Of Fortinet, The Evil Toothbrush Botnet And Duplicate CVEs
Someone At Fortinet Is Having A Bad Week
You have probably heard tell of the three million toothbrush botnet by now, as the headline is too ridiculous to easily forget. There’s just one small problem: the attack described by Fortinet never happened. In the original story a representative of Fortinet blamed millions of electric toothbrushes programmed with Java for taking down a Swiss company with a DDoS attack. That is perfectly possible; a variety of IoT devices from toasters to toilets have been used for this exact purpose. To describe an IoT device as insecure is redundant at this point, and even those that receive security updates for a few years before being abandoned by the manufacturer are more than likely to have hard-coded vulnerabilities that can’t be patched.
It is good to remind people just how horrific IoT devices’ security is, but a security company inventing an attack which never happened is a wee bit fishy, and we can only hope it was a misunderstanding. You can probably keep that electric toothbrush, by the way: they are almost exclusively Bluetooth and can only make local connections, so they can’t talk to the internet. That does mean they never receive security patches, but that’s the IoT for you.
If that wasn’t bad enough, Forticlient also accidentally re-released two critical vulnerabilities with a rating of 10 out of 10 for their FortiSIEM product. While that looks terrifying, both of these vulnerabilities were discovered and patched last year. That is perhaps a good reminder to make sure you did actually patch them, though.
It’s not a good week to be Fortinet at all.
Fortinet, who was attributed as the source of the article, has not published any information about this attack and has not responded to repeated requests for comment from BleepingComputer since the "toothbrush botnet" story went viral yesterday.
More Tech News From Around The Web
- Critical flaw in Shim bootloader impacts major Linux distros @ Bleeping Computer
- Critical vulnerability affecting most Linux distros allows for bootkits @ Ars Technica
- DEF CON is canceled! No, really this time – but the show will go on @ The Register
- Apple Develops a Foldable Clamshell iPhone @ Slashdot
- Harbor Freight And LEGO PCB Vise Is Cheap And Effective @ Hackaday
- Large cryptocurrency miners in US now have to report energy use to government @ Ars Technica
- Crypto Mining Company Loses Bid To Force Canadian Utility Company To Provide Power @ Slashdot
- G.Skill WigiDash PC Command Panel @ Guru of 3D