OFFICIAL SECURITY BLOG

Lock – Unlock, Biometrics Failure

August 13, 2013 | BY

I like gadgets, no, scratch that, I LOVE gadgets.

With this in mind, I very often find myself an early adopter of technology. If there is a shiny new technological gadget on the horizon, I’m probably lusting over it.

And so, I recently received my “Leap Motion” controller. I had pre-ordered it as soon as I heard about it and was eagerly awaiting its arrival.

It is a very cool device, but I must admit that deep down I was expecting this:

Screenshot from Minority Report

And mostly wound up doing this:

Cut The Rope game for Leap Motion

While there is nothing wrong with playing “Cut The Rope”, if you want to get the snazzy sci-fi interface of Minority Report, you would have to redesign any operating system with the Leap as the primary input mechanism from the ground up. I understood this, and I still think that this device deserves to be on my desk.

I played around with the Leap, installed the Airspace market, downloaded several apps, and had an absolute blast.

There was one app that struck my curiosity, though not available for the Mac, called “Signwave Unlock free” by Battelle.

Its intended use is to identify unique characteristics about your hand so it can later identify you as the true owner/user and unlock the system.

Here is a video showing the process.

Not one to be easily defeated, I installed the Leap on a Windows 7 system in our lab, rebooted, signed in to the marketplace, pulled down the Unlock app, installed it, rebooted again, and went through the setup process for the Unlock app. After waving my hand over the Leap in a few calibration pages, I was set.

I then proceeded to unlock my computer, by waving my hand over my desk. I wanted to film a short clip of this, but it was a little anti-climactic, as it pretty much does just that.

At this point I feel compelled to show you the disclaimer that was shown on the bottom of the app page.

Battelle’s disclaimer.

I am a little perturbed, since once it is installed and configured, this app effectively unlocks your computer. It doesn’t supplement a biometric measure, or act as a companion to another existing security mechanism. You hold your hand up over the Leap, and it just unlocks the computer. No password needed.

That would be awesome if your hand was the only one that worked, but it unlocks the computer with ANY hand held over it. I asked my co-worker to come and test the new cool security biometric thingy on my desk, ready to emit a triumphant “HA! SEE? IT’S NOT JUST A TOY!” only to be severely crestfallen when he calmly walked over, and promptly unlocked my test system.

We tried this multiple times, and he succeeded in unlocking my workstation. Every. Single. Time.

For reference, here is a picture of my hand, and my colleague’s hand. They look different enough.

The fact that this program is free, and that the category is “experimental” may also contribute to my being a little more forgiving.

Leap is going out on a limb by having their own app market, and I understand their desire to have as many applications available in their ecosystem for the initial release of the product. This may have influenced the level of scrutiny applied to said apps. I contacted Battelle and inquired about the availability of a Mac version. It should be released in version 2.1 by the end of August. I plan on testing it.

I use a “pass phrase”, and an annoyingly long one at that, and I have to type it about 100 times a day. I really want this Leap app to work.

In the interim, I cannot really recommend using this. Chopping fruit, flying around Google Earth, and feeding little monsters candy is really fun.

Securing your workstation with this app? Not so much.

Update: Battelle responded with this:

“Indeed, as stated in the app description in the Airspace store, false positives such as you’ve experienced are possible. SignWave Unlock is using a new type of biometric authentication algorithm using data that is only possible to collect through the Leap Motion controller. Because there was limited data available prior to launch, we made SignWave Unlock available free of charge in order to increase the number of users and the biometric data points upon which its security algorithm depends. We truly appreciate our Signwave Unlock users’ help in improving the app by opting in to its anonymous data sharing program.”

I appreciate Battelle’s prompt response and their commitment to improving the product.