I was shocked and saddened when I learned that ethical hacker Barnaby Jack had passed away in San Francisco last week. The cause of Jack's death is so far undisclosed. He was on the agenda to make a presentation on security flaws of wireless implantable medical devices at the Black Hat conference in Las Vegas this week.
Jack was just 35 years old. Yet in his abbreviated time in this world, his career as a white hat hacker had a remarkable impact. His hacking demonstrations spotlighted the security vulnerabilities of machines ranging from ATMs (getting them to spit out lots of cash) to wireless heart defibrillators (getting them to deliver a potentially deadly shock).
Barnaby Jack's provocative demos initiated conversations about finding better ways to ensure security.
These demonstrations served an important purpose: They opened the eyes of consumers - as well as healthcare organizations, banks and technology manufacturers - to the shocking potential consequences of shoddy cybersecurity. Barnaby Jack's provocative demos initiated conversations about finding better ways to ensure security.
On a personal note, I had the pleasure of interviewing Jack last November. Not only was he extremely knowledgeable about the cybersecurity risks posed to medical devices, offering suggestions for mitigating those threats - he was very down-to-earth and eager to be helpful.
It took weeks to set up the interview, due, in large part, to Jack's international travel and packed schedule as director of embedded device security at services firm IOActive. When the day of our interview arrived, the sound coming from Jack's side of the call was uneven and, at times, very garbled. At my request, he tried troubleshooting the problem from his side, including changing his headset and microphone and us re-recording parts of the interview.
Unfortunately, despite the effort, the sound was ultimately too inaudible in too many spots of the interview. I wound up just writing a story about the discussion, rather than posting the audio file (see: How to Minimize Medical Device Risks). Although I was disappointed not to be able to post the audio file, I was impressed with Jack's graciousness, politeness and patience.
During the interview, Jack emphasized that while his demonstrations of medical device hacking were dramatic and the security risks real, patients should not discontinue using potentially life-saving products out of fear.
The benefits of using medical devices far outweigh the security risks, Jack stressed. "I don't think people should feel threatened individually," he says. "The last thing we want to do is for people to lose faith in these life-saving devices."
Instead, Jack wanted his demonstrations to lead to improved medical device security practices, especially by device vendors in the development cycle of their products.
The safety and security of medical devices, Jack said," is mostly a responsibility that lies with the device makers."
Now, even without Jack's grand showmanship nudging them along, medical device makers, ATM manufacturers and other technology companies need to continue ramping up their cybersecurity vigilance to better protect consumers. That would be the best of all tributes to Barnaby Jack.