Your credit / debit card (and probably your SIM card) run Java[1]. So did most cellphones from the early 2000s[2]. I can believe that some IoT devices run chips more powerful than your average phone from 20 years ago.
JavaCard has actually lost a lot of its popularity for ICC applications like credit cards and SIMs. It's hard to get good numbers from the industry, which tends towards secretive, but these days SELP and MULTOS seem more popular.
Of course the availability of multiple OS for these devices reinforces the idea that you can run a lot of things on some very low power devices these days.
At the same time, it's important to understand that JavaCard is a very constrained version of Java. Most JavaCard platforms have no support for IP networking, which would make it an unlikely source of DDoS (besides the fact that it requires relatively specialized developer tooling).
> Most JavaCard platforms have no support for IP networking, which would make it an unlikely source of DDoS
I'm not claiming that you could use a smart card for DDoS (the idea seems absurd, but somebody is probably going to prove me wrong one of these days), merely that if some version of Java runs on a smartcard, I don't find it that unimaginable for a toothbrush to have a good enough chip to run Java, perhaps with enough resources for a TCP / IP stack. Something equivalent in performance to an old, WAP-capable phone that also ran Java ME, perhaps.
You can, today, buy ARM chips with support for executing simple Java Bytecode directly. The Jazelle[0] earchitecture is a primary intended to accelerate JVMs[1] and is still found on some devices. There also were some other initiatives around embedded devices on the past to get Java running on smart cards and more.
While part of me wishes the story were true, as it’s just hilarious thinking about _a toothbrush_ carrying out someone else’s ill will. I am glad it’s not.
AFAIK that's because granting access to bluetooth potentially allows the app to track your location (via bluetooth beacons). As a result both iOS and Android show the location warning just in case the app wants to do something malicious. Just because you see the warning doesn't mean the app is trying to ship your location to China.
On iPhone, bluetooth is presented to the user as a location check. Big data companies will if you're near your toothbrush then you're at home. And they can figure out where "home" is by other tracking methods.
>Big data companies will if you're near your toothbrush then you're at home. And they can figure out where "home" is by other tracking methods.
You don't need bluetooth to do that. By keeping track of your public/private ip (which requires no special permissions), and correlating it to time of day, it's fairly easy to infer whether you're home or not. If there's a network you're regularly connected to during the evening and weekends, it's highly probable that you're "home".
Here's the link to the actual article instead of someone's social media post that contains a screenshot that contains an unclickable link to the article:
Disclaimer:
Maybe the image is clickable or there's a clickable link in the social media post for most people, but because Mastodon doesn't show posts without javascript enabled I can only ever see whatever shows up in the RSS feed.
This is not the original article, it's just an article taking up and spreading the claim. The original article[1] they linked is from a German newspaper in Switzerland, predating the article from tomshardware.com by a whole week.
The linked archived article says quite specifically that while the example sounds like a hollywood story it really did happen.
I don’t doubt that the article is wrong or they misunderstood their source though, since it’s just a random local news article about the dangers of ‘cybercrime’ which was apparently used as a source by these larger publications.
Proof? This is just some random person claiming it's not true but they link to an article which explicitly states that it is in fact true. Am I missing something?
I believe the Mastodon OP mistranslated the German article, which states:
> Das Beispiel, das wie ein Hollywood-Szenario daherkommt, hat sich wirklich so zugetragen.
Correct translation:
> This example, which seems like a Hollywood scenario, actually happened.
But as you can see, if you miss the last part, it's easy to get the translation wrong.
(Interestingly, the Swiss article doesn't directly quote Fortinet as a source, but as an expert opinion. Maybe something was lost in translation there when the story went viral?)
I use a couple of TP-Link smart power plugs and one of them occasionally wants to access the internet to get the time from an NTP server. Since I block all their internet access this one goes crazy and brings my DNS server (custom written in Python) down to a halt. Just blocking him in the firewall of the AP would probably also not make him behave and he'd still pollute the RF spectrum. Happens rarely, though. Kicking him off of the WiFi and letting him reconnect makes him behave again.
Funnily enough that happens also when you run the original article through Google translate:
> She's in the bathroom at home, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes.
(In German, toothbrushes are female, like all brushes.)
If he were a good boy, he would listen to what is told to him by the DHCP server and use the local NTP server instead (not only is it closer but it's also fed by PPS-accurate GPS data).
Kevin Beaumont is not exactly a random person in this instance, he's a pretty experienced writer on cybersecurity.
He elaborates farther down the thread:
> A botnet of 3 million toothbrushes would be twice the size on Mirai's various botnets put together, and a MAJOR infosec event. The person they were interviewing has only worked there about a year, and Fortigate staff don't appear to know about this botnet.
Edit to add:
Imagine you read on TechMeme that room-temperature superconductors are now confirmed to exist. But when you trace the story back, the original citation is an article in the Tucson Regional Business Journal about how scientific research benefits innovation. Would you think "wow, big scoop for the TRBJ!" Or something more like, "I bet that business reporter misunderstood something they heard."
Or, similarly, the letter to the editor in NEJM which caused decades of mistrust of MSG -- and which, depending on who you listen to, might or might not have been a deliberate hoax.
Yes. Or we would end up comparing multiple news stories, presumably at least partly fact-checked (but you never know these days), against a single post on a random social network.
The translation is correct regarding the articles claim of the stories legitimacy.
To expand on the initial dramatized story:
> Sie steht zu Hause im Badezimmer, doch sie ist Teil einer gross angelegten Cyberattacke. Die elektrische Zahnbürste ist mit Java programmiert, und unbemerkt haben Kriminelle darauf eine Schadsoftware installiert – wie auf 3 Millionen anderen Zahnbürsten auch. Ein Befehl genügt, und die ferngesteuerten Zahnbürsten rufen gleichzeitig die Website einer Schweizer Firma auf. Die Seite bricht zusammen und ist für vier Stunden lahm gelegt. Es entsteht ein Schaden in Millionenhöhe.
The article claims that an electric toothbrush with Java-based software was the target of malware. Criminals then leveraged this malware to execute a ddos from the toothbrushes against the website of a swiss business.
The article further claims this led to a downtime for around five hours with expect damages in the millions.
>The article claims that an electric toothbrush with Java-based software was the target of malware
The chef's kiss moment of this story would be that it was Log4J vuln that was unable to be patched because why would they make updates to a toothbrush. I'm guessing that would complete somebody's bingo card.
Who had DDoS attack, Botnet, IoT Device, Java, Log4J?
The point of linking to that article is that it's not plausible that a 3-million-device botnet attack would be first reported as a one-paragraph example at the beginning of a general cybersecurity article in a regional German publication.
I really don't think even 1 million toothbrushes exist that have any IP connectivity at all, let alone three million all being pwned. I would assume that if anyone had sold that many Wi-fi models, one of the big manufacturers would have some, and as far as I'm aware, none do, they all use Bluetooth. Not sure I buy that a bluetooth toothbrush can DDOS a website.
Things like this combined with AI are the scariest version of the future, I think. If we ask a very capable AI to solve climate change, what if it decides to solve it by creating something like Stuxnet for human infrastructure?
Peter Watts novel Starfish, a stunning quarter century old now, has exactly that problem as part of its side plot. In a chilling detail relevant to today, it posits a black-box trainable neural network (biological in the book but an irrelevant difference overall) tasked with solving some of the big issues, which makes subtle links and determinations in the model which eventually end up potentially disastrous for human kind.
I was wondering because the toothbrushes I know use BT(LE) and aren't connected to the Internet.
However, some light bulbs do have WIFI and sure one day could be exploited. And there are definitely more light bulbs than toothbrushes around here.
You're not thinking like a modern *aaS company. I'm waiting for subscription-based pacemakers. $9.95/mo for up to 60 beats per minute or $19.95 for unlimited heartbeats. Sign up for a year now and get an additional 3 months free :)
"We hope this message finds you with your beats still strong and rhythmic. It is with a heavy heart (pun fully intended) that we, at PulsarTech, your trusted provider of the world's first Internet-connected pacemaker, announce the discontinuation of our heartbeat-as-a-service (HaaS) platform. Yes, it’s time to say goodbye to those sweet, life-sustaining firmware updates and cloud-synced palpitations."
I'm hoping that in this hypothetical there is an OpenHeart group that shared software and build scripts for self-hosting the heartbeat cadence functionality.
Because I started thinking about which device (nuke vs. lead bullet) was more capable of delivering computational malware, as that would lend itself to more entertaining pun.
But I eventually decided that wasn't a fruitful vein of humour, so I pared it back to mere mention of the weapon.
I.e., even though I no longer jad a reason to prefer the bomber over the pistol for the pun, I stayed with it out of mere joke-planning inertia.
Why mention just one or the other in my original comment?
Well, because, as you probably know, brevity is the soul of wit.
118 comments
[ 3.2 ms ] story [ 185 ms ] thread[edit]
No, Java ME CLDC can run on devices with as little as 160kB of ROM and 8kb of RAM.
https://www.ebay.com/itm/300495374337
While not exactly, small, the first Java product was remote controller with touchscreen...
https://archive.org/details/Star7Demo
[1] https://en.wikipedia.org/wiki/Java_Card [2] https://en.wikipedia.org/wiki/Java_Platform,_Micro_Edition
Of course the availability of multiple OS for these devices reinforces the idea that you can run a lot of things on some very low power devices these days.
At the same time, it's important to understand that JavaCard is a very constrained version of Java. Most JavaCard platforms have no support for IP networking, which would make it an unlikely source of DDoS (besides the fact that it requires relatively specialized developer tooling).
I'm not claiming that you could use a smart card for DDoS (the idea seems absurd, but somebody is probably going to prove me wrong one of these days), merely that if some version of Java runs on a smartcard, I don't find it that unimaginable for a toothbrush to have a good enough chip to run Java, perhaps with enough resources for a TCP / IP stack. Something equivalent in performance to an old, WAP-capable phone that also ran Java ME, perhaps.
[0]: https://en.m.wikipedia.org/wiki/Jazelle in [1]: https://developer.arm.com/documentation/ddi0406/c/Applicatio...
Someday a headline like this will actually be true.
I think of it more like accidentally publishing a prewritten celebrity obituary.
[0]: https://news.ycombinator.com/item?id=39277990
if you use an iPhone, my apologies
When I saw your comment I figured I should check and see and it looks like they dropped the location permission.
https://play.google.com/store/apps/details?id=com.philips.cd...
You don't need bluetooth to do that. By keeping track of your public/private ip (which requires no special permissions), and correlating it to time of day, it's fairly easy to infer whether you're home or not. If there's a network you're regularly connected to during the evening and weekends, it's highly probable that you're "home".
https://www.tomshardware.com/networking/three-million-malwar...
Disclaimer: Maybe the image is clickable or there's a clickable link in the social media post for most people, but because Mastodon doesn't show posts without javascript enabled I can only ever see whatever shows up in the RSS feed.
[1] https://archive.ph/2024.01.30-203406/https://www.luzernerzei...
The German article says it got the information from a report by fortinet. I didn't notice anything about the DDoS attack there, but i did find these:
https://filestore.fortinet.com/fortiguard/research/mobileiot...
https://filestore.fortinet.com/fortiguard/research/toothbrus...
Because not many other devices on the internet of things are.
I don’t doubt that the article is wrong or they misunderstood their source though, since it’s just a random local news article about the dangers of ‘cybercrime’ which was apparently used as a source by these larger publications.
> Das Beispiel, das wie ein Hollywood-Szenario daherkommt, hat sich wirklich so zugetragen.
Correct translation:
> This example, which seems like a Hollywood scenario, actually happened.
But as you can see, if you miss the last part, it's easy to get the translation wrong.
(Interestingly, the Swiss article doesn't directly quote Fortinet as a source, but as an expert opinion. Maybe something was lost in translation there when the story went viral?)
Million dollar damage because a Swiss site wasn't reachable for 4 hours?
I doubt that.
If this is real, the article is beyond useless in informing people of what has happened and how it's happened.
> She's in the bathroom at home, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes.
(In German, toothbrushes are female, like all brushes.)
It means nothing other than that you need to remember the correct pronoun for every noun, which is absurd.
I just assumed they were gendering inanimate objects, which even non-gendered English speakers will do, but conveys more anthropomorphic intent.
Let's coin a term for this: misanthromorphism.
He elaborates farther down the thread:
> A botnet of 3 million toothbrushes would be twice the size on Mirai's various botnets put together, and a MAJOR infosec event. The person they were interviewing has only worked there about a year, and Fortigate staff don't appear to know about this botnet.
Edit to add:
Imagine you read on TechMeme that room-temperature superconductors are now confirmed to exist. But when you trace the story back, the original citation is an article in the Tucson Regional Business Journal about how scientific research benefits innovation. Would you think "wow, big scoop for the TRBJ!" Or something more like, "I bet that business reporter misunderstood something they heard."
This was a simple letter to the editor, written by a doctor, that became the driving force behind Oxycontin marketing.
[0] https://www.theatlantic.com/health/archive/2017/06/nejm-lett...
https://news.colgate.edu/magazine/2019/02/06/the-strange-cas...
Highly unlikely.
Highly suspicious and now confirmed it didn't happen.
https://news.ycombinator.com/item?id=39300373
> Das Beispiel, das wie ein Hollywood-Szenario daherkommt, hat sich wirklich so zugetragen.
Google translate:
> This example, which seems like a Hollywood scenario, actually happened.
So this article states that this actually happened.
So OP's claim that this article states it's just an example which didn't happen, is incorrect.
I'm not saying it did happen, just that the article does not state what OP says.
To expand on the initial dramatized story:
> Sie steht zu Hause im Badezimmer, doch sie ist Teil einer gross angelegten Cyberattacke. Die elektrische Zahnbürste ist mit Java programmiert, und unbemerkt haben Kriminelle darauf eine Schadsoftware installiert – wie auf 3 Millionen anderen Zahnbürsten auch. Ein Befehl genügt, und die ferngesteuerten Zahnbürsten rufen gleichzeitig die Website einer Schweizer Firma auf. Die Seite bricht zusammen und ist für vier Stunden lahm gelegt. Es entsteht ein Schaden in Millionenhöhe.
The article claims that an electric toothbrush with Java-based software was the target of malware. Criminals then leveraged this malware to execute a ddos from the toothbrushes against the website of a swiss business.
The article further claims this led to a downtime for around five hours with expect damages in the millions.
Me: Damn garbage collector
The chef's kiss moment of this story would be that it was Log4J vuln that was unable to be patched because why would they make updates to a toothbrush. I'm guessing that would complete somebody's bingo card.
Who had DDoS attack, Botnet, IoT Device, Java, Log4J?
I really don't think even 1 million toothbrushes exist that have any IP connectivity at all, let alone three million all being pwned. I would assume that if anyone had sold that many Wi-fi models, one of the big manufacturers would have some, and as far as I'm aware, none do, they all use Bluetooth. Not sure I buy that a bluetooth toothbrush can DDOS a website.
A research presentation by fortinet covering a BLE-enabled toothbrush that communicates with the cloud over a mobile app.
Also mentioned by a comment on the original post.
Things like this combined with AI are the scariest version of the future, I think. If we ask a very capable AI to solve climate change, what if it decides to solve it by creating something like Stuxnet for human infrastructure?
Highly recommended!
[0] https://www.relicradio.com/otr/2021/12/a-logic-named-joe-by-...
[1] https://en.wikipedia.org/wiki/A_Logic_Named_Joe
Total ideological lockstep combined with intense self-righteousness, and not a single contrarian opinion in sight.
https://news.ycombinator.com/item?id=39300373
"Be afraid, be very afraid" Wednesday Addams - Addams Family Values
It's not the pacemaker malware you want to worry about, it's the pacemaker ransomware!
[1] https://www.wired.com/2014/05/sentinl-gun-lock/
[2] https://www.bleepingcomputer.com/news/security/hacker-used-r...
If a company ever did this, I bet they'd charge at least 10 times more than that.
"Don't die during reboot"
Oh, the Convair B-36 Peacemaker definitely delivered malware.
They were clearly referring to the Colt Single Action Army revolver handgun.
But I eventually decided that wasn't a fruitful vein of humour, so I pared it back to mere mention of the weapon.
I.e., even though I no longer jad a reason to prefer the bomber over the pistol for the pun, I stayed with it out of mere joke-planning inertia.
Why mention just one or the other in my original comment? Well, because, as you probably know, brevity is the soul of wit.