Biometric password app easily bypassed, claims Malwarebytes
Technology that claims to use ‘unique characteristics’ of hands is not secure, says researcher.
A pair of security researchers at Malwarebytes claim to have bypassed a biometric security system for gesture-based device Leap Motion.
Jean Taggart, a researcher at the firm Malwarebytes, claims to have broken through this recognition security measure easily. His colleague Jerome Segura has also posted a video online, in which he claims to have unlocked the device in under one minute.
In a blog post documenting what he termed a "biometrics failure", Taggart said: "I played around with the Leap, I installed the airspace market and downloaded several apps, and had an absolute blast."
Taggart said one app in particular caught his eye: Signwave Unlock, free by Battelle, which claims to identify the unique characteristics of a user's hand and use them to lock or unlock the system only for the true owner.
However, Taggart pointed out that Battelle's disclaimer says the app is not intended to replace existing security measures and that there is a possibility of false positives.
"I am a little perturbed, since once it is installed and configured, this app effectively unlocks your computer. It doesn't supplement a biometric measure, or act as a companion to another existing security mechanism," said Taggart.
"That would be awesome if your hand was the only one that worked, but it unlocks the computer with ANY hand held over it. I asked my co-worker to come and test the new cool security biometric thingy on my desk ... [and] he calmly walked over, and promptly unlocked my test system," he added.
A Battelle spokeswoman told IT Pro: "SignWave Unlock is using a new type of biometric authentication algorithm using data that is only possible to collect through the Leap Motion controller.
"The app is free of charge in order to increase the number of users and the biometric data points upon which its security algorithm depends. The more data, the better the app. We truly appreciate our Signwave Unlock users who are helping to improve the app by opting in to its anonymous data sharing program."
Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.