Barnaby Jack
New Zealand hacker, programmer and computer security professional
- Life: 1977 – 2013
- Born: November 22, 1977
- Died: July 25, 2013
- Nationality: New Zealand
Barnaby Michael Douglas Jack was a New Zealand hacker, programmer and computer security expert. He was known for his presentation at the Black Hat computer security conference in 2010, during which he exploited two ATMs and made them dispense fake paper currency on the stage. Among his other most notable works were the exploitation of various medical devices, including pacemakers and insulin pumps.
Early Life
Barnaby Michael Douglas Jack was born on 22 November 1977 in New Zealand. Details of his early life and education are not widely documented in public sources.
Career
Jack built a reputation as one of the most technically skilled and publicly visible security researchers of his generation, with a focus on embedded systems and hardware security. At the time of his death, he held the position of Director of Embedded Device Security at IOActive, a professional security services firm. Prior to that role, he worked at McAfee Security, where he conducted some of his most consequential research into medical device vulnerabilities.
Notable Work
ATM Jackpotting
Jack is perhaps most widely recognized for his 2010 presentation at the Black Hat computer security conference, in which he demonstrated a technique he called "jackpotting" — causing ATMs to dispense cash without the use of a bank card or legitimate account withdrawal. He demonstrated two distinct attack vectors: one requiring physical access to the machine, in which a flash drive loaded with malware was used to gain unauthorized control over the currency dispensing mechanism, and a second fully remote attack that exploited vulnerabilities in ATM remote management systems, including the use of default passwords and exposed TCP ports. In both cases, malware was injected into the ATM's operating system, enabling the attacker to command the machine to dispense currency on demand.
Insulin Pump Vulnerabilities
In October 2011, while working for McAfee Security, Jack presented his research on wireless insulin pump security at the McAfee FOCUS 11 conference in Las Vegas. Using a high-gain antenna, he demonstrated that he could gain complete control of insulin pumps without prior knowledge of their serial numbers. In a live demonstration, he caused a pump to repeatedly deliver its maximum dose of 25 units until its full 300-unit reservoir was exhausted — a quantity representing many times a lethal dose for a typical patient. He extended this demonstration at the RSA Security Conference in San Francisco in February 2012, showing that the attack could be executed wirelessly from a distance of up to 90 meters.
Pacemaker Vulnerabilities
Also in 2012, Jack demonstrated the ability to deliver a potentially fatal electric shock to a pacemaker wearer by exploiting wireless vulnerabilities in the device. He gave a live demonstration of this attack at the BreakPoint security conference in Melbourne. He subsequently developed software capable of remotely sending an electric shock to anyone wearing a compatible pacemaker within a 50-foot radius. At the time of his death, Jack was preparing to present further research on heart implant vulnerabilities at the Black Hat 2013 conference in Las Vegas.
Recognition and Influence
Jack's research had measurable real-world impact. In 2012, his testimony before relevant authorities contributed to the United States Food and Drug Administration revising its regulations concerning wireless medical devices. He was widely regarded among industry professionals as a significant influence in both the medical device and financial security fields. Black Hat general manager Trey Ford described Jack's life and work as "legendary and irreplaceable" following his death.
Death
Jack was found dead in a San Francisco apartment on 25 July 2013, discovered by his girlfriend. The coroner's report determined that he died of an overdose involving heroin, cocaine, Benadryl, and Xanax. He was 35 years old. His scheduled presentation slot at the Black Hat 2013 conference was left unfilled rather than given to another speaker, a decision made in recognition of his contributions to the field.




