Life and times of a celebrated hacker

By Andrew Stone

Self-taught Kiwi computer whiz Barnaby Jack became a US cyber-star after he found security flaws in high-tech equipment. Andrew Stone looks at his too-brief career

Barnaby Jack stunned a Las Vegas computer security convention when he made an ATM machine disgorge its contents with a few hacking instructions. Photo / Dan Tentler
Barnaby Jack stunned a Las Vegas computer security convention when he made an ATM machine disgorge its contents with a few hacking instructions. Photo / Dan Tentler

Obituary: Barnaby Michael Douglas Jack (1977-2013)

Superstar computer hacker Barnaby Jack had a spectacular party trick.

He could make an ATM machine cough up its contents until not a note remained inside its tough, steel skin.

In Las Vegas yesterday - the same city where he unveiled his cash-flow caper - the clever New Zealander was to unveil another feat of technological wizardry. This time his genius had a deadly tweak. Jack had a slot at a showcase industry gathering to demonstrate how he could evade the best security and fatally hack into humans fitted with pacemakers or heart defibrillators simply by using a smartphone from 10m away.

His work, he firmly believed, had a noble intent. He wanted to expose flaws in the medical technology so the devices could be fixed before patients suffered harm.

The conference went ahead, but without Jack.

The 35-year-old died last week in circumstances which have yet to be disclosed. His body was found at his San Francisco apartment in the city's Nob Hill area. The San Francisco medical examiner's office has said it could be several months before the cause of Jack's death is released, a delay which has been filled by internet conspiracies speculating that the talented "white hat hacker" was the target of dark corporate deeds.

The wild chatter was driven partly by the field in which Jack excelled. Besides cracking the codes of ATMs and pacemakers, Jack achieved a celebrated breakthrough when he got into insulin pump technology and made a device flood a see-through mannequin with a fatal dose. Tens of thousands of Americans wear tiny electronic gadgets on their belts to deliver measured amounts of the life-saving hormone. At the time on Twitter, Jack wrote there was "no limit to insulin I can deliver".

His insulin discovery caused a stir with critics arguing it would prompt malicious hackers to replicate Jack's work and try and mess with pumps. But Jack was always very cautious when he performed for technophiles, obscuring the sensitive details of his work and pleading with audiences not to take snaps with their smartphones.

In a blog he wrote in February on the website of his employer, Jack said his research was not intended to make people wary of medical devices or encourage real-world attacks. He wanted manufacturers to rectify potentially fatal faults in their equipment because they didn't anticipate savvy technicians figuring out what was going inside their smart boxes.

Interviewed by Bloomberg, Jack said:"These are computers that are just as exploitable as your PC or Mac, but they're not looked at as often. When you actually look at these devices, the security vulnerabilities are quite shocking."

On the social news website Reddit, Jack's endeavours and his untimely death were enough to promote sceptical chatter, much of it aimed at Washington.

"The CIA didn't want the competition," posted one user, claiming that government officials didn't want Jack to expose pacemaker security flaws because they planned to exploit them against political opponents.

One post said: "Must be yet another coincidence. Nothing to see here, people. Out of curiosity, how many politicians have these implants?"

This was reference to an episode in season two of the TV drama Homeland, when the pacemaker of Vice-President William Walden (played by Jamey Sheridan) was hacked by a terrorist. Jack watched the show and wondered how close Hollywood was to reality.

Pretty close, he concluded: "In the future, a scenario like this could certainly become a reality."

Police in San Francisco say that no foul play was suspected in Jack's death.

In Auckland, his sister Amberleigh, 32, said: "Barnes [the name she and friends used to refer to her brother] used to say these things have these flaws and they're not going to be fixed until someone like me says this needs to be done."

Amberleigh said her brother was always fiddling with computers and electronics. His San Francisco apartment was filled with the innards of machines. When he came back to New Zealand to visit, he'd leave behind printed circuits and discarded drives.

As a boy, she recalled, he had dismantled his father Michael's computer to see how it worked. Years later he did much the same for her when her machine packed up.

"I was trying to work out how to get a new one. He said 'I'll just build you one' and that night I had a new computer."

That curiosity prompted him to find a way into the cash machines. Living in San Jose, in the heart of Silicon Valley, Jack bought a couple of ATMs off the internet and had them delivered to his apartment.

Interviewed in 2010 about the purchases, Jack recalled: "So the guy, he wheels in this ATM, and he's like, 'Why on earth do you need an ATM in your house?' And I'm like, 'Oh, I just don't like the transaction fees, mate'."

He tried the trick on a trip to the Gulf. At a casino in Abu Dhabi, the hotel manager let Jack work his magic - 'Jackpotting' he called it - on a cash machine. But the gold-coloured ATM was not hotel property. The American Embassy was called in to resolve the misunderstanding.

Educated at Selwyn College, Barnaby Jack worked from New Zealand for an American computer firm before moving to the US 10 years ago. Everything he knew about computers, their software and their shortcomings was self-taught.

"He'd read textbooks," Amberleigh Jack said, but mostly he just had a gift for understanding what made computers work.

She said he was humble about his talents. "You never knew what was going on in his head".

Their mother recalled a similar remark about her son at a parent-teacher evening: "The teacher said, 'Well, that's where he sits physically; his mind, I've got no idea'."

Jack did not relish the limelight or celebrity that came with his exploits. "He wanted to find the stuff and fix it. He gave the talks because it needed to be done. He gave a bit of press because he had to."

She felt he had inherited some of his personality from their late father, a broadcaster who was once a Radio Hauraki "pirate". Their mother, Sammi, a former nurse, is a healthcare manager.

The Jack siblings were close. Amberleigh said she drove all over Auckland with her brother - he never learned to use a car - collecting food dyes he used for his startling insulin experiment.

The insulin work prompted the medical device maker Medtronic Inc to renew their product designs and was recognised by the US Government.

William Maisel, deputy director for science at the Food and Drug Administration's Centre for Devices and Radiological Health, said: "The work that Barnaby Jack and others have done to highlight some of these vulnerabilities has contributed importantly to progress in the field."

In San Francisco, Jack worked as a professional hacker for McAfee, a security-software company, and a string of firms in the electronic security industry for more than a decade.

At McAfee, despite not owning a car, Jack was part of a team which hacked on-board computers in vehicles, to stay one step ahead of enterprising tech-heads who tried to work around embedded processors.

He was working for IOActive, another computer security company, at the time of his death. His latest software project had the scary name "Electric Feel". The idea was to scan for medical devices in crowds and, with no more than a right-click, get them to behave the way you want.

"It's not hard to see why this is a fairly deadly feature," Jack told a conference last year.

Armed with a smartphone, a hacker could not just deliver a lethal zap, but administer shocks on loop. In the wrong hands, the potential was there, he admitted, "to commit mass murder".

In all the work he did, Jack was careful not to let hackers in on his secrets, saying he worked on the "good side of the fence". His mother, he told a magazine, "wouldn't like it if I was in jail".

In Las Vegas yesterday, Jack's place in the programme at the Black Hat security conference remained unfilled, so his friends from the cyber world could celebrate his life and achievements.

His employer posted on Twitter: "Lost but never forgotten our beloved pirate Barnaby Jack."


Jack the white hat

Barnaby Jack was known in the hacking world as a "white hat". This placed him in a different part of the hacking spectrum from the grey and black-hatted hackers. Black is shorthand for illegal hacking practices, whereas grey signals activities which sit on the cusp of legality. White is a flag for someone who hacks for good. Jack insisted his career was all about researching and manipulating exploits in devices for companies, in an effort to make their products safer and more secure.

- NZ Herald

© Copyright 2014, APN New Zealand Limited

Assembled by: (static) on red akl_a4 at 16 Sep 2014 16:03:37 Processing Time: 896ms