Lessons in Cybersecurity from an 11-Year-Old
WHEN HE’S NOT obsessing over cybersecurity, giving a keynote speech in The Hague or New Delhi, or working on the next degree of his black belt in Shaolin Kung Fu, Reuben Paul can usually be found doing his homework. After all, he’s only 11 years old.
Reserved and humble, the thoughtful lad with quiet eyes would seem like any other Texas pre-teen if behind them wasn’t a serious preoccupation with cybersecurity.
Reuben got his start in network security at the age of eight, thanks to his father, Mano, who also works in the field. Years of listening in on dad’s business calls taught him the basics, and when Reuben helped his father out by reminding him of a key security term he’d forgotten, Mano figured the kid might have a knack for the industry. His immersion into computer and network security came faster than anyone could have expected: Within months Reuben had hacked a smartphone, designing a fake app that looked like a game. “If you tap on it, I immediately have full root access to the device and can turn on the camera,” he says. “I did that when I was nine.”
But Reuben found himself in the limelight—and on security conference stages across the world—when he set his mind to hacking his own seemingly innocuous toy: a teddy bear embedded with a voice recording system. The idea of the bear—Reuben calls him “Bob”—is that parents can use a smartphone app to record a message for their child, then upload it to the toy. After the child hears the message from the bear’s mouth, he can record his own response and send it back to mom or dad’s phone.
Sounds innocuous enough, but in Reuben’s mind it represented a risk in the so-called smart home that could open up families to an unwanted invasion. “We put a sniffer between the bear and phone and started going through the packets,” he says. “Eventually we reverse-engineered them and figured out how to turn the microphone on at will. I can stand outside anyone’s house and connect to the toy bear. I could do the same kind of thing outside a hospital room, or a government building,” he says.
This problem has arisen because of the way security, and more specifically home security, has been treated in the past. As Bitdefender Chief Security Researcher Alex Balan notes, “What we need are more and better solutions that cover a family’s needs as much as possible.”
The good news is that none of this is cause for panic, and Reuben wants to keep it that way. So he’s on a mission to educate both kids and adults about the risks of these kinds of devices, all part of the nascent Internet of Things. He’s even started a nonprofit company called CyberShaolin, which leverages Kung Fu symbology to train children in cybersecurity basics. New students in the program begin as a white belt. As they progress through the online lessons, eventually they earn their digital black belt in cybersecurity.
For us grown-ups, Reuben says that if developers and users were smarter about security, things would be a lot better in the world of the connected home. Failing that, external tools can help fill the gaps. Devices like Bitdefender’s BOX can monitor a home or business for unauthorized traffic. BOX treats all devices—computers, phones, televisions, and even a toy bear—the same way, watching for rogue network traffic and malicious activity and blocking it outright. “A firewall alone can’t protect you,” says Reuben. “We just need better training… and more secure products.” Balan adds, “People shouldn’t have to care how security works as long as they’re subscribed to a decent service that takes care of it for them.”
Today, Reuben’s counsel is in high demand. He travels so much that he’s on his third passport, but the bright young boy has eyes firmly on the future. “I want to use my cybersecurity skills for the good of humanity. I want to be a businessman by day and a cyberspy by night and also an Olympic gymnast,” he says.
“But first I have to pass the sixth grade.”