White-Hat Hacker Barnaby Jack Dies10:35 AM EST Fri. Jul. 26, 2013
Barnaby Jack, a prominent white hat hacker and embedded systems expert with a penchant for pulling off spectacular hacks of devices at conferences globally, has died just days before a scheduled presentation at the Black Hat security conference in Las Vegas.
Jack most recently was the director of embedded security research at IOActive. He had worked in the security industry for more than a decade, serving in various roles at McAfee, Juniper Networks, eEye digital Security and FoundStone.
Reached by phone, IOActive's Gunter Ollmann said he was unprepared to speak publicly about the researcher. A message on Twitter from IOActive praised Jack for his research over the last decade.
"Lost but never forgotten our beloved pirate, Barnaby Jack has passed. He was a master hacker and dear friend. Here's to you Barnes!," the IOActive message read.
Jack was scheduled to give a presentation on the security of wireless implantable medical devices at Black Hat 2013. The demonstration was to show how a bedside transmitter could scan and disrupt the processes of implanted heart devices. Reuters reported that the San Francisco Medical Examiner's office confirmed his death in the city Thursday. It did not elaborate on the cause of death.
The embedded systems expert took the stage at Black Hat in 2010, providing a stunning performance when he exploited weaknesses in widely used models of ATMs, causing them to spit out money on stage at the hacking conference. He also exposed a bogus ATM machine a year earlier at a Las Vegas hotel hosting the DefCon 17 conference.
Jack later turned his focus to hacking automobile systems and electronic medical devices, showing how small systems and components that run critical processes can be used by an attacker to cause serious damage or death.
At Hacker Halted conference in Miami in 2011, Jack showed how he could use a transmitter to interrupt medical insulin pumps. The tiny transmitter had a 300-foot radius and could control just about any embedded medical device, Jack said.
HD Moore, chief research officer at Rapid7 and chief architect of the Metasploit penetration testing framework, said Jack's work had a significant impact, forcing manufacturers to take action.
"He was one of those rare folks who does a great job with research and working with vendors to get weaknesses fixed," Moore said. "He was willing to go all out on his research the way other folks weren't."
Joshua Drake, a senior research scientist at Accuvant, said he remembers spending a lot of time with Jack at Black Hat Abu Dhabi in 2010. "He's a really fun-loving guy and liked to have a good time and a really sweet guy all around," Drake said.
Drake called Jack's research "noble," saying that he chose to go after difficult projects because the outcome could have a major impact on security and safety. Working with embedded systems can be difficult because it's about pulling apart the firmware and digging into closed systems where there isn't much documentation or publicly available source code, Drake said.
"He realized that medical devices could be an area where he could help improve the situation because people's lives are at stake," Drake said.
PUBLISHED JULY 26, 2013