Cyber security – where toothbrushes, drones and gnomes collide

Cyber security “stories” to sink your teeth into

James Bore
02/15/2024


It sounds like the start of a joke, but these are all stories which have gone viral within the last 12 months – making international headlines and even some television segments:

  • Christmas gnomes being thrown into gardens to mark them for violent burglaries.
  • Autonomous drones killing their operators when they tried to prevent them completing their mission.
  • Millions of zombie smart toothbrushes conscripted into a large distributed denial of service (DDoS) attack against an unnamed Swiss (or sometimes Swedish) company.

They were also all false, down to various misunderstandings, but picked up and spread too quickly and with too little fact checking for the truth to catch up. With headlines too good to ignore, they were carried by the media, mostly unexamined and unchecked, for 24 hours each before questions started to arise. Even then, most outlets just quietly moved on rather than publishing retractions.

Murderous drones

It’s one of those stories that just feels right – the threat of artificial intelligence (AI) shown through conflicting parameters, attacks on humans and poorly specified missions. Isaac Asimov could have written it.

News channels across the world spoke about a US Air Force simulation in which a drone had turned on its operator, killing them, before moving on to take out the control tower. The stories contained plenty of information about the simulation, talking about how the test had been to try to identify an enemy installation and destroy it, but the operator would sometimes counteract the command. As the drone was rewarded for destroying the installation, it decided the operator was an obstacle and attacked them, before doing the same to the control tower when they tried to reassert control.

The only problem was it never happened. Most stories described it as a simulation and a few repeated it as an actual event, but in fact the simulation had never been run. To their credit, the military quickly issued statements saying no such simulation had occurred, and eventually the truth came out. An Air Force officer had made some comments about the scenario at a summit by the Royal Aeronautical Society. Those had then been published in a blog post by writers for the society, and seemingly taken out of context.

It’s believed that rather than a simulation it was discussed as a tabletop scenario, brainstorming possibilities, but without full details it’s difficult to establish anything more than that the simulation never happened.


Suspicious gnomes

Move on a few months and another headline goes viral. From an initial news story in one mainstream media outlet, the warning about Christmas gnomes being dropped into gardens to mark them for later burglaries went international in less than a day. What began as a small community warning by police in North Wales became international news in a dozen languages.

The panic spread, but the source had been lost as the community warning about the items had been deleted. References to the North Wales Police website having a similar warning led nowhere, and it was only through internet archives and some investigation that the truth of the story came out.

At least this time there was a grain of truth. Somehow, possibly as the earliest article so far identified carried a warning that it was partly created by AI (this was for a major UK newspaper), a community warning about two suspicious men dropping various items into gardens in North Wales had mutated into, as the Daily Mail put it, “chilling calling cards that thieves could use to target YOU.” Impressively they managed to tie it to a few more urban legends.

One theory is that the men were using the items to target houses for burglary, coming back later to see if they’d been removed and if not knowing that the house was empty. Only one of the items was a Christmas gnome, and as a strategy to identify target houses it seems a stretch, but it can’t be completely ruled out. The Christmas gnome panic lasted quite a bit longer though, and there have been no updates from any of the main media sources behind it to correct the record.

Zombie toothbrushes

Again, we have the headlines, “three million smart toothbrushes used in DDoS attack causing US $3 million damage.”

There’s a clear pattern by this point, and the zombie botnet toothbrushes hit both notes from the other two stories. Shortly after the headlines began, a narrative formed: the scenario went from a security researcher at Fortinet to a reporter, was included in an article originally written in Swiss German, and the small reference to it being hypothetical got lost in translation. The story exploded.


As the story raced around the world, hitting more and more headlines, being picked up and publicized by more and more vendors eager to hook their products to preventing such attacks in future, questions were being asked in cyber security circles. One of those was about whether toothbrushes, even smart ones, had the Wi-Fi capability such an attack requires (the ones mentioned in the article do not, operating only over Bluetooth). Another was about how everyone had somehow missed what would be a significant and noticeable DDoS attack.

It seemed to take only hours for the truth to come to light, but by then it was worldwide. The fallout is still occurring days later, with concerns that once again the cyber security industry is damaging its own credibility through hyperbole and false alarms like this. Other questions are being asked, once again, about the role of the wider media in taking the time to fact check their stories.

Worse still, there are questions being raised about the role of the vendor in all this. The debate is still going on, and unlikely to be settled before a new shiny distraction comes along, but the writer of the original story which claimed the attack had happened has added their own account. From their side there are claims not only that Fortinet provided specific details and numbers around the attack, but also that the text of the article with the specific claim of it being a real case was submitted to them before publication, with no objections.

It’s a growing issue, and as more and more low-quality content is generated and regurgitated by AI tools to keep news “fresh”, more and more misinformation will sink in. When marketing teams become complicit, whether through complacency, inattention or even deliberately, it will continue to grow and damage the credibility of an important industry.

This is a problem we’ve had for decades, and it only accelerates as the pace of information and misinformation generation increases. Still, at least it’s a story to get your teeth into.
