Cyber kid stuns experts showing toys can be 'weapons'

May 16, 2017 by Jo Biddle
Reuben Paul addresses the World Forum cyber security conference in The Hague

An 11-year-old "cyber ninja" stunned an audience of security experts Tuesday by hacking into their Bluetooth devices to manipulate a teddy bear and show how interconnected smart toys "can be weaponised".

American wunderkind Reuben Paul, may be still only in 6th grade at his school in Austin, Texas, but he and his teddy bear Bob wowed hundreds at a timely cyber security conference in The Netherlands.

"From airplanes to automobiles, from smart phones to smart homes, anything or any toy can be part of the" Internet of Things (IOT)," he said, a small figure pacing the huge stage at the World Forum in The Hague.

"From terminators to teddy bears, anything or any toy can be weaponised."

To demonstrate, he deployed his cuddly bear, which connects to the iCloud via WiFi and Bluetooth smart technology to receive and transmit messages.

Plugging into his laptop a rogue device known as a "raspberry pi"—a small credit card size computer —Reuben scanned the hall for available Bluetooth devices, and to everyone's amazement including his own suddenly downloaded dozens of numbers including some of top officials.

Then using a computer language programme, called Python, he hacked into his bear via one of the numbers to turn on one of its lights and record a message from the audience.

"Most internet-connected things have a blue-tooth functionality ... I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light," he told AFP later.

"IOT home appliances, things that can be used in our everyday lives, our cars, lights refrigerators, everything like this that is connected can be used and weaponised to spy on us or harm us."

They can be used to steal private information such as passwords, as remote surveillance to spy on kids, or employ a GPS to find out where a person is.

More chillingly, a toy could say "meet me at this location and I will pick you up," Reuben said.

'Timebombs'

His father, information technology expert Mano Paul, told how aged about six Reuben had revealed his early IT skills correcting him during a business call.

Using a simple explanation from dad on how one smart phone game worked, Reuben then figured out it was the same kind of algorithm behind the popular video game Angry Birds.

"He has always surprised us. Every moment when we teach him something he's usually the one who ends up teaching us," Mano Paul told AFP.

But Paul said he been "shocked" by the vulnerabilities discovered in kids toys, after Reuben first hacked a toy car, before moving onto more complicated things.

"It means that my kids are playing with timebombs, that over time somebody who is bad or malicious can exploit."

Now the family has helped Reuben, who is also the youngest American to have become a Shaolin Kung Fu black belt, to set up his CyberShaolin non-profit organisation.

Its aim is "to inform kids and adults about the dangers of cyber insecurity," Reuben said, adding he also wants to press home the message that manufacturers, security researchers and the government have to work together.

Reuben also has ambitious plans for the future, aiming to study cyber security at either CalTech or MIT universities and then use his skills for good.

Failing that maybe he could become an Olympian in gymnastics—another sport he excels in.

Explore further: NASA catches the two day life of Tropical Cyclone Reuben

Related Stories

NASA catches the two day life of Tropical Cyclone Reuben

March 23, 2015

Tropical Cyclone Reuben formed on Sunday, March 21 at 22:35 UTC in the Northwestern Pacific Ocean and by March 23 was already dissipating. NASA's Aqua satellite passed over Reuben when it was in the prime of its life on March ...

The WikiLeaks CIA release—when will we learn?

March 9, 2017

This week's WikiLeaks release of what is apparently a trove of Central Intelligence Agency information related to its computer hacking should surprise no one: Despite its complaints of being targeted by cyberattackers from ...

Recommended for you

Chinese fans trash blackout as Google AI wins again

May 25, 2017

Chinese netizens fumed Thursday over a government ban on live coverage of Google algorithm AlphaGo's battle with the world's top Go player, as the programme clinched their three-match series in the ancient board game.

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

EmceeSquared
4.7 / 5 (3) May 16, 2017
Jo Biddle: Get an editor.
1. A 'rogue device known as a "raspberry pi"'? A Raspberry Pi (proper nouns get capitalized in English) is not a "rogue device", especially not as used by this kid.

2. "computer language programme, called Python": The language is called "Python"; the programmes written in it are not Python. You don't seem to understand the difference between a programme and the language it's written in, but you're covering a cybersecurity story.

3. If you're going to correctly capitalize "Bluetooth" most of the time, do it every time, not "blue-tooth". If that was AFP's mistake you're quoting, append "[sic]" to show you recognize their mistake, not just repeat it.

These are mistakes that should certainly disqualify this article from publication. And if you can't do better, that should disqualify you from writing for publication.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.