July 26, 2013
Security researcher Barnaby Jack has passed away in San Francisco, only days before a scheduled appearance at a Las Vegas hacker conference where he intended to show how an ordinary pacemaker could be compromised in order to kill a man.
Jack, who previously presented hacks involving ATMs and insulin pumps at the annual Black Hat conference in Vegas, was confirmed dead Friday morning by the San Francisco Medical Examiner’s office, Reuters reported. He passed away Thursday this week, but the office declined to offer any more details at this time.
Jack’s death came one week to the day before he was scheduled to detail one of his most recent exploits in a Black Hat talk called “Implantable Medical Devices: Hacking Humans.”
“I was intrigued by the fact that these critical life devices communicate wirelessly. I decided to look at pacemakers and ICDs (implantable cardioverter defibrillators) to see if they communicated securely and if it would be possible for an attacker to remotely control these devices,” Jack told Vice last month.
After around six months of research, Jack said he developed a way to hack one of those devices remotely and send it a high-voltage shock from upwards of 50 feet away.
“If the devices can be accessed remotely, there’s always a potential for abuse,” he told Vice tech reporter William Alexander.
In a blog post earlier this year, Jack said he was influenced by a recent episode of the television program “Homeland,” in which a terrorist remotely hacked the pacemaker of the United States vice president.
“In my professional opinion, the episode was not too far off the mark,” he wrote.
When Alexander asked Jack if a government official outfitted with a pacemaker would be vulnerable to assassination from a hacker, the researcher remarked, “I wouldn’t feel comfortable speculating about such a scenario.”
“Although the threat of a malicious attack to anyone with an implantable device is slim, we want to mitigate these risks no matter how minor,” he wrote in his blog post. At the time, Jack said the vulnerability was being discussed with medical device manufacturers.
“Over the past year, we’ve become increasingly aware of cyber security vulnerabilities in incidents that have been reported to us,” William Maisel, deputy director for science at the FDA’s Center for Devices and Radiological Health, told Reuters. “Hundreds of medical devices have been affected, involving dozens of manufacturers.”
At previous Black Hat talks, Jack detailed how he emulated a stunt found in the movie Terminator 2 that allowed him to remotely hack an automatic teller machine. In addition to being able to read credit card numbers and PINs inputted by another user, Jack also showed how a USB drive could be implanted in an ATM which would override the machine’s firmware and allow a hacker to take control.
In another presentation, Jack said he could hack insulin pumps to order the machines to deliver lethal doses to patients, in turn killing them.
“We notified the manufacturer of the vulnerability and it will be fixed with the next insulin pump revision,” he told Vice.
Jack’s most recent employer, security firm IOActive, said in a statement, “Lost but never forgotten our beloved pirate, Barnaby Jack has passed. He was a master hacker and dear friend. Here’s to you Barnes!”
Black Hat is scheduled to begin Wednesday in Las Vegas, with a presentation by NSA Chief Gen. Keith Alexander. It will be immediately followed by the Def Con hacker conference, which will be taking place just down the road. Researchers at Def Con plan to demonstrate various high-profile hacks, including how modern cars can be compromised.