Toothbrush Botnet Army Story Was Bogus

John Lister's picture

Reports that 3 million "smart" toothbrushes were hacked and weaponized turn out to be misleading at best. It appears to have been a mistranslation or misunderstanding.

The reports first surfaced last week in Switzerland and involved toothbrushes supposedly running the Java computer language. They were said to have been hacked and used for a distributed denial of service (DDoS) attack that caused huge disruption and financial costs to a targeted business.

Not every element of the story is as completely ridiculous as it might seem. "Smart" toothbrushes do exist, with connections to smartphone apps. In some cases, this works similar to a fitness tracker as a way for users to motivate and hold themselves accountable for brushing for the correct amount every day.

In other cases, the toothbrushes have sensors that can give real time feedback about whether the user is pressing too hard, with the toothbrush dropping rotation speed to compensate. The toothbrush can also have dedicated brushing modes, for example to protect gums, increase speed and pressure for whitening particular areas, or reduce pressure on sensitive teeth.

DDoS Does Happen

Meanwhile DDoS attacks with a huge network of hijacked devices certainly can be a major issue. They involve inundating a website or server with bogus requests for data until it can no longer deal with the sheer volume of traffic, which then cuts access to the site or service when a request is made by legitimate users. It's a tactic often used to damage a business or country, for commercial, political or military reasons.

The problem is that there's no evidence this attack actually happened. The original report, which quoted a cyber security company's specialist, was giving a hypothetical example to illustrate a wider point that even mundane devices could be used in such an attack.

Translation Troubles

What's not clear is whether this point was lost in translation from the original German text, or if the article was written (intentionally or otherwise) in an ambiguous manner. The cyber security company suggests the former. (Source:

Those who first doubted the story pointed out that few, if any, toothbrush manufacturers have sold three million units that would be vulnerable to the same security flaw.

They've also noted the key point that the toothbrushes don't connect directly to the Internet but rather via a Bluetooth connection to a smartphone app. To pull off such an attack, hackers would first need to compromise the phone, then install malware on the toothbrushes. (Source:

What's Your Opinion?

Did you see this story? Would you have believed it? Are concerns about smart tech vulnerability overhyped or underplayed?

Rate this article: 
Average: 5 (5 votes)


ronangel1's picture

Thank goodness for that I had to remove the batteries from my toothbrush after every use and put it in a locked Faraday cage under the bathroom sink!
I also no longer have the feeling every time I pass the electric toothbrush display in a store they are sending information to headquarters in some eastern European country about my movements!
But I am still wary about the Chinese-made ones as you never know!