proof? This is just some random person claiming it's not true but they link to an article which explicitly states that it is in fact true. Am I missing something?
Kevin Beaumont is not exactly a random person in this instance, he's a pretty experienced writer on cybersecurity.
He elaborates farther down the thread:
> A botnet of 3 million toothbrushes would be twice the size of Mirai's various botnets put together, and a MAJOR infosec event. The person they were interviewing has only worked there about a year, and Fortigate staff don't appear to know about this botnet.
Edit to add:
Imagine you read on TechMeme that room-temperature superconductors are now confirmed to exist. But when you trace the story back, the original citation is an article in the Tucson Regional Business Journal about how scientific research benefits innovation. Would you think "wow, big scoop for the TRBJ!" Or something more like, "I bet that business reporter misunderstood something they heard."
Or, similarly, the letter to the editor in NEJM which caused decades of mistrust of MSG -- and which, depending on who you listen to, might or might not have been a deliberate hoax.
I believe the Mastodon OP mistranslated the German article, which states:
> Das Beispiel, das wie ein Hollywood-Szenario daherkommt, hat sich wirklich so zugetragen.
Correct translation:
> This example, which seems like a Hollywood scenario, actually happened.
But as you can see, if you miss the last part, it's easy to get the translation wrong.
(Interestingly, the Swiss article doesn't directly quote Fortinet as a source, but as an expert opinion. Maybe something was lost in translation there when the story went viral?)
I use a couple of TP-Link smart power plugs and one of them occasionally wants to access the internet to get the time from an NTP server. Since I block all their internet access this one goes crazy and brings my DNS server (custom written in Python) to a halt. Just blocking him in the firewall of the AP would probably also not make him behave and he'd still pollute the RF spectrum. Happens rarely, though. Kicking him off of the WiFi and letting him reconnect makes him behave again.
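As an added illustration (not code from any commenter, and not the poster's own DNS server), here is the kind of per-client rate limit a small home resolver can apply so that one device retrying a blocked lookup without back-off cannot take the whole server down. The sliding-window limiter is keyed by source address; the per-client drop counts double as a detection signal for which device needs a firewall rule or a closer look. The traffic, the hostnames and the addresses are constructed for the example.

```python
"""Per-client DNS query rate limiting with a sliding window (added example)."""
from collections import defaultdict, deque

# Constructed sample traffic, not captured data: (time_ms, client_ip, qname).
# 192.168.1.50 plays a smart plug whose NTP-host lookups never get a usable
# answer, so it retries every 10 ms for three seconds.  192.168.1.10 plays a
# laptop browsing normally (one lookup every 0.7 s).
SAMPLE_QUERIES = [(i * 10, "192.168.1.50", "pool.ntp.org") for i in range(300)]
SAMPLE_QUERIES += [
    (500 + i * 700, "192.168.1.10", name)
    for i, name in enumerate(["example.com", "news.example", "cdn.example", "mail.example"])
]


class SlidingWindowLimiter:
    """Allow at most `max_queries` per client within any `window_ms` span."""

    def __init__(self, max_queries: int, window_ms: int) -> None:
        self.max_queries = max_queries
        self.window_ms = window_ms
        self._history: dict = defaultdict(deque)  # client -> timestamps (ms)

    def allow(self, client: str, now_ms: int) -> bool:
        """True if the query should be answered, False if it should be dropped."""
        history = self._history[client]
        # Forget timestamps that have fallen out of the window.
        while history and now_ms - history[0] >= self.window_ms:
            history.popleft()
        if len(history) >= self.max_queries:
            return False  # over budget: drop silently, no response, no parsing work
        history.append(now_ms)
        return True


def apply_limit(queries, max_queries: int = 50, window_ms: int = 1000) -> dict:
    """Replay a query log through the limiter; return per-client answered/dropped counts."""
    limiter = SlidingWindowLimiter(max_queries, window_ms)
    stats = defaultdict(lambda: {"answered": 0, "dropped": 0})
    for time_ms, client, _qname in sorted(queries):
        key = "answered" if limiter.allow(client, time_ms) else "dropped"
        stats[client][key] += 1
    return dict(stats)


def flag_chatty_clients(stats: dict, drop_ratio: float = 0.2) -> list:
    """Clients whose dropped share exceeds `drop_ratio`: candidates for a firewall rule."""
    flagged = []
    for client, counts in sorted(stats.items()):
        total = counts["answered"] + counts["dropped"]
        if total and counts["dropped"] / total > drop_ratio:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    result = apply_limit(SAMPLE_QUERIES)
    for client, counts in sorted(result.items()):
        print(f"{client}: answered={counts['answered']} dropped={counts['dropped']}")
    print("chatty clients:", flag_chatty_clients(result))
```

With a budget of 50 queries per second the plug gets 50 answers in each second and loses the other 250 of its 300, while the laptop's four lookups all go through. In a real UDP server the `allow()` check belongs before the packet is parsed, and the over-budget queries are dropped rather than answered with REFUSED, so the burst never reaches the parser and never earns a reply that would only prompt the next retry.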
Funnily enough that happens also when you run the original article through Google translate:
> She's in the bathroom at home, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes.
(In German, toothbrushes are female, like all brushes.)
If he were a good boy, he would listen to what is told to him by the DHCP server and use the local NTP server instead (not only is it closer but it's also fed by PPS-accurate GPS data).
I was wondering because the toothbrushes I know use BT(LE) and aren't connected to the Internet.
However, some light bulbs do have WiFi and sure one day could be exploited. And there are definitely more light bulbs than toothbrushes around here.
Because I started thinking about which device (nuke vs. lead bullet) was more capable of delivering computational malware, as that would lend itself to more entertaining pun.
But I eventually decided that wasn't a fruitful vein of humour, so I pared it back to mere mention of the weapon.
I.e., even though I no longer had a reason to prefer the bomber over the pistol for the pun, I stayed with it out of mere joke-planning inertia.
Why mention just one or the other in my original comment?
Well, because, as you probably know, brevity is the soul of wit.
You're not thinking like a modern *aaS company. I'm waiting for subscription-based pacemakers. $9.95/mo for up to 60 beats per minute or $19.95 for unlimited heartbeats. Sign up for a year now and get an additional 3 months free :)
"We hope this message finds you with your beats still strong and rhythmic. It is with a heavy heart (pun fully intended) that we, at PulsarTech, your trusted provider of the world's first Internet-connected pacemaker, announce the discontinuation of our heartbeat-as-a-service (HaaS) platform. Yes, it’s time to say goodbye to those sweet, life-sustaining firmware updates and cloud-synced palpitations."
I'm hoping that in this hypothetical there is an OpenHeart group that shared software and build scripts for self-hosting the heartbeat cadence functionality.
Here's the link to the actual article instead of someone's social media post that contains a screenshot that contains an unclickable link to the article:
Disclaimer:
Maybe the image is clickable or there's a clickable link in the social media post for most people, but because Mastodon doesn't show posts without JavaScript enabled I can only ever see whatever shows up in the RSS feed.
This is not the original article, it's just an article taking up and spreading the claim. The original article[1] they linked is from a German newspaper in Switzerland, predating the article from tomshardware.com by a whole week.
While part of me wishes the story were true, as it’s just hilarious thinking about _a toothbrush_ carrying out someone else’s ill will, I am glad it’s not.
Your credit / debit card (and probably your SIM card) run Java[1]. So did most cellphones from the early 2000s[2]. I can believe that some IoT devices run chips more powerful than your average phone from 20 years ago.
JavaCard has actually lost a lot of its popularity for ICC applications like credit cards and SIMs. It's hard to get good numbers from the industry, which tends towards secretive, but these days SELP and MULTOS seem more popular.
Of course the availability of multiple OS for these devices reinforces the idea that you can run a lot of things on some very low power devices these days.
At the same time, it's important to understand that JavaCard is a very constrained version of Java. Most JavaCard platforms have no support for IP networking, which would make it an unlikely source of DDoS (besides the fact that it requires relatively specialized developer tooling).
> Most JavaCard platforms have no support for IP networking, which would make it an unlikely source of DDoS
I'm not claiming that you could use a smart card for DDoS (the idea seems absurd, but somebody is probably going to prove me wrong one of these days), merely that if some version of Java runs on a smartcard, I don't find it that unimaginable for a toothbrush to have a good enough chip to run Java, perhaps with enough resources for a TCP / IP stack. Something equivalent in performance to an old, WAP-capable phone that also ran Java ME, perhaps.
You can, today, buy ARM chips with support for executing simple Java bytecode directly. The Jazelle[0] architecture is primarily intended to accelerate JVMs[1] and is still found on some devices. There were also some other initiatives around embedded devices in the past to get Java running on smart cards and more.
AFAIK that's because granting access to bluetooth potentially allows the app to track your location (via bluetooth beacons). As a result both iOS and Android show the location warning just in case the app wants to do something malicious. Just because you see the warning doesn't mean the app is trying to ship your location to China.
On iPhone, bluetooth is presented to the user as a location check. Big data companies will if you're near your toothbrush then you're at home. And they can figure out where "home" is by other tracking methods.
>Big data companies will if you're near your toothbrush then you're at home. And they can figure out where "home" is by other tracking methods.
You don't need bluetooth to do that. By keeping track of your public/private ip (which requires no special permissions), and correlating it to time of day, it's fairly easy to infer whether you're home or not. If there's a network you're regularly connected to during the evening and weekends, it's highly probable that you're "home".
Things like this combined with AI are the scariest version of the future, I think. If we ask a very capable AI to solve climate change, what if it decides to solve it by creating something like Stuxnet for human infrastructure?
Peter Watts' novel Starfish, a stunning quarter century old now, has exactly that problem as part of its side plot. In a chilling detail relevant to today, it posits a black-box trainable neural network (biological in the book but an irrelevant difference overall) tasked with solving some of the big issues, which makes subtle links and determinations in the model which eventually end up potentially disastrous for humankind.
3M (the Minnesota Mining and Manufacturing Company) makes many products but toothbrushes are not among them. However they are well equipped to satisfy all your PFOA and PFAS needs forever.
This viewpoint seems short-sighted. In the 1940s and 1950s, if somebody were skeptical of lead, you could've replied "Do you paint your home? Get your water from pipes in your house? What about having gas in your car?"
One wears a lead vest when getting x-rays at the hospital or as protective equipment when operating on nuclear reactors.
Moving beyond eating lead doesn't mean not using it intelligently when the risk profile is low. Also, lead-based glass is an important component of the world's high-efficiency perovskite solar cells.
Many industrial product materials we wouldn't want to eat; this just means we have to be better about recycling.
Not sure why x-rays are still being used when there appear to be better and safer alternatives... Especially at the dentist where an inexperienced person shoots them at your head... Thank God they cover your chest with lead though....
> Not sure why x-rays are still being used when there appears to be better and safer alternatives
It all has to do with how medical billing is structured. X-rays were already cheap before the current model was put in place so they are the go-to method for diagnostics. Even though there are better ubiquitous options available, price fixing keeps those out of reach for triage and simple diagnostics.
> 'PFAS bad' is about as sophisticated a viewpoint as 'nuclear bad'.
Is PFAS denialism going to be as bad as climate change denialism is today, or tobacco disease denialism used to be? I'm tired of all these people refusing to acknowledge widespread scientific consensus. (Assuming you're not a 3M or DuPont astroturfer, of course.)
I really don't think even 1 million toothbrushes exist that have any IP connectivity at all, let alone three million all being pwned. I would assume that if anyone had sold that many Wi-fi models, one of the big manufacturers would have some, and as far as I'm aware, none do, they all use Bluetooth. Not sure I buy that a Bluetooth toothbrush can DDoS a website.
I mean in retrospect, I can imagine it would be almost impossible to find all those toothbrushes and hack them remotely, unless they were all connected to a central server that would have been hijacked, so yeah.
[0]: https://news.ycombinator.com/item?id=39277990