Hats off

EVERY summer Las Vegas plays host to Black Hat, a security shindig where spooks, businesspeople and academics rub shoulders with some of the world’s most talented hackers. The event briefly overlaps with DEFCON, a more informal affair where hackers try to impress one another with their exploits. Both events offer a mix of partying and presentations with disconcerting titles such as “Stalking a City for Fun and Frivolity”, “Home Invasion 2.0” and “Dude, WTF in my car?”

But one of hackerdom’s stars did not make it to this year’s jamborees. On July 25th Barnaby Jack was found dead in San Francisco, where he lived. He was only 35. An extremely popular “white hat”—a hacker who specialises in finding security flaws before nefarious “black hats” discover them—he had been due to give a presentation entitled “Implantable Medical Devices: Hacking Humans”.

Mr Jack had said previously that he had found a flaw in medical devices, such as heart pacemakers and defibrillators, made by an unnamed manufacturer, which could allow an outsider to communicate with them wirelessly. He was planning to show how this could be exploited to make the device malfunction or shut down, using a signal sent from up to 30 feet (9 metres) away. In a blog post earlier this year, he noted that an episode of “Homeland”, a popular American television show, in which a terrorist kills one of the characters by gaining control of his pacemaker, was not as far-fetched as it may have seemed.

The San Francisco police have ruled out foul play, but local medical authorities say it could be some time before the cause of death is established. What is clear is Mr Jack’s immense contribution in the field of “embedded” computers, which work inside other single-purpose appliances. Among his other headline-grabbing feats, he showed how some ATMs could be hacked so that they spewed out banknotes—an exploit dubbed “Jackpotting”. He had also highlighted vulnerabilities in insulin pumps, similar to the flaws in other implanted devices that he was planning to expose this year. In all these cases he shared his findings with the manufacturers before publicising them.

Even so, some worry that by trumpeting their findings at events such as Black Hat and DEFCON, white hats give clues which their shady counterparts could exploit in crime, terrorism or espionage. But the hackers’ defenders say the publicity alerts regulators, and ensures that as many companies as possible learn of the risks quickly. They also point out that the presentations typically leave out important steps so others cannot reproduce hacks. Nico Sell, who has been helping organise DEFCON for over a decade, notes, for example, that Mr Jack agreed to delay presenting his Jackpotting findings for a year, when a manufacturer of ATMs said it needed longer to deal with the bug that he had uncovered.