Space & Innovation

5th Grader Uses Teddy Bear to Hack Cybersecurity Conference

Reuben Paul used a common toy to show how the Internet of Things can be easily manipulated and weaponized to spy on or otherwise harm the public.

Creative Crop/Getty Images

An 11-year-old “cyber ninja” stunned an audience of security experts Tuesday by hacking into their Bluetooth devices to manipulate a teddy bear and show how interconnected smart toys “can be weaponized.”

American wunderkind Reuben Paul may be still only in 5th grade at his school in Austin, Texas, but he and his teddy bear Bob wowed hundreds at a timely cyber security conference in the Netherlands.

“From airplanes to automobiles, from smart phones to smart homes, anything or any toy can be part of the Internet of Things (IOT),” he said, a small figure pacing the huge stage at the World Forum in The Hague. “From terminators to teddy bears, anything or any toy can be weaponized.”

To demonstrate, he deployed his cuddly bear, which connects to the icloud via wi-fi and Bluetooth smart technology to receive and transmit messages.

RELATED: Massive, Stealthy Cyberattack Underway That Is ‘Much Bigger Than WannaCry’

Plugging into his laptop a rogue device known as a “raspberry pi” — a small credit card size computer — Reuben scanned the hall for available Bluetooth devices, and to everyone's amazement including his own suddenly downloaded dozens of numbers, including those of some top officials who were in attendance.

Using a computer language program called Python, he then hacked into his bear via one of the numbers to turn on one of its lights and record a message from the audience.

“Most internet-connected things have a Bluetooth functionality,” he later remarked to AFP. “I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light.”

“IOT home appliances, things that can be used in our everyday lives, our cars, lights refrigerators, everything like this that is connected,” he added, “can be used and weaponized to spy on us or harm us.”

RELATED: Microsoft Wants a Digital Geneva Convention for Cyberwarfare

They can be used to steal private information such as passwords, as remote surveillance to spy on kids, or employ a GPS to find out where a person is.

More chillingly, a toy could say “meet me at this location and I will pick you up,” Reuben said.

‘Timebombs’
His father, information technology expert Mano Paul, told how Reuben had revealed his early IT skills at the age of six, when he corrected him during a business call.

Using a simple explanation from dad on how a particular smartphone game worked, Reuben then figured out it was the same kind of algorithm behind the popular video game Angry Birds.

“He has always surprised us,” Mano Paul told AFP. “Every moment when we teach him something he’s usually the one who ends up teaching us.”

But Paul said he was “shocked” by the vulnerabilities discovered in children’s toys after Reuben first hacked a toy car, before his son moved on to more complicated things.

“It means that my kids are playing with timebombs, that over time somebody who is bad or malicious can exploit,” he said.

RELATED: 30 Years of Cyber Attacks: An Ominous Evolution

Now the family has helped Reuben, who is also the youngest American to have become a Shaolin Kung Fu black belt, to set up his CyberShaolin non-profit organization.

Its aim is “to inform kids and adults about the dangers of cyber insecurity,” Reuben said. He noted that he also wants to press home the message that manufacturers, security researchers, and the government have to work together.

Reuben has ambitious plans for the future, aiming to study cyber security at either CalTech or MIT and then use his skills for good.

Failing that maybe he could become an Olympian in gymnastics — another sport he excels in.

WATCH: Hackers Can Now Break Into Your Phone Using Music