How an 11-Year-Old Superhero Hacker Stole Data And Weaponized His Teddy Bear

flying teddy bear
flickr / Abe Beal
ADVERTISEMENT

His name isn’t Anonymous. He doesn’t live on the dark web. And he’s not currently holding any of your company’s computer files hostage. But Rueben Paul, an 11-year-old sixth grader from Austin, Texas, is a hacker to be reckoned with. This week he blew away an audience of cyber-security experts at a conference in the Netherlands by stealing data from their Bluetooth devices and using it to hack into his Wi-Fi-enabled teddy bear named Bob — all while they were listening to his keynote address.

Invited to speak at the Hague by the Netherlands National Cyber Security Centre, Paul, who’s dad is an information technology expert, used the opportunity to demonstrate just how easy it is to weaponize smart toys, appliances, and other devices that fall into the category of Internet of Things. After using a Raspberry Pi-based computer connected to his laptop to scan the room for smartphones, he downloaded dozens of numbers, some reportedly from top officials. From there, he hacked into the toy bear using one of the phone numbers and recorded a message from the audience.

Read More

“From terminators to teddy bears, anything or any toy can be weaponized,” he told the audience, according to the Guardian.

As impressive as the display was, the concept isn’t entirely new. Back in February, a security expert successfully hacked into the same CloudPets smart bear after the company who makes it, Spiral Toys, accidentally exposed the account details of over 800,000 users and over two million recorded messages sent between parents and kids. So the bear itself was a known security risk.

That said, Paul’s demo did hammer home the point: The Internet of Things can be a dangerous place. Any device connected to the internet can be used to spy on, or track or steal data from people. Even scarier for parents, said Paul, a talking toy could be programmed to tell a child “meet me at this location and I will pick you up.” He later told Security Week, “Most internet-connected things have a blue-tooth functionality. I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light.”

While all of this may seem remarkable for an 11-year old, this prodigy’s actually been at it for a while now. According to his dad, Paul first demonstrated his above-average understanding of technology around age six. Since then, he’s gone on to become the CEO of Prudent Games, a company that aims to make creating strong passwords fun. As well as founded CyberShaolin, a non-profit dedicated to “informing kids and adults about the dangers of cyber-insecurity,” writes The Guardian. And when he’s not hacking into toy bears or tweeting about cyber security from his Twitter handle RAPst4r, he’s reportedly the youngest American to earn a Shaolin Kung Fu black belt. So take that Anonymous.

Get Fatherly In Your Inbox