2024-02-07 hacking, rant

There’s an ongoing viral story on the internet about Evil Toothbrushes. A company selling firewall boxes and other “security” products claims that one Swiss customer’s website got DDoS’ed by … a network of three million hacked “internet-connected toothbrushes”, causing millions of Euros in damages. I am not going to link to any of those news reports for reasons that will become obvious, but you can use your Search Engine of Least Distrust to find them.

I don’t believe it¹.

So, let’s start with something fundamental²: You do not need “millions of clients” to DDoS a website. You can bring down most websites with a single client or maybe a handful of hacked root servers on the internet. Unless your company is a webshop, there is no way that a website being down is actually causing “millions” in damages. And if you are a website that makes millions a day, you would use a DDoS-protection service from a company like Akamai or Cloudflare, so we would see a press release from them instead of a vague post by a firewall vendor.

But let’s assume this attack is actually real for now. The story still does not make any sense to me whatsoever.

I’ll start with a quick detour. Most articles about this story also contain a statement from the same company, claiming that connecting any unprotected PC to the internet will turn it into a “malware-ridden” device within 20 minutes. This is not how this works. While you should absolutely always install updates and follow best security practices, here’s what happens if you connect an unprotected PC to the internet: you’ll burn a bunch of electricity. That’s it.

These stories often come alongside claims on how fast hackers can scan the internet for devices and vulnerabilities. Those claims alone are true; portscanners and vulnerability scanners have become super quick and efficient, but this doesn’t matter. If you connect a device to your home WiFi, it can access the internet, but it’s really hard (as in: probably impossible) for the internet to access your device. This isn’t because your modem or router is so amazing at being secure³, but it’s instead a technical limitation. I won’t go into detail why, but your home internet is most likely a one-way gate. If you check one of those “What is my IP address” websites with multiple devices in your network, you’ll notice that all those devices show the same public IP address⁴. This is because there simply aren’t enough IPv4 addresses available to assign one to each device. Your ISP assigns you one IP address, and your router/modem maps the network traffic from your devices onto that one address. How this actually works is a bit complicated⁵, but essentially, a device in your network says, “hey I want to connect to overengineer.dev”, and your router then knows that traffic on the connection between your network and my server needs to flow to whatever device you’re currently reading this on. However, if someone from the outside tries to send data to your network, the router doesn’t know where to send that stuff, so it just drops it.

There are, of course, exceptions to this. If you have been playing online games for long enough, you might remember when you had to fiddle with your router settings to set up port forwards to make a game work. Setting up a port forward would be “opening a direct tunnel from the outside to your PC”. There’s also a protocol called “Universal Plug and Play” that can do this automatically, so a piece of software or hardware within your network can talk to your router and say “hey I need a public tunnel from the internet to me”. However, you or a device/software you own needs to go out of your way to set this up - it doesn’t just happen on its own. Writing software that makes that request takes effort, so unless your application really needs that, developers don’t spend that time.

So, unless something in your network actively reaches out to something else, there’s no way to directly access or attack that device. Of course, any internet-connected device eventually talks to a server to submit data or check for updates, but it’s not trivial to “hack” those kinds of connections. The easiest way would be to hack the server they’re connecting to, or somehow manipulate how they’re connecting to it and re-routing that connection, but none of this is easy.

Now, back to toothbrushes.

If you want your toothbrush to send you some statistics on how often and how well you clean: that’s totally fine. You should be aware of the privacy implications, but you don’t need to feel bad or get shamed by the internet for it. Really. Don’t be afraid of it hacking the world.

There aren’t too many internet-connected toothbrushes out there. I found quite a few toothbrushes with Bluetooth support (so you can connect to a phone app or something), but it’s rare for the toothbrush itself to have internet access. It can’t be a Bluetooth-enabled device, as you can’t really turn those into DDoS botnets. One of the exceptions I found was the “Oral-B iO Series 10”, where the charging base is the thing that talks to the internet. You’ll note that this is almost 400 US dollars. The original report claims that “three million” toothbrushes were part of the attack, and while we don’t know sales figures, I find that number to be surprisingly large for products this expensive. If anything, this number feels inflated.

Remember the “inbound tunnel” thing I mentioned earlier? Toothbrushes wouldn’t do that. They want to submit brushing statistics after you’re done brushing, and maybe occasionally check for a software update. To implement that, any reasonable developer would have the device reach out to a server, not the other way around. In fact, having the server check into the toothbrush wouldn’t work in most cases, and would scale incredibly bad. So, the toothbrush wouldn’t open an “inbound tunnel”. Attackers could take over the servers that the toothbrush is connecting to and distribute a malicious firmware update or something. Keeping an attack like this a secret is almost impossible, and we’ve heard about that by now.

Another claim in those articles is that the toothbrushes were running Java - raising my eyebrows even more. Most embedded programming is done in languages like C, C++, or Rust. You have to interact with hardware on quite a low level to use microcontrollers properly, and you also are really constrained in the amount of resources you have. Embedded Java does exist, but it’s not high on the list of choices for embedded systems. According to the linked Wikipedia article, you need at least 8 MB of RAM to run Java embedded. While that sounds like very little compared to the device you’re reading this on, it’s a huge amount of memory for embedded systems, which usually measure their RAM in kilobytes. I don’t know details about the Oral-B hardware I linked earlier, but iFixit published a teardown of the brush part of an earlier version of the iO brush, and they found a tiny Texas Instruments microcontroller in there. It comes with a whopping 28 kilobytes of RAM - you’re not going to run Java on that. Could newer models have beefier chips in them? Absolutely! But keep in mind that chips that have enough memory to run Java are very expensive. You don’t need to spend that much on a chip if you can do the same task on a cheaper, lower-spec microcontroller. We know that the Oral-B brush I linked earlier does the WiFi handling in their charging station, so they could have a Java-based setup there. But again, that doesn’t make sense: it would drive up the costs for the hardware. Things like Java’s Connected Limited Device Configuration exist, but at this point, you’re so far away from “real Java” that applying most of the Java wisdoms fails. You’d also have to hire a second team that knows about Java embedded programming. The folks writing the C/C++ code running inside the brush itself probably aren’t Java Embedded experts. And not even mentioning that Oracle wants licensing fees if you use Java ME!

And finally… …why?

Illegal hacking (also known as “black hat” hacking) is primarily done for financial gain. Hacking computers makes sense because you can exfiltrate someone’s online banking credentials. Hacking companies makes sense because you can steal trade secrets. DDoS attacks against a company’s website are … weird. You don’t hack a company by bringing down their website; you just tore down a poster that the company put up in public. DDoS attacks can be used in ransom situations, where hacker groups demand ransom or continue taking down your website. This can be effective if a company requires its website to be up (if it’s an online shop, for example), but DDoS attacks aren’t usually “where the money is”. Let’s imagine you’re a hacker (or part of a group) with the ability to hack a large number of electric toothbrushes. There’s so much stuff you could do with it: blackmailing the vendor, leaking/selling customer data, using it as an entry-point to hack other devices in people’s homes, … why would you burn such a valuable botnet just to bring down a company website? You could do the same with a bunch of hacked, unmaintained root servers.

Ultimately, this all sounds like a made up marketing plot from a company trying to sell more firewall appliances. If this were an actual security incident, we’d probably see a very different response, a clear disclosure timeline, and reports with way more detail than whatever the vague press release was about.

I’m also not saying that all Internet of Things devices are safe - in fact, most of them probably have horrible security holes. But hacking them usually makes no sense. They’re hard to reach, incredibly low-powered, might lose power unpredictably, … there are so much easier targets to hit.

You’re far more likely to be hacked by an old Android smartphone that hasn’t seen a security update in two years or by a “funny video file” someone sent you via email.