Barnaby Jack

Barnaby Michael Douglas Jack (22 November 1977 – 25 July 2013) was a New Zealand hacker, programmer and computer security expert. He was known for his presentation at the Black Hat computer security conference in 2010, during which he exploited two ATMs and made them dispense fake paper currency on the stage. Among his other most notable works were the exploitation of various medical devices, including pacemakers and insulin pumps. Jack was known among industry experts for his influence in the medical and financial security fields. In 2012 his testimony led the United States Food and Drug Administration to change regulations regarding wireless medical devices. At the time of his death, Jack was Director of Embedded Device Security at IOActive.


Security research


ATMs

At a Black Hat conference in 2010, Jack gave a presentation on "jackpotting", or causing automated teller machines to dispense cash without withdrawing it from a bank account using a bank card. The scenario was first described in fiction in the 1995 cult movie Hackers. Jack gave demonstrations of different kinds of attacks involving both physical access to the machines and completely automated remote attacks. In both cases, malware was injected into the operating system of the machines, causing them to dispense currency fraudulently on the attacker's command. During the physical attack on an automated teller machine (ATM) as demonstrated by Jack, the attacker takes advantage of their physical access to the target machine and uses a flash drive loaded with malware to gain unauthorised access to the machine, allowing control over its currency-dispensing mechanism. During the remote attack, malware is installed onto the target system via exploited vulnerabilities in the remote management system, most notably the use of default passwords and remote management TCP ports. The attacker then executes the malware, causing the target ATM to dispense currency.


Medical equipment

At the McAfee FOCUS 11 conference in October 2011 in Las Vegas, while working for McAfee Security, Jack first demonstrated the wireless hacking of insulin pumps, one worn by a diabetic friend and another of the same model on a bench set up for demonstration. Interfacing with the pumps with a high-gain antenna, he obtained complete control of the pumps without any prior knowledge of their serial numbers, up to being able to cause the demonstration pump to repeatedly deliver its maximum dose of 25 units until its entire reservoir of 300 units was depleted, amounting to many times a lethal dose if delivered to a typical patient. At the RSA Security Conference in San Francisco in February 2012, using a transparent mannequin he demonstrated that he could wirelessly hack the insulin pump from a distance of up to 90 metres using the high-gain antenna. In 2012, Jack demonstrated the ability to assassinate a victim by hacking their pacemaker. Jack demonstrated delivering such a deadly electric shock live at the 2012 BreakPoint security conference in Melbourne. Jack died a week before he was to give a presentation on hacking heart implants at the Black Hat 2013 conference scheduled to be held in Las Vegas. In a June 2013 interview with Vice, Jack outlined his presentation:
Barnaby Jack, the director of embedded device security for computer security firm IOActive, developed software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. He also came up with a system that scans for any insulin pumps that communicate wirelessly within 300 feet, allows you to hack into them without needing to know the identification numbers and then sets them to dish out more or less insulin than necessary, sending patients into hypoglycemic shock quickly if excessive insulin was dispensed or ketoacidosis if not enough insulin was dispensed over a period of time.
In his presentation, Jack was set to outline vulnerabilities in various medical devices, as well as give safe demonstrations of attacks with which there is "certainly a potential health risk".


Death

Jack was found dead in a San Francisco apartment on 25 July 2013 by his girlfriend. According to the coroner's report, Jack died of an overdose of heroin, cocaine, Benadryl and Xanax. He was 35 years old. At the time of his death, he was due to attend a Black Hat Briefings hacking conference in Las Vegas. Black Hat general manager Trey Ford said "Everyone would agree that the life and work of Barnaby Jack are legendary and irreplaceable", and announced his spot would not be replaced at the conference.

