Have You #AVtweeps Heard About the One With the 3 Million Hacked Toothbrushes?


A few weeks ago, a Swiss newspaper story about “3 million hacked toothbrushes” went viral. I personally shared a link about the distributed denial-of-service (DDoS) attack with my cybersecurity coworkers via Teams message, prompting a number of comments and “Jurassic Park” memes. We all fell for it, but there is very little evidence that this massive IoT cyberattack ever even happened.


As it turns out, the story may have stemmed from a loss in translation. A Swiss researcher was talking about the Mirai botnet reaching new record numbers, including some toothbrushes, and somehow that turned into Oral B Star Wars.

Security researchers were quick to call BS on this topic, stating there was little to no supporting evidence. The Swiss expert claims they have evidence, but it doesn’t seem to add up to “three million hacked toothbrushes.” Usually when a story like this breaks, it is linked to a technical deep dive into how the cyberattack took place, or, in theory, one that could take place. “In theory” is not uncommon, because once a vulnerability is found in one IoT device, security researchers naturally want to figure out whether the same vulnerability can be found in other devices, or in this case, other Bluetooth-enabled toothbrushes. (They could call them BlueTooth-Brushes … or Blooth-Brushes … but anyway, back to my point.)

You may recall a few years ago when findings came out that some wireless presentation devices were vulnerable to cyberattacks. What shocked me and other #AVtweeps at the time was how little the different manufacturers communicated with each other about what turned out to be a shared OEM device vulnerability. Sara Abrons, rAVe [PUBS] editor-at-large, wrote a great article about it back in 2019.

Vulnerabilities like all of the above often begin as a hypothetical idea, often based on others’ research. If a phone can be hacked by Bluetooth and Java, why can’t a toothbrush, right? Then a researcher (aka hacker) reads the manuals and looks up the schematic drawings, maybe asks others who may have tried it before … (Wait a minute, that sounds a lot like some audiovisual programmers that I know! Hmm …)

Next, the security researcher often goes through a series of trials and errors in a lab environment to confirm the bug(s). They document their findings so that other researchers can follow the steps to confirm it. This is known as a “proven exploit,” but it does NOT mean that anyone has used this vulnerability to perform any attacks; it only means someone COULD, in theory, exploit the vulnerability. The researcher often shares the information with the manufacturer first, so they have time to patch it.

Conversely, a vulnerability that has been found to be “exploited in the wild” means the vulnerability has been used in a real-world cyberattack, by confirmed criminals or bad actors. These are the most dangerous vulnerabilities because they are not just hypotheticals, or proven exploits in the lab; they are out on the streets, so to speak, being used, often trending for months, or years at a time.

This, in turn, causes more research, and more hackers looking for similar vulnerabilities, including in toothbrushes and AV touch panels 😉, until they have exhausted all possibilities. Or have they?

With all of the legacy AV devices out there, sitting on not-so-managed switches with open ports, it’s not hard to imagine a botnet like Mirai being installed onto them and then being leveraged for a DDoS attack. But in my opinion, it’s just as likely that AV devices would be used as a gateway or pivot point to get to bigger servers, and/or for espionage. Cameras, microphones and occupancy sensors, oh my!


In closing, AV is IoT, and we need to continue the conversation — and research — around cybersecurity. I would like all AV manufacturers and resellers of AV products to please ask yourselves:

  1. Why does your audiovisual gear need any Bluetooth or Wi-Fi connections in the first place? 
  2. If I was a criminal or bad actor, could I exploit the wireless or Bluetooth? Has anyone tried? 
  3. Would it be in the best interest of security to have Wi-Fi or Bluetooth set to OFF, by default?
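As an added example (not part of this article, and not any manufacturer's tooling), here is a small Python audit that turns the three questions above, plus the "legacy device on an unmanaged switch with open ports" scenario, into checks run over a constructed AV inventory. The only outside fact it relies on is that the original Mirai spreader logged into devices over Telnet (TCP 23 and 2323) using factory default passwords; the device names, port lists and settings are made-up sample data, and the field names are my own.

```python
"""Added example: audit a constructed AV device inventory against the
article's closing questions and the Mirai exposure model. Not code from
the article or from any AV vendor; device data below is constructed."""
from dataclasses import dataclass

# Ports scanned by the original Mirai spreader (public Mirai source, 2016).
MIRAI_TELNET_PORTS = {23, 2323}


@dataclass
class AVDevice:
    name: str
    open_ports: set
    wifi_enabled: bool
    bluetooth_enabled: bool
    default_credentials: bool   # still on the factory password?
    on_managed_switch: bool     # VLAN/ACLs available, or a dumb switch?
    needs_wireless: bool        # Q1: does the job actually require a radio?


def audit(device: AVDevice) -> list:
    """Return a list of findings for one device (empty list == nothing to flag)."""
    findings = []
    telnet_ports = device.open_ports & MIRAI_TELNET_PORTS
    if telnet_ports and device.default_credentials:
        # Exactly the combination Mirai-style botnets harvest.
        findings.append("telnet + default credentials: botnet takeover risk; "
                        "change password and disable telnet")
    elif telnet_ports:
        findings.append("telnet exposed: restrict with an ACL or disable")
    if (device.wifi_enabled or device.bluetooth_enabled) and not device.needs_wireless:
        # Q3: radios that serve no purpose should ship OFF by default.
        findings.append("radio enabled without a stated need: "
                        "set Wi-Fi/Bluetooth OFF by default")
    if device.open_ports and not device.on_managed_switch:
        # The pivot-point scenario: open services reachable laterally.
        findings.append("open ports on an unmanaged switch: move to a managed "
                        "VLAN and limit lateral access")
    return findings


def audit_inventory(devices) -> dict:
    """Map device name -> findings for a whole inventory."""
    return {d.name: audit(d) for d in devices}


def worst_first(devices) -> list:
    """Device names ordered by number of findings, most exposed first."""
    report = audit_inventory(devices)
    return sorted(report, key=lambda n: len(report[n]), reverse=True)


# Constructed sample inventory (hypothetical names and settings).
SAMPLE_INVENTORY = [
    AVDevice("lobby-touch-panel", {23, 80}, True, True, True, False, False),
    AVDevice("boardroom-camera", {443}, False, False, False, True, False),
    AVDevice("wireless-presenter", {2323, 443}, True, False, False, True, True),
]

if __name__ == "__main__":
    for name in worst_first(SAMPLE_INVENTORY):
        print(name, "->", audit_inventory(SAMPLE_INVENTORY)[name] or ["ok"])
```

On the sample data the touch panel trips all three checks, the camera is clean, and the presenter is flagged only for its exposed Telnet port, since its radio is a stated requirement. Swapping the constructed list for a real inventory export is the only change needed to run it on a site.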