Updated August 14 with new data from Battelle and Leap Motion
Innovative gesture-control gadget Leap Motion, which was released to the public just three weeks ago and has already seen more than a million app downloads, might have to check some of those programs a little more carefully.
Security researchers at Malwarebytes have already discovered how to circumvent at least one of them.
“I wasn’t even trying to hack it,” Malwarebytes researcher Jean Taggart told me. “I was just showing a coworker. He walked up, put his hand over my keyboard, and logged into my computer.”
The app in question is Battelle SignWave, a free app on Leap Motion’s Airspace app store that enables you to log into your computer with just your hand. Unfortunately, it appears, our hands may not be as unique as we think. Or SignWave may not be as good at distinguishing different people’s hands as Battelle thinks it is.
Leap Motion is an innovative keyboard-free computer controller about the size of a pack of gum. It senses the movement of your hands and fingers, enabling you to control your computer with midair gestures. Leap Motion is 200 times more accurate than Microsoft’s Kinect, sensing motions as small as 1/100th of a millimeter across all 10 fingers at 290 frames per second.
Here’s how SignWave Unlock is supposed to work, from the Battelle website:
SignWave Unlock uses this capability to identify the unique characteristics of your hand to build a profile (aka biometric signature) that allows the computer to identify you and quickly and securely access your computer by simply placing your hand over the Leap Motion device.
As you can see, however, simply by spreading his fingers, the second security researcher spoofs the system, convincing SignWave that he is the rightful owner of the computer and unlocking the system for full use.
“The app is in the experimental section, but it’s not extra security over and above your password,” Taggart says. “If you install it, it allows you right into Windows.”
This is how SignWave is supposed to work, letting you “quickly, easily, and securely” access your PC:
When I contacted Leap Motion about the app, VP of product marketing Michael Zagorsek pointed out that the app details state that SignWave Unlock “is not intended to replace your existing security measures.” The app description also says that it is designed to supplement your password, fingerprint reader, iris scanner, or facial recognition security features and that there is a “possibility of a false positive.”
That language, of course, is somewhat at odds with the “quickly, easily, and securely” in the product videos. And it’s much different than the language on Battelle’s website, which stresses the app’s ease and simplicity — and not having to use a password:
Looking for a faster, easier way to sign in to your computer? Want more security without a complicated logon?
Battelle SignWave Unlock is your answer.
SignWave Unlock software uses 3D data and gesture-based authentication to identify users and allow touch-free access to computer systems, without having to type in a password. Just the wave of your hand lets you logon to your computer.
I have contacted Battelle about the security issue and received this update:
As stated in the app description on the Airspace store, false positives such as you’ve experienced are possible. SignWave Unlock is using a new type of biometric algorithm using data that is only possible to collect with the Leap Motion Controller.
That is why the app is free of charge in order to increase the number of users and the biometric points upon which its security algorithms depend. The more data, the better the app. We truly appreciate our SignWave Unlock users who are helping to improve the app by opting in to its anonymous data sharing program.
I also spoke with Leap Motion representatives today, who expressed some concern about the variance between the description of Unlock on Airspace and the description on Battelle’s website. They said they are working with Battelle to resolve those differences and to add a note to the demo video saying that the app is not intended for high-security situations right now.
Apparently, a new version is coming soon with much better security.
“We do have approval policies that apps must adhere to and would remove any app that was in violation of those,” Leap Motion’s Zagorsek said via e-mail.