


Sixth-grader weaponizes smart teddy bear, hacks security audience’s Bluetooth

May 17, 2017 | 4 mins
Data and Information Security, Internet of Things, Internet Security

An 11-year-old boy weaponized his smart teddy bear during a live demo to show how the Internet of Toys can become the Internet of Threats


If yet another cybersecurity expert wanted to warn the general public about the risks associated with the Internet of Things (IoT), it is likely the warning would go in one ear and out the other. But when a sixth-grader hacks an audience of security experts and “weaponizes” his smart teddy bear, it might just snag the attention of parents who have disregarded warnings about the dangers and bought internet-connected toys for their kids anyway.

At the International One Conference in the Netherlands on Tuesday, 11-year-old Reuben Paul set out to ensure that “the Internet of Things does not end up becoming the Internet of Threats.” Judging by security experts’ awed reactions on Twitter, Paul made a lasting impression.


“From airplanes to automobiles, from smart phones to smart homes, anything or any toy can be part of the Internet of Things (IoT),” Paul said during his keynote, Mutually Symb-IoT-ic Security. On stage at the World Forum in The Hague, he added, “From terminators to teddy bears, anything or any toy can be weaponized.”

He then used his smart teddy bear, Bob, to prove his point. Paul plugged a Raspberry Pi into the bear, which is connected to the cloud via Wi-Fi and Bluetooth, to send and receive messages. He scanned for Bluetooth devices. AFP reported that “to everyone’s amazement, including his own,” he “suddenly downloaded dozens of numbers including some of top officials.”

Using Python, he “hacked into this bear via one of the numbers to turn on one of its (LED) lights and record a message from the audience.”

Live demos are great when they work as intended, but they are surely nerve-wracking for the speaker.

Young Paul, aka @RAPst4r, tweeted that his “heart was going boom boom before the bear’s heart went blink blink.”

“Most internet-connected things have a Bluetooth functionality. … I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light,” Paul told AFP.

“IoT home appliances, things that can be used in our everyday lives, our cars, lights, refrigerators, everything like this that is connected in our homes, could be used and weaponized to spy on us, or even harm us,” he added.

Internet-connected devices can be weaponized to steal passwords or other sensitive information, to conduct remote surveillance, or to determine a person’s location. A smart toy could be abused to tell a kid, “Meet me at this location and I will pick you up.”

His Kung Fu is strong and not just the digital kind. Paul was the youngest person in America to have received the Shaolin Do Kung Fu Black Belt.

This Austin, Texas, sixth-grade “cyber ninja” is also founder and CEO of CyberShaolin, a non-profit organization with a mission “to educate, equip and empower kids with the knowledge of cybersecurity dangers and defenses, using videos and games.” These are videos and games that Paul “develops when he is done with his homework or his sports training.”

Paul has shown an aptitude in IT since he was six. He “shocked” his dad, IT expert Mano Paul, by first hacking a toy car before moving on to exploit vulnerabilities in more complex toys. His father said, “It means that my kids are playing with time-bombs that over time somebody who is bad or malicious can exploit.”

This isn’t the first time his son has presented at security conferences. In 2014, at age 8, Paul delivered a talk at DerbyCon. And when he was only a third-grader, Paul gave a closing keynote at the 2014 Houston Security Conference and spoke at the (ISC)2 Congress. Back then, he reportedly wanted to become a cyber spy and had already become founder and CEO of Prudent Games. At age 9, he was dubbed the next generation of security at the RSA conference and a child prodigy.

It’s exciting to think what he might do next after live-hacking his smart teddy bear. Be it his age or hacking a toy, Paul hopes people won’t miss the message:


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.