Hacker and computer security researcher Barnaby Jack died last week. I was lucky enough to meet him in 2010 to film footage for the video below explaining his most famous hack, which made ATMs spit out money like jackpotting slot machines. The demonstration took place in Jack’s home at the time, in San Jose. When he opened the door I saw the man himself, friendly and laid back, and the two ATMs he had installed in his kitchen.
See “How to Make an ATM Spew Out Money” for an interactive graphic explaining the ATM hack.
Jack was widely known and liked amongst hackers and security researchers as an impressive technical talent who also knew how to have a good time. Among the many online postings in Jack’s memory last Friday was a tweet from researcher Dan Kaminsky, showing Jack attempting to hack an ATM that dispenses gold bars in an Abu Dhabi hotel. Although the attempt was made with permission of the hotel’s owners, it was abruptly cancelled before he could extract any gold.
Jack’s ATM hack provides a good example of how “white hat” hackers like him operate and advance computer security, despite often being misunderstood. Jack may have relished testing and perhaps breaking rules, and enjoyed putting on showy demonstrations of hacks that could be used in very dangerous or criminal ways. But he was careful to cause no lasting damage worse than the acute embarrassment felt by the people and companies who had designed the technology he bent to his will.
This inside account of how Jack worked with one ATM company to fix its flaws before his headline-grabbing demonstration in 2010 gives a nice insight into the well-known side of his style of working. It’s clear that those at the company would have preferred that the demonstration not take place, but they recognized their problem and welcomed Jack’s help to fix it. The ATM company’s engineer (who coined the term “jackpotting” that Jack adopted to describe money-spewing ATMs) sums it up like this:
“Barnaby got his 15 megabytes of fame, and we improved the security of our product, which I guess is how this ruthless Darwinian process is supposed to work.”
More recently, Jack had turned his attention to medical devices, inspired by Kevin Fu, an academic researcher MIT Technology Review recognized as a TR35 in 2009 for work on implanted pacemakers and defibrillators. Jack showed in 2011 that a common insulin pump could be wirelessly made to deliver a lethal dose, and then turned to pacemakers and defibrillators himself. He was due to give demonstrations of hacks on heart implants at the Black Hat security conference in Las Vegas this week. Reuters reports that he was to show that one model of pacemaker could be made to deliver a lethal shock to the person it is implanted into from 30 feet away.
In February this year, Jack wrote a detailed analysis of an episode of the TV show Homeland in which the U.S. vice president is killed by an attack on his pacemaker. It was a twist some viewers found hard to believe, but Jack had no such trouble. “In my professional opinion,” he wrote, “the episode was not too far off the mark.”