Think there’s nothing more innocuous than a teddy bear? Think again, says cybersecurity expert Reuben Paul.

At age 11, Reuben already knows more about online safety than most adults. Delivering the keynote address at the 2017 International One Conference, recently held at The Hague, he astonished spectators by demonstrating how easily an internet-connected “smart” toy can be weaponized to steal sensitive information.

Reuben had researched vulnerabilities in his “smart” teddy bear, which connects to the internet via Wi-Fi and has an embedded microphone. “Exploiting this weakness, I was able to turn on the microphone and use that as a spying device” at the conference, he said.

Reuben Paul talking on stage (© Mano Paul)
Reuben Paul speaks at the International One Conference, The Hague, Netherlands. (© Mano Paul)

To do it, Reuben plugged a Raspberry Pi (a tiny computer board) into his MacBook computer, which he connected to the bear. He then scanned the room for Bluetooth devices within range. The scan picked up all of those in-range devices.

Audience members — especially the owners of the scanned devices — were stunned to learn how easily they might be hacked, although Reuben was careful to stop short of any hacking activity.

It was a good example for the conference, which was debating how best to secure the “Internet of Things.” That term refers to the concept of connecting everyday objects to the Internet or to each other. And Reuben’s teddy bear had just revealed its danger.

“The [Internet of Things] is the next generation of technology, and we are all going to have to embrace it,” said Reuben. But people should be “cautious about connected toys and systems, and not recklessly accept any device” without determining if it’s secure.

Reuben began learning about cybersecurity at age 6 from his dad, a cybersecurity professional. By the time he was 8, Reuben had delivered a talk at a cybersecurity conference in Louisville, Kentucky.

Since then he’s been invited to conferences at home and abroad, and corporations ask him to give talks on cybersecurity. He always warns against reusing passwords: “Most people use the same password for their bank accounts and their social media accounts. So if a password gets hacked, the hacker will have total access to that person’s digital identity.”

He also warns against connecting to public Wi-Fi access points, and tells people to regularly update their software systems.

Reuben offers these “three T’s of online cybersecurity.”

  • Don’t Talk = Don’t give out personal information online.
  • Don’t Take = Don’t click on any links in emails without checking to see if they are valid.
  • Don’t Trust = Everybody online is a cyber stranger. Don’t trust anyone, because you could be the victim of a phishing or other malicious attack.

In addition to speaking and practicing gymnastics and kung fu, Reuben is also the head of a nonprofit organization that seeks to educate people about cybersecurity.

Reuben says he would eventually like to be “writing apps and video games, and to be a cyber spy at night, helping protect others and our country from cyberthreats.”

But first, he says, “I need to pass sixth grade.”