
07.26.13

The Good Hacker: Barnaby Jack Dies

He could make ATMs spit out cash on demand and kill a man with just a computer, but Barnaby Jack used his powers only for good. Brandy Zadrozny on the shocking death.

Barnaby Jack could kill a man by computer from 30 feet away, but he never would.

The renowned 35-year-old hacker, who revolutionized bank and medical device security, died on Thursday in San Francisco. According to the San Francisco Police, officers responded to a call that evening after his body was discovered by a loved one. The San Francisco medical examiner has not determined a cause of death.

The New Zealand native was the best kind of hacker, a “white hat” whose mission to identify vulnerabilities in systems wasn’t meant to wreak havoc, but to effect change in technology safety and security.

His shocking death comes just days before he was meant to give an anticipated presentation called “Implantable medical devices: hacking humans” at the Black Hat computer security conference in Las Vegas, in which he would demonstrate shortcomings in medical devices like pacemakers and defibrillators.

Despite incredulous reactions to the Homeland episode in which a character is killed when a terrorist hacks into his pacemaker, Jack understood that flaws in the medical device design indeed made it more possible than anyone else imagined. In a 2013 blog post, “Broken Hearts,” Jack explained that the scene “was not too far off the mark.”

“The technology as it stands could very easily be adapted for physicians to remotely adjust parameters and settings on these devices via the bedside transmitters,” Jack wrote. “In the future, a scenario like this could certainly become a reality.”


In a 2012 speech at the BreakPoint security conference in Melbourne, Jack actually demonstrated this type of “anonymous assassination” by reverse-engineering a pacemaker transmitter that could deliver deadly electric shocks. A video of the demonstration isn’t available because Jack didn’t want to reveal the name of the manufacturer and put anyone in danger.

He told conference goers, “With a max voltage of 830 volts, it's not hard to see why this is a fairly deadly feature. Not only could you induce cardiac arrest, but you could continually recharge the device and deliver shocks on loop,” according to a report in SC Magazine.

In describing his good intentions he said, “Sometimes you have to demonstrate the darker side.”

Jack’s work was hailed by industry experts and he was praised for “raising the alarm about the security of implanted medical devices” in Australia’s daily, The Age. Although he was cited often in the media, much of the reporting had, according to Jack, “out-of-context doomsday headlines.”

His findings were also instrumental in a GAO report, released in 2012, suggesting the FDA should improve information security for medical devices.

In 2011, while working at McAfee, he discovered weaknesses in insulin pumps that could cause the release of lethal doses of insulin straight into the bloodstream of diabetics. He presented his findings by live-hacking a friend’s pump at a conference, prompting the medical device maker Medtronic Inc. to make safety and security improvements.

While his later work is arguably more noteworthy in the respect that it could save lives, Jack is perhaps best known for a 2010 demonstration of "Jackpotting"—where he hacked into multiple ATMs, forcing them to spit out money. Jack only released the how-to of the hack to the ATM makers.

Proving once again his pure intentions, Jack was actually scheduled to give the presentation a year earlier, but delayed after one of the notified ATM manufacturers, Triton, asked for more time to fix the bug.

Jack’s death, in which San Francisco police have ruled out foul play, is the latest to rock the tech community in the last year. RSS creator and activist Aaron Swartz hanged himself in January and videogame designer Kenji Eno died from heart failure in February.

Messages of condolence quickly amassed on Twitter from friends and strangers alike.

His current employer tweeted, “Lost but never forgotten our beloved pirate, Barnaby Jack has passed. He was a master hacker and dear friend. Here's to you Barnes!”

His sister Amberleigh Jack has asked for time to grieve with family and friends but tweeted her thanks for support:

“So humbled by the social media flood of people that loved @barnaby_jack . thank you all so much for your kind words.”

And conference attendees plan on meeting in the room where Jack would have presented to gather and remember Jack and his contributions to the industry. Black Hat released a statement that read in part:

“Black Hat will not be replacing Barnaby’s talk on Thursday, Aug. 1. No one could possibly replace him, nor would we want them to. The community needs time to process this loss. The hour will be left vacant as a time to commemorate his life and work, and we welcome our attendees to come and share in what we hope to be a celebration of his life. Barnaby Jack meant so much to so many people, and we hope this forum will offer an opportunity for us all to recognize the legacy that he leaves behind.”