Forget hacked toothbrushes, worry about the rise in real DDoS attacks

While toothbrush botnets have dominated the news this week, the real threat from firmware attacks continues and you would be foolish to ignore it. The attackers certainly aren’t.

A somewhat ridiculous story about three million hacked toothbrushes being used in a DDoS attack against an unnamed Swiss organisation went viral this week. The original newspaper report, in German, included comments from a Fortinet engineer regarding IoT devices being compromised as an example of firmware attacks.

As I reported for Forbes, the whole thing was likely a case of misinterpreted information with the facts getting lost in translation; this was confirmed in a statement by Fortinet today. But you can wipe the smile off your face as the danger of firmware compromise and botnet attacks cannot be simply brushed aside. Did you see what I did there?

DDoS attacks a genuine threat

Take the latest threat intelligence report from Netscout, for example. It reveals a 30% increase in DDoS attacks from 2022 to 2023, with targets ranging from enterprises to governments. This is hardly surprising given the surge in the number of IoT devices, both in businesses and public services.

“These devices often have poor security, so cyber criminals can easily compromise them with botnet malware and use them to remotely launch a range of cyberattacks including DDoS attacks,” points out Christopher Conrad, a senior threat intelligence analyst at Netscout.

Such devices remain, largely, designed for convenience. Any nod to security is an afterthought at best or left up to the end user to bolt on. “Several IoT devices do not auto-update,” Conrad explains, “so old vulnerabilities stay in place for longer than they should. Having limited built-in security makes them vulnerable to attacks like botnet recruitment.”

Jake Moore, the global cybersecurity advisor at Eset, calls IoT devices a hacker’s playground. “The massive growth in IoT devices placed in the home and office is the perfect opportunity to create mayhem among users and businesses alike in the form of simple DDoS attacks,” he says. 

State-backed attacks on vulnerable devices

However, it should be pointed out that DDoS is not the only cyber-fruit. Nation-state-backed groups also look to attack vulnerable devices, be they at an organisation or an employee’s home, as a route to further compromise.

Recently, the FBI shut down a China-backed group that had been attacking routers in order to compromise US-based critical national infrastructure.

“Updating firmware is inherently even harder than updating software,” Roger Grimes, data-driven defence evangelist at KnowBe4, says.

“Most people have no clue what the patch status is on those devices, or any devices, running updatable firmware in their environments,” Grimes continues, concluding that “it’s no wonder Chinese hackers and many others specifically target devices running firmware. They are likely to find plenty of vulnerable targets and the people using them are very, very unlikely to notice that they’ve been compromised.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.