Barnaby Jack: Ethical hacker and expert on security for computers



Barnaby Jack, who has died aged 35, was an ethical hacker who had achieved renown for finding, exploiting and exposing flaws in computer security systems. At a conference in 2010 he famously demonstrated his attack on an automated teller machine (ATM), causing the cashpoint to spew out bank notes on demand. His method became known as "Jackpotting". As a "white hat" hacker he sought to publicly discuss and show defects in computer security so that they could be rectified before other, less scrupulous, individuals took advantage of them. "Sometimes you have to demonstrate the darker side," he said of his rationale.

Jack was born in Auckland, New Zealand, and grew up with a fascination for computers of all kinds. At the age of 21 he emigrated to the US and joined the company Network Associates, specialising in computer security issues. He subsequently joined Juniper Networks, a manufacturer of networking hardware, in 2006.

In recent years he had developed a specific interest in what is known as "embedded" technology, the hardware and software which are built into everyday objects around us, such as cars, banking systems, home appliances and medical devices. It was at the Black Hat security conference in July 2010 that he showed his best-known hacking feat, after having experimented with two ATMs he had bought online and installed at home. He recalled of the event: "I demonstrated two different attacks. One was a walk-up attack, where I would literally walk up to an ATM... Within about two minutes it would just start spitting out its entire dispenser. Of course you had to be at the ATM for that one to work."

Of the second presentation he said: "The other attack was completely remote, so I could do it from a laptop in a hotel room or your bedroom... But I also had it harvesting people's credit cards and PIN numbers, which I could then retrieve remotely as well. It was 100 per cent anonymous, and bypassing all authentication."

The following year, while working at McAfee, the virus protection and internet security company, he discovered a fault in computerised insulin pumps that could lead to them releasing lethal overdoses, with the potential to kill diabetics. "My purpose was not to allow anyone to be harmed by this because it is not easy to reproduce," he said in an interview last year, "but hopefully it will promote some change in these companies and get some meaningful security in these devices." The manufacturer promptly announced modifications to the devices to eliminate this potential risk.

Last October he became Director of Embedded Device Security at the company IOActive. It was in this new role that he had been due to present another dramatic attack, which would show flaws in the security of embedded heart pacemaker equipment. The idea had already been anticipated in fiction, in the television series Homeland, which had caused Jack to wonder whether it could be done in reality. He observed that "Malware will often slow down a computer, and when you slow down a medical device it no longer gives the integrity needed to perform as it should."

Jack's proposed technique would allow tampering with the pacemaker from a distance of up to nine metres, using wireless networking technology. He devised a method of logging on to the device without requiring any security and getting it to send an 830-volt jolt of electricity to the person in whom it is implanted. He had already warned of the possible consequences at a conference in Australia last year, saying "...the most obvious scenario would be a targeted attack against a high-profile individual."

He was found dead in a San Francisco apartment a week before the conference at which this technique would be demonstrated, where his talk was to have been entitled "Implantable Medical Devices: Hacking Humans". The initial reaction to his death from some was that this was a practical joke of some kind, organised by Jack himself. His former colleague Dan Kaminsky said via Twitter: "God, the stories. Nobody caused such hilarious trouble like @barnaby_jack"

The conference organisers said Barnaby's talk would not be replaced – "No one could possibly replace him, nor would we want them to. The community needs time to process this loss. The hour will be left vacant as a time to commemorate his life and work, and we welcome our attendees to come and share in what we hope to be a celebration of his life. Barnaby Jack meant so much to so many people, and we hope this forum will offer an opportunity for us all to recognise the legacy he leaves behind."

Barnaby Jack, computer security specialist: born Auckland, New Zealand 22 November 1977; partner to Layne Cross; died San Francisco 25 July 2013.