Someone At Fortinet Is Having A Bad Week
You have probably heard tell of the three million toothbrush botnet by now, as the headline is too ridiculous to easily forget. There’s just one small problem: the attack described by Fortinet never happened. In the original story a representative of Fortinet blamed millions of electric toothbrushes programmed with Java for taking down a Swiss company with a DDoS attack. That is perfectly possible; a variety of IoT devices from toasters to toilets have been used for this exact purpose. To describe an IoT device as insecure is redundant at this point, and even those that receive security updates for a few years before being abandoned by the manufacturer are more than likely to have hard-coded vulnerabilities that can’t be patched.
It is good to remind people just how horrific IoT devices’ security is, but a security company inventing an attack which never happened is a wee bit fishy, and we can only hope it was a misunderstanding. You can probably keep that electric toothbrush, by the way: they are almost exclusively Bluetooth and can only make local connections, so they can’t talk to the internet. That does mean they never receive security patches, but that’s the IoT for you.
If that wasn’t bad enough, Forticlient also accidentally re-released two critical vulnerabilities with a rating of 10 out of 10 for their FortiSIEM product. While that looks terrifying, both of these vulnerabilities were discovered and patched last year. That is perhaps a good reminder to make sure you did actually patch them, though.
It’s not a good week to be Fortinet at all.
Fortinet, who was attributed as the source of the article, has not published any information about this attack and has not responded to repeated requests for comment from BleepingComputer since the "toothbrush botnet" story went viral yesterday.