Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Barnaby Jack (1977-2013): Farewell to a Daring Wunderkind

The last time I saw Barnaby Jack, at the CanSecWest security conference in Vancouver, he was bleary-eyed at the hotel bar with a drink in his hand. It was not yet 10:30 a.m.

The last time I saw Barnaby Jack, at the CanSecWest security conference in Vancouver, he was bleary-eyed at the hotel bar with a drink in his hand. It was not yet 10:30 a.m.

The last detailed conversation I had with him, after his famous Black Hat “jackpotting” ATM talk in Las Vegas, he seriously scolded me for insisting on full technical details of the research, making it clear he would never act irresponsibly to suit anyone.

Barnaby Jack This is the Barnaby I remember, a man who partied so hard that you worried about his health and well-being. Yet, he was a shy, responsible security researcher who was so well respected that, at age 35, he was already a mentor to an entire generation of hackers.

Tales of Barnaby’s hijinks of alcohol, dirty words and epic global adventures (I’m told there’s an amusing story of a Russian Mafia kidnapping experience in Latvia) will emerge in the wake of his sudden death but don’t let those stories skew your impression of his value to the security community.

Tom Ptacek says it best:

“Many are famous for ‘stunt hacking’. Lede on #barnes will be ATMs & stuff. Let’s remember also that he that knew his s**t. The real deal.”

When a researcher dominates the news headlines with dramatic images of ATMs spitting out cash, it triggers a lot of jealousy and dismissive chatter about hype and media-whoring. With Barnaby, it was different because his peers appreciated all the quiet, behind-the-scenes work he did to make the computing world a better, safer place.

A quick glance at his resume shows stints at Foundstone, eEye, Juniper, McAfee and IOActive. He is perhaps best known today for hardware hacking — ATMs, Wi-Fi routers and medical implants — but Barnaby’s hacking talents date back to the 1990s.

Marc Maiffret, a peer from the good-old eEye days, explains:

Barnaby Jack

I first met former eEye Researcher Barnaby Jack almost 10 years ago when I was discovering some of the first remote Windows SYSTEM vulnerabilities in the late 90’s. In searching for like-minded individuals and someone with deep “win32 ASM” knowledge I ended up meeting Barns in a win32 software cracking channel and the rest is history and a lot of good times.

I was privileged to watch Barns grow within eEye Research from his early days of literally writing the book on Win32 exploitation to discovering some of the most critical Windows based software flaws to the point he eventually became bored with such research and moved into the land of hardware hacking.

He quickly made short work of hacking various consumer grade routing devices not by simply leveraging configuration issues, as others had done, but by remotely exploiting buffer overflow vulnerabilities on these devices as he would as simply against Windows.

He never liked being interviewed. I remember in 2006 when he published a remotely exploitable vulnerability in D-Link routers, he casually pointed me to the advisory and turned down the chance to make headlines for himself.

That’s not saying he wasn’t a showman. Showing up at Black Hat in 2010 with live demos of ATMs spitting out cash was beyond brilliant. In Abu Dhabi later that year, he went a step further.

Tiffany Rad, who was there, remembers:

Barnaby Jack in Abu DhabiThe hotel had heard about his ATM hack that he did on stage for Black Hat Abu Dhabi. Indeed, IOActive shipped the ATM to Abu Dhabi, but they didn’t send any money with which to load it. In the front row, a guy stands up and pulls out gigantic wad of thousands of American dollars from his robe, hands it to Barns and said, “load it up!” He did.

So the hotel manager knew about the ATM hacking presentation, and when Barns told the manager that he thought their gold bar-dispensing machine in the lobby may be vulnerable to the same hack, they were curious and said it was fine if he attempted a compromise. Barns asked me to be around just in case things went south.

I sat in the lobby and watched from afar as he unplugged the cable from the back of the gold machine and hooked it up to his computer. Then security arrived. A picture may exist that captured this moment 🙂 Apparently, the hotel manager thought he had the authority to grant permission for it to be hacked, but the Emirates Palace didn’t actually own the machine. Another company did and they were not happy.

In summary, representatives from American Embassy showed up. But the mistake was explained and all was good.”

That was Barnaby as his core. Curious, daring and always wanting to push the envelope.

As we mourn his sudden passing, I’ll let this Slashdot comment sum up his life:

“He was an interesting character. He helped me sneak a girl into a hacker party at the Peppermill one year during Defcon. No one that drank with him, even once, will ever forget him.

God had better keep an eye on him. If the pearly gates have any exploits, he’ll find them.”

With a beer in hand and a mischievous smile on his face.

Related: Famed Hacker Barnaby Jack Dies Days Before Black Hat Conference

Related: Barnaby Jack’s Black Hat Talk Will Not be Replaced

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.