Barnaby Jack

Barnaby Michael Douglas Jack (22 November 1977 – 25 July 2013) was a New Zealand hacker, programmer and computer security expert. He was known for his presentation at the Black Hat computer security conference in 2010, during which he exploited two ATMs and made them dispense fake paper currency on the stage. Among his other most notable works were the exploitation of various medical devices, including pacemakers and insulin pumps. Jack was renowned among industry experts for his influence in the medical and financial security fields. In 2012 his testimony led the United States Food and Drug Administration to change regulations regarding wireless medical devices. At the time of his death, Jack was the Director of Embedded Device Security at IOActive.


"Jackpotting" ATMs

At a Black Hat conference in 2010, Jack gave a presentation on "jackpotting", or causing automated teller machines to dispense cash without withdrawing it from a bank account using a bank card. The scenario was first described in fiction in the 1995 cyberpunk movie Hackers. Jack gave demonstrations of different kinds of attacks, involving both physical access to the machines and completely automated remote attacks. In both cases, malware was injected into the operating system of the machines, causing them to dispense currency fraudulently on the attacker's command. In the physical attack on an automated teller machine (ATM) as demonstrated by Jack, the attacker takes advantage of physical access to the target machine and uses a flash drive loaded with malware to gain unauthorised access to the machine, allowing control over its currency dispensing mechanism. In the remote attack, malware is installed onto the target system via exploited vulnerabilities in the remote management system, most notably the use of default passwords and remote management TCP ports. The attacker then executes the malware, causing the target ATM to dispense currency.


Insulin pumps

At the McAfee FOCUS 11 conference in October 2011 in Las Vegas, while working for McAfee Security, Jack first demonstrated the wireless hacking of insulin pumps, one worn by a diabetic friend and another of the same model on a bench set up for demonstration. Interfacing with the pumps with a high-gain antenna, he obtained complete control of the pumps without any prior knowledge of their serial numbers, up to being able to cause the demonstration pump to repeatedly deliver its maximum dose of 25 units until its entire reservoir of 300 units was depleted, amounting to many times a lethal dose if delivered to a typical patient. At the RSA Security Conference in San Francisco in February 2012, using a transparent mannequin, he demonstrated that he could wirelessly hack the insulin pump from a distance of up to 90 metres using the high-gain antenna.


Pacemakers

In 2012 Jack demonstrated the ability to assassinate a victim by hacking their pacemaker. This scenario was first explored in fiction on the TV series Homeland. In his blog post "Broken Hearts", Jack wrote that the hack was even easier than portrayed: "TV is so ridiculous! You don't need a serial number!" Jack demonstrated delivering such a deadly electric shock live at the 2012 BreakPoint security conference in Melbourne. In the game Watch Dogs, a similar hack is shown by black hat Aiden Pearce in killing one of the main antagonists.


Heart implants

Jack died a week before he was to give a presentation on hacking heart implants at the Black Hat 2013 conference scheduled to be held in Las Vegas. In a June 2013 interview with Vice, Jack outlined his presentation:

Barnaby Jack, the director of embedded device security for computer security firm IOActive, developed software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. He also came up with a system that scans for any insulin pumps that communicate wirelessly within 300 feet, allows you to hack into them without needing to know the identification numbers and then sets them to dish out more or less insulin than necessary, sending patients into hypoglycemic shock quickly if excessive insulin was dispensed or ketoacidosis if not enough insulin was dispensed over a period of time.

In his presentation, Jack was set to outline vulnerabilities in various medical devices, as well as give safe demonstrations of attacks with which there is "certainly a potential health risk".


Death

Jack was found dead in a San Francisco apartment on 25 July 2013 by his girlfriend. According to the coroner's report, Jack died of an overdose of heroin, cocaine, Benadryl and Xanax. He was 35 years old. At the time of his death, he was due to attend a Black Hat Briefings hacking conference in Las Vegas. Black Hat general manager Trey Ford said "Everyone would agree that the life and work of Barnaby Jack are legendary and irreplaceable", and announced his spot would not be replaced at the conference.


In popular culture

Barnaby Jack's "jackpotting" technique, in which one or multiple ATMs are hacked and forced to spit out any amount of cash, triggered by a number of events, all described in Jack's 2010 Black Hat presentation, was used as the plot line of the 20 December 2015 episode of series 2 of the CBS crime drama CSI: Cyber. Apart from showing the hack in use and explaining how it works, the episode also included other nods to Barnaby Jack and his work, including naming the hacked bank "Barnaby Bank". The CSI spinoff focused on a team of FBI agents and ex-blackhat hackers working to stop various cyber threats across the US.

