Security researcher Barnaby Jack was
found dead by a loved one in San Francisco Thursday night. Jack, 36, had been
scheduled to make a presentation at the Black Hat Conference in Las Vegas on Aug. 1 showing how he was able to remotely
shock a pacemaker. The San Francisco police have not released details about the death other than it was “
not foul play.” Survivors include Jack’s mother and sister, who live in his native New Zealand.
Barnaby Jack was known for his showmanship in presenting his tech research. (Isaac Brekken/Associated Press file photo)
Jack made headlines for his showmanship when sharing his research on
security vulnerabilities in digital systems. At the 2010 Black Hat
conference in Las Vegas, he hacked an ATM to spit out $20 bills while
flashing
“JACKPOT.” That work, along with his more recent research on embedded
medical devices, illuminated a new frontier for penetration testing as
more and more electronic devices are becoming able to communicate
wirelessly with the outside world.
The news of Jack’s passing spread through the computer security
community Friday morning, triggering shock and sadness. Organizers at
Black Hat
called
his death the loss of a family member and announced that they won’t be
replacing his pacemaker talk on Thursday. Instead, the hour will remain
open for attendees to come join “a celebration of his life.”
David Marcus, a researcher at the security technology company McAfee,
says that Jack’s work on embedded devices was at the “bleeding edge” of
security research. When Jack worked at McAfee, he turned his attention
to insulin pumps, eventually figuring out how to cause the devices to
erroneously dispense potentially lethal doses of insulin from up to 300
feet away. Carrying on his flair for the dramatic, he
presented
it last year using a clear mannequin torso, red liquid and a handheld
antenna. His most recent work at security firm IOActive Inc focused on
embedded devices, including the pacemaker hack he was to present at the
conference.
“The internet gets hacked all the time.”
The number of devices are being connected to wireless networks is
growing. Security researcher Dan Kaminsky says that pacemakers are a
prime example: They “are not a new technology; they’ve been around for
decades. But more and more pacemakers, like other technology, are
looking like the devices we use to run the Internet.”
That advancement is troubling, he notes, because “the Internet gets
hacked all the time.” The Internet, Kaminsky argues, has been able to
innovate so much partly because “if you screw up nobody dies. Nothing
that bad happens. Someone’s Facebook page is corrupted, oh well, we’ll
fix it. Someone’s computer crashes? Oh well, whatever.”
And according to Kaminsky, nearly everything is moving to the
Internet model because, “it’s easier to maintain, it’s easier to fix,
and all of those other metrics like usability and performance are a heck
of a lot easier to manage when it works like the Internet, not like
hardware from 30 years ago.” But as our
cars, our
houses and, yes, our medical devices are getting shifted into Internet mode, the security stakes are raised.
“If you want these flaws to be dealt with” Kaminsky advises, “you
need to have this community that’s able to say we have many engineering
requirements. Software has to be usable, fast, reliable, and yeah, it
actually has to be secure too.” Especially when talking about connecting
devices that consumers are literally trusting their lives with to a
network. Barnaby Jack’s research spurred companies that built embedded
devices to take security more seriously.
A “hacker’s hacker”
“He was a hacker’s hacker” says McAfee’s Marcus. “He had the kind of
skills the rest of us wish we had.” Jack had a knack for looking at a
system, determining its weaknesses figuring out how to fix them — before
the bad guys did damage.
Marcus laments that some people have misconceptions about hackers
that seem to come straight out of ’90′s movies: “They seem (to) think
it’s some pimple kid in a basement or some evil organization trying to
steal credit card numbers” when many people who consider themselves
hackers would take “true offense” to that stereotype, he says. For
computing security researchers like Barnaby, hacking was a means to
“solve big problems, keep people and data safe” by beating the
adversaries in finding problems.
Jack was well-known in the security world. “Everyone had a drink with
Barnaby, or an ‘I had a good time with Barnaby’ story,” Marcus recalls
of the “just such a likable little imp.” After one conference, he
remembers Jack calling him from across a bar. Marcus joined him for
drinks, throughout which Jack occasionally shot him in the face with
water from a compromised insulin pump while they spoke about ways to
demonstrate the vulnerability.
Similarly, Kaminsky says, “there’s the model of the hacker as the
trickster in literature, and that described (Jack) to a T.” Recalling a
Black Hat conference in Abu Dhabi, he says Jack treated the cultural
briefing of things not to do like a “to do list.”
Barnaby with a gold bar dispensing ATM. (Image from
Twitter)
The one time he could recall seeing Jack spooked was at that
conference, Kaminsky says. The hotel had an ATM that dispensed gold
bars, and one evening, having received permission from the hotel, Jack
tried to see what he could make of it. But, according to what fellow
hacker Tiffany Strauchs Rad
told
Reuters’ Jim Finkle, the hotel didn’t actually own the gold dispensing
machine and the American Embassy had to be called to resolve the
misunderstanding. Afterward, Jack met up with Kaminsky, who missed the
shenanigans because he was riding a camel, eager to share the
excitement.
Kaminsky laughs while recalling the tale, noting “Barnaby’s the kind
of guy who makes you realize your life sounds like a comic book, I mean,
his name is
Barnaby Jack.” After the UAE incident, Kaminsky
recalls, “(t)hose machines were quite disconnected from absolutely
everything until all hackers had left the country, thank you very much.”
“No one likes to hear their kid be called ugly”
Both Marcus and Kaminsky note there is always a certain level of
tension between hackers conducting penetration testing and the
manufacturers and developers creating products and software.Jack was no
exception: “Barnaby had uncomfortable meetings with ATM manufacturers,
medical device manufacturers” Kaminsky says.
That’s understandable to a certain extent, as Marcus jokes, “no one
likes to hear their kid be called ugly.” But, like it or not, Kaminsky
says, ”we are becoming so dependent on these devices that quite
literally our lives depend on them — and they’re literally not learning
the lessons of security that we’ve had to learn painfully in desktops
and laptops.”
Kaminsky says “there are a lot of engineers who wish security
vulnerabilities were theoretical” or would like an excuse to argue “no
one would actually do that.” But Jack’s flashy exploits helped drive
home that, yes, someone would actually do it — and that if Jack could
figure out how, it’s likely potential bad guys could, too.
“There are a lot of people in this world who if they find a bug that
will make an ATM fire $20 bills, they’re not going to go onstage and
talk about it, they’re going to be standing in front of ATM and cashing
themselves out,” adds Kaminsky.
Penetration testing can find bugs early, allowing companies to fix
them. Or, Kaminsky says, some guy out there is going to find the problem
later, and the publisher or manufacturer is going to have a bad day.
It’s also cheaper to make the fixes ahead of the game. Kaminsky knows a
little bit about this: In 2008 he
uncovered
a DNS protocol flaw that he jokes resulted in “tens of thousands of
pizza boxes” being ordered over the six-month period it took for
administrators to patch their systems.
Working to make the digital world a safer place, he says, is “a much
harder path, but that’s what it takes.” The easier path can be to sell
the exploits to the highest bidder — with major, zero-day research
earning huge payouts from state and corporate stakeholders. Last year,
Forbes’ Andy Greenberg
reported on a middleman who helps hackers hoping to go this route. The man, who goes by the handle “
the Grugq,”
was said to be earning a 15 percent commission on financial
deals, primarily made with Western governments, ranging into the the
hundreds of thousands of dollars for major flaws .
The DNS flaw served as a good reminder of security’s uphill battle.
Catching a bug is only part of the process — researchers also need to
resolve the problem while ensuring the program still functions as
intended. Because there’s a only a select group of people with the
ability and skills necessary to do the job, it often puts hackers in a
unique position of critiquing products from the outside.
Kaminsky suggests the work is somewhat analogous to environmentalists
approaching a power plant about an air quality problem, adding that
just like ”no one wants to breath polluted air, no one wants a pacemaker
that will blow up on you.”
Jack believed “(w)e can’t taking this loosey-goosey, sloppy crap we
use to make Web pages work and not be aware of what happens if we start
betting our lives on it,” according to Kaminsky. And Jack’s
news-catching way of presenting those flaws was a way to guarantee that
creators took notice.
After all, Kaminsky says, “Barnaby wasn’t the only person in the
world who was hacking these devices; he was just one of the few who
would talk to you.” Beyond being a personal tragedy, his death meant the
loss of one of the security community’s’ “major ambassadors to the
embedded world about the need for real security.”
“It’s easy to be inspired by a guy that hacked like Barnaby”
“He really made me laugh, I think I’ll miss that the most,” Kaminsky
says later, his voice dropping. The day the news broke he was sharing
tales about Jack with another security researcher friend. They joked
that if anyone would fake their death to make for a big reveal at a
conference, it was the guy they nicknamed Barns. But now they have to
face that it’s no joke; Jack was gone.
As far as his legacy in computer security, some part of it will be
the acknowledgement that with embedded device technology flaws, “if we
don’t deal with this problem, it’s certainly going to deal with us,”
Kaminsky says.
Marcus feels most sorry for Jack’s family as they and the computer
security community mourn the lose of their prankster brother. But he
also hopes Jack’s memory can inspire future researchers “to hack on to
their own greatness.
“It’s easy,” he says, “to be inspired by a guy that hacked like Barnaby.”