The Enduring Influence of Device Hacker Barnaby Jack

Brian Buntz

July 30, 2013


Barnaby Jack was one of the most influential hackers in the world, and his influence is still felt in the medical device space. Jack was scheduled to speak at this week's Black Hat security conference in Las Vegas, where he planned to deliver a talk called "Implantable Medical Devices: Hacking Human," which would detail a pacemaker hack he had discovered.

One of Jack's most famous stunts was to hack automated-teller machines. At Black Hat in 2010, he demonstrated his prowess in hacking two ATMs, forcing them to dispense all of the cash held inside. He managed to pull off that feat by finding a way to bypass a series of password prompts, uploading custom software onto the machines, enabling him to remotely dispense cash and capture account details. This and other feats drew standing ovations from crowds, who applauded his creativity and deep knowledge of embedded devices. 

Jack, along with Jay Radcliffe and Kevin Fu, was also one of the most prominent hackers of medical devices. While their work has been criticized for scaring patients away from potentially life-saving devices, their intent is to ultimately make those devices safer. In any case, medical device hackers like Jack have helped bring widespread attention to the subject of medical device hacking, which has resulted in mainstream media coverage and eventually, greater scrutiny from FDA. In June, the agency released guidance titled "FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks." 

CDRH's deputy director of science, William Maisel, also acknowledged Jack's work in highlighting medical device security vulnerabilities as "contribut[ing] importantly to progress in the field."

In a way, Barnaby's hacking of ATMs and his hacking of medical devices were similar. Both were previously undiscovered exploits of common devices with significant implications. By contrast, most Internet hacks are relatively innocuous. After hacking ATMs, he referred to it as "the first time that this type of attack has been publicly released." "You have to release these attacks to raise awareness," he said. His talks also included advice on how to think like a hacker, with the hope of always staying one step ahead of attackers.

His rationale for hacking medical devices was comparable to his ATM exploits. "My purpose [in hacking insulin pumps and other medical devices] was not to allow anyone to be harmed by this because it is not easy to reproduce. But hopefully it will promote some change in these companies and get some meaningful security in these devices," Jack told BBC last year.

While the benefits of wireless networks are now impossible to ignore, as everything from cars to medical devices becomes hooked up to such networks, the potential for security problems rises. Jack worked to identify such threats so they could be addressed by manufacturers. While working at McAfee, Jack began experimenting with insulin pumps and discovered a way to hijack the device from up to 300 feet away, triggering potentially lethal insulin doses. Similar work by Jay Radcliffe eventually led to a Medtronic probe. A Reuters article explains that Barnaby's work with McAfee on insulin pump hacking led Medtronic to revamp how it develops products.

Jack also blogged on the subject of medical device hacking. In one post, he considers the feasibility of an episode of the television series Homeland, whose plot involved a terrorist hacking a pacemaker belonging to the U.S. vice president. While several physicians were quoted stating that such an attack would be impossible, Jack said "[i]n my professional opinion, the episode was not too far off the mark." 

In that episode of Homeland, a terrorist determines the serial number of the vice president's pacemaker, which makes it possible for him to control it remotely, eventually programming it to electrocute the vice president.

Jack joked: "My first thought after watching this episode was 'TV is so ridiculous! You don't need a serial number!'" Later, he clarifies that the hack might indeed have been possible if the vice president had an implantable cardioverter defibrillator rather than a pacemaker. A pacemaker cannot deliver a high voltage electrical shock.

Jack was most recently employed by embedded device security firm IOActive Inc. Following Jack's death, the company posted on its Twitter account the following: "Lost but never forgotten our beloved pirate, Barnaby Jack has passed."

He indeed will not be forgotten, and hopefully his work will contribute to making medical devices more secure.  

Black Hat will not feature another speaker during the session that was planned for Jack on August 1. The hour will be dedicated to commemorating Jack's life.

Brian Buntz is the editor-in-chief of MPMN and Qmed. Follow him on Twitter at @brian_buntz.
