Cybersecurity expert and avid medical device hacker Barnaby Jack died this week, just days before he was slated to present his latest research into hacking implantable cardiac devices.
Jack had made a name for himself in the hacking and security community with high-profile exploits, such as his 2010 presentation exposing a vulnerability that made ATMs spew free cash. He’d also made himself known in medical device circles thanks to his work demonstrating long-range hacks into insulin pumps.
Next week at the Las Vegas Black Hat conference, one of the biggest (and priciest) security conferences out there, Jack was slated to give a presentation titled "Implantable Medical Devices: Hacking Humans."
"Barnaby will discuss how these devices operate and communicate and the security shortcomings of the current protocols," according to a presentation summary by IOActive, where Jack was director of embedded security research. "IOActive’s internal research software will be revealed that utilizes a common bedside transmitter to scan for, and interrogate individual medical implants."
Jack was also slated to offer some guidance for medical device makers on how to boost security in networked technologies.
Black Hat organizers have opted not to replace Jack’s presentation, according to a conference statement.
"No one could possibly replace him, nor would we want them to. The community needs time to process this loss," organizers said.
Jack made headlines last year when he demonstrated that he could hack a common insulin pump from 300 feet away, using little more than a laptop and a custom-made antenna. Jack’s software broke through the insulin pump’s security and altered its program to dump its contents, injecting a potentially lethal dose of the hormone into a dummy pancreas used for demonstration purposes.
Earlier this year Jack wrote an in-depth blog post about cardiac implant cybersecurity after he watched an episode of the television drama Homeland in which a terrorist remotely hacked a politician’s pacemaker. Although some dismissed the plot device as mere Hollywood fantasy, Jack’s sense was that "the episode was not too far off the mark."
"At IOActive, I’ve been spending the majority of my time researching RF-based implants," Jack wrote in a February blog for IOActive. "We have created software for research purposes that will wirelessly scan for new model ICDs and pacemakers without the need for a serial or model number. The software then allows one to rewrite the firmware on the devices, modify settings and parameters, and in the case of ICDs, deliver high-voltage shocks remotely."
Jack added that the purpose of the research wasn’t to alarm patients or discourage them from getting life-saving implants for fear of potential hackers, but to help improve the technology by working with manufacturers to make the devices safer.
"Although the threat of a malicious attack to anyone with an implantable device is slim, we want to mitigate these risks no matter how minor," Jack wrote. "We are actively engaging medical device manufacturers and sharing our knowledge with them."