Leap Motion Security App Hacked

The new and innovative gesture control gadget, Leap Motion, which has just been released to the public three weeks ago, has already had more than a million app downloads, may have to check some of those programs security levels.
A security team at Malwarebytes have already discovered how to bypass at least one of them. Jean Taggart, Malwarebytes researcher said: “I wasn’t even trying to hack it…I was just showing a coworker. He walked up, put his hand over my keyboard, and logged into my computer.” The application in question is Battelle SignWave, which is a free app on the Leap Motion’s Airspace app store, which enables you to log into your computer with hand gestures. Unfortunately, it appears, SignWave may not be as clever in distinguishing different users hands as Battelle thinks it is.


Leap Motion is an innovative keyboard-free computer controller about the size of a pack of chewing gum. It works by sensing the movement of your hands and fingers, enabling you to control your computer with gestures in the air. Leap Motion has been described as being 200 times more accurate than Microsoft’s Kinect, sensing even 1/100th of a millimetre motions of all 10 fingers at a speed of 290 frames per second.

The Battelle website informs us that SignWave Unlock uses this capability to identify the unique characteristics of your hand to build a profile (aka biometric signature) that allows the computer to identify you and quickly and securely access your computer by simply placing your hand over the Leap Motion device.

In the case of Taggart and colleague, they fooled the system by spreading his fingers and convincing SignWave that he is the rightful owner of the computer and unlocking the system for full use. “The app is in the experimental section, but it is not extra security over and above your password,” Taggart says. “If you install it, it allows you right into Windows.”

This is how SignWave is supposed to work by “quickly, easily, and securely” access your PC. However, VP of product marketing Michael Zagorsek pointed out that the app details state that SignWave Unlock “is not intended to replace your existing security measures.” The app description also says that it is designed to supplement your password, fingerprint reader, iris scanner, or facial recognition security features and that there is a “possibility of a false positive.” That differs from the description on Battelle’s website, which emphases the app’s ease and simplicity of use and not having to use a password: “Looking for a faster, easier way to sign in to your computer? Want more security without a complicated logon? Battelle SignWave Unlock is your answer. SignWave Unlock software uses 3D data and gesture-based authentication to identify users and allow touch-free access to computer systems, without having to type in a password. Just the wave of your hand lets you logon to your computer.”
If a security researcher wasn’t trying to hack it, but did, what if somebody decided to make it their mission to hack it?