SECURITY FIRM Malwarebytes has shown off an exploitable security vulnerability in the recently launched Leap Motion Controller gesture based PC peripheral.
Released in the UK late last month, the Leap Motion Controller allows people to control their computers with hand and finger movements, claiming to sense how you move your hands "the way you move them naturally". It retails for £70.
Demoing the attack in a YouTube video, Malwarebytes showed how a Windows user account can be unlocked with a flick of the wrist on any PC that has the Leap Motion Controller and an app named "Signwave Unlock Free" installed.
"I played around with the Leap, I installed the airspace market and downloaded several apps, and had an absolute blast. There was one app that struck my curiosity, though not available for the Mac, called 'Signwave Unlock free' by Battelle," Malwarebytes researcher Jean Taggart said in a blog post.
The app is intended to supplement the existing Windows password login screen and make unauthorised access more difficult. According to Battelle, it records unique characteristics of the owner's hand so that it can later recognise that person as the legitimate user and unlock the system.
However, Malwarebytes showed in a YouTube video that a Windows machine with the Leap Motion Controller and the Signwave app installed can be unlocked by anyone simply holding an open hand over the keyboard.
"I am a little perturbed, since once it is installed and configured, this app effectively unlocks your computer. It doesn't supplement a biometric measure, or act as a companion to another existing security mechanism," Taggart added. "You hold your hand up over the Leap, and it just unlocks the computer. No password needed."
Malwarebytes demonstrated in the video that the app unlocks the computer irrespective of whose hand is used.
Battelle responded to Malwarebytes' blog post, admitting that the "false positives" Malwarebytes experienced "were possible", and noting that the app is listed in the experimental section of the Leap Motion Airspace app store.
"Signwave Unlock is using a new type of biometric authentication algorithm using data that is only possible to collect through the Leap Motion Controller," Battelle said. "Because there was limited data available prior to launch, we made Signwave Unlock available free of charge in order to increase the number of users and the biometric data points upon which its security algorithm depends."
"We truly appreciate our Signwave Unlock users' help in improving the app by opting in to its anonymous data sharing program."
Leap Motion has yet to respond to our request for comment. For now, Leap Motion Controller users should probably steer clear of the Battelle app until the company has issued a patch.