SecurityWeek

Barnaby Jack (1977-2013): Farewell to a Daring Wunderkind

The last time I saw Barnaby Jack, at the CanSecWest security conference in Vancouver, he was bleary-eyed at the hotel bar with a drink in his hand. It was not yet 10:30 a.m.

The last detailed conversation I had with him, after his famous Black Hat “jackpotting” ATM talk in Las Vegas, he seriously scolded me for insisting on full technical details of the research, making it clear he would never act irresponsibly to suit anyone.

This is the Barnaby I remember, a man who partied so hard that you worried about his health and well-being. Yet, he was a shy, responsible security researcher who was so well respected that, at age 35, he was already a mentor to an entire generation of hackers.

Tales of Barnaby’s hijinks of alcohol, dirty words and epic global adventures (I’m told there’s an amusing story of a Russian Mafia kidnapping experience in Latvia) will emerge in the wake of his sudden death but don’t let those stories skew your impression of his value to the security community.

Tom Ptacek says it best:

“Many are famous for ‘stunt hacking’. Lede on #barnes will be ATMs & stuff. Let’s remember also that he knew his s**t. The real deal.”

When a researcher dominates the news headlines with dramatic images of ATMs spitting out cash, it triggers a lot of jealousy and dismissive chatter about hype and media-whoring. With Barnaby, it was different because his peers appreciated all the quiet, behind-the-scenes work he did to make the computing world a better, safer place.

A quick glance at his resume shows stints at Foundstone, eEye, Juniper, McAfee and IOActive. He is perhaps best known today for hardware hacking — ATMs, Wi-Fi routers and medical implants — but Barnaby’s hacking talents date back to the 1990s.

Marc Maiffret, a peer from the good-old eEye days, explains:

I first met former eEye Researcher Barnaby Jack almost 10 years ago when I was discovering some of the first remote Windows SYSTEM vulnerabilities in the late 90’s. In searching for like-minded individuals and someone with deep “win32 ASM” knowledge I ended up meeting Barns in a win32 software cracking channel and the rest is history and a lot of good times.


I was privileged to watch Barns grow within eEye Research from his early days of literally writing the book on Win32 exploitation to discovering some of the most critical Windows based software flaws to the point he eventually became bored with such research and moved into the land of hardware hacking.


He quickly made short work of hacking various consumer grade routing devices not by simply leveraging configuration issues, as others had done, but by remotely exploiting buffer overflow vulnerabilities on these devices as simply as he would against Windows.

He never liked being interviewed. I remember in 2006 when he published a remotely exploitable vulnerability in D-Link routers, he casually pointed me to the advisory and turned down the chance to make headlines for himself.

That’s not saying he wasn’t a showman. Showing up at Black Hat in 2010 with live demos of ATMs spitting out cash was beyond brilliant. In Abu Dhabi later that year, he went a step further.

Tiffany Rad, who was there, remembers:

“The hotel had heard about his ATM hack that he did on stage for Black Hat Abu Dhabi. Indeed, IOActive shipped the ATM to Abu Dhabi, but they didn’t send any money with which to load it. In the front row, a guy stands up and pulls out a gigantic wad of thousands of American dollars from his robe, hands it to Barns and said, “load it up!” He did.


So the hotel manager knew about the ATM hacking presentation, and when Barns told the manager that he thought their gold bar-dispensing machine in the lobby may be vulnerable to the same hack, they were curious and said it was fine if he attempted a compromise. Barns asked me to be around just in case things went south.


I sat in the lobby and watched from afar as he unplugged the cable from the back of the gold machine and hooked it up to his computer. Then security arrived. A picture may exist that captured this moment 🙂 Apparently, the hotel manager thought he had the authority to grant permission for it to be hacked, but the Emirates Palace didn’t actually own the machine. Another company did and they were not happy.


In summary, representatives from the American Embassy showed up. But the mistake was explained and all was good.”

That was Barnaby at his core. Curious, daring and always wanting to push the envelope.

As we mourn his sudden passing, I’ll let this Slashdot comment sum up his life:

“He was an interesting character. He helped me sneak a girl into a hacker party at the Peppermill one year during Defcon. No one that drank with him, even once, will ever forget him.

God had better keep an eye on him. If the pearly gates have any exploits, he’ll find them.”

With a beer in hand and a mischievous smile on his face.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
