RIP

01.03.14

Death of Hero Hacker Barnaby Jack Ruled a Drug Overdose

After months of dark rumors and speculation, a medical examiner’s report reveals what really happened to the New Zealand-born hacker.

The death of famed “white hat” hacker Barnaby Jack, known as a genius in the information security world and the life of the party to friends, has been ruled a drug overdose by the San Francisco medical examiner’s office.

According to the report, Jack died as a result of a mix of heroin, cocaine, Benadryl, and Xanax.

The report, issued over five months after the 36-year-old’s death in July, will bring to an end the wild and often conspiratorial speculation over how a talented, seemingly healthy man in the prime of his life could have died days before he was meant to give an anticipated demonstration at the annual Black Hat convention in Las Vegas, the world’s largest hackers’ conference. In his presentation, “Implantable Medical Devices: Hacking Humans”, Jack was slated to show off the fruits of his latest research by hacking into pacemakers and implanted defibrillators—a feat he asserted could kill a man from 30 feet away.

But Jack would never have used his work to actually hurt anyone. “I suppose I’m on the good side of the fence,” he told a reporter in 2010.

The planned implantable device hack was just the latest from the excitable researcher, known for high-profile performances that captured the imaginations of hackers and laymen alike and brought attention to the issue of technology security—a field Jack saw as more important than ever. (“Has there ever been a box connected to the Internet that people haven’t tried to break into?” he recently asked.)

His stunts were more than just the attention-grabbing antics of a showman—though he was open about the desire to impress his peers. He hoped his work would “bring about some real positive change and…get these devices up to scratch,” he explained in a podcast interview last year.

But that work was cut short. The New Zealand native’s body was discovered in bed on July 25 at his Nob Hill apartment, by his girlfriend, Layne Cross, according to the medical examiner's report. Police immediately ruled out foul play and his body was sent to his home country to be buried.

Following his sudden death, friends and coworkers took to Twitter and blogs to remember the elite hacker, sometimes painting conflicting portraits of Jack—as both a shy, brilliant researcher and a wild partier. Jack was “a man who partied so hard that you worried about his health and well-being,” journalist and security specialist, Ryan Naraine, wrote after Jack’s death.

More importantly, Jack’s work and his legacy in the information technology community were heralded. He was praised for “raising the alarm about the security of implanted medical devices,” in The Age, one of Australia’s largest daily papers. His findings were also instrumental in a 2012 Government Accountability Office (GAO) report suggesting the Federal Drug Administration should improve information security for the technology. While the FDA hasn’t yet formally responded, the Department of Health and Human Services agreed with the GAO findings; as Jack said on the Risky Business podcast, “it looks that they will be requiring these devices be audited.”

In 2011, while working at the security technology firm McAfee, Jack discovered weaknesses in insulin pumps that could cause the release of lethal doses straight into the bloodstream of diabetics. He presented his findings by live-hacking a friend’s pump at a conference, prompting the medical device maker Medtronic Inc. to make safety and security improvements.

Black Hat Conference organizers praised Jack’s contributions in a statement following his death. “The life and work of Barnaby Jack are legendary and irreplaceable,” it said. “Barnaby had the ability to take complex technology and intricate research and make it tangible and accessible for everyone to learn and grow from.”

Matthieu Suiche, the chief scientist at the security company, CloudVolumes, called Jack, “brilliant,” in an interview with the Guardian. “In this world full of people fearfully complying and worrying, very few people are crazy enough to challenge the rules, to approach life in an unconventional paradigm and to speak up to contribute to change this world,” he said.

While his later work is arguably more noteworthy in the respect that it could save lives, Jack was best known for a 2010 demonstration of “Jackpotting”—in which he hacked into multiple ATMs and forced the machines to spit out money. Jack only released the how-to of the hack to the ATM makers, and only after the fixes had already been made. “We were really careful when we gave this demonstration to make sure that the vendors had mitigation remediation in place before we went up and did it,” Jack told CNN after the demonstration.

Likely because of the sensational nature of the work Jack did, Internet sleuths were immediately drawn to the mysterious circumstances surrounding his death. On Twitter and Reddit, conspiracy theorists armed with a dearth of details leapt to the conclusion that Jack’s hacking skills—while only ever used legally, with a mission to help improve technology safety and security so that vulnerabilities couldn’t be exploited by “black hat” hackers—somehow made him a target for big business or a government agency like the CIA.

“Barnaby Jack was obviously murdered and if you don’t believe that you’re blind,” one tweet reads, echoing a similar strain of thought posted to several online forums.

Others linked his death with the passing of journalist Michael Hastings, whose reporting in Rolling Stone led to the resignation of Gen. Stanley McChrystal. Hastings was killed in a fiery late-night car crash in Los Angeles in June. Pointing to an email in which Hastings describes being under investigation by federal authorities because of “a big story” he was onto, skeptics contend the accident was caused or staged by the government in order to silence him.

People who knew Jack in real life did little to quell the rumors. Friends and family refused to talk to reporters about events surrounding Jack’s death. His sister, Amberleigh Jack, a 32-year-old freelance writer in Auckland, New Zealand, requested privacy, tweeting, “Sorry but I need a few days to grieve with family and friends.” When the International Business Times reached out for a story on the conspiracy theories, one friend responded in an email, “I could not care less what you, his fans, or any acquaintance needs as far as closure. What is important is that his family is allowed to deal with the tragedy and find their own closure without the distraction or drama.”

People who knew the info security specialist and his work have met in real and online spaces to offer memorials. Colleagues and friends remembered Jack at this year’s Black Hat conference—the same summit he was set attend within days of his death—by giving him a Pwnie lifetime achievement award and gathering in the room where he was scheduled to demonstrate his high-profile hack.

Amberleigh wrote a tribute published on the New Zealand blog Public Address. “…My mother lost her son…I lost my brother…the world lost a genius,” it read. “He was more than a famous hacker…more than the life of the party that everyone instantly loved.”