Is the iPhone 5S finger print sensor TouchID secure => No? - Ist die Technik des iPhone 5s Fingerabdrucksensors sicher?

TouchID facts:
- Sensor (capacitive, 500 ppi, orientationless, 170 microns thin)
- TouchID was developped by AuthenTec that was bought by Apple
- the fingerprints are stored locally by the os (inside A7 processor)
- the stored data is encrypted
- unlock the screen by 4 digit code or fingerprint, because both ways are possible, you don't gain security
- it's not a fingerpint picture that gets stored, the device calculates a signature (or pattern) out of it, because this can be better stored and compared.
- a second source (2) tells, that instead of a pattern only a hash will be stored in the device. This sounds strange. The same finger will for sure be captured always slightly different. Then attributes of the captured fingerprint are taken to create a pattern. The pattern could then be hashed. Hash algorithm are collission resistent one way functions. A hash can not be reverted to original data (the pattern). So the only way to be accepted would be to create 2 100% identical hashes. This sounds impossible! Biometrics works by pattern matching and not by hash comparisation. Maybe the author of the referenced article missunderstood the system!
- by long pressing the button, Siri is activated and can be asked for phone numbers or appointments!!

- NSA has access to sensible data of iOS devices (If they need your data, they most probably get it, even it is not stored in a cloud)
- fingerprints are biometrics that can be easily fooled
- the safety you get is not worth giving biometric data like your fingerprint
- fingerprints can be stolen (copied) without your notice (from a glass, while you sleep), they are not a secret

Pattern matching:
Pattern matching is how all biometric devices work. Pictures can not be compared other ways.
Pattern matching is like counting similiar values from 2 lists, and if enough (ex. 70%) are similiar, patterns are supposed to be equal!)


open questions:
- is the living check accurate (pulse, temperature, glove with artificial fingerprint)?
   - The only statement found regarding this questions so far is:

” The RF capacitive sensor technology is built in a way that the fingerprint image has to be taken from a live finger.” (1)

- also unknown: False Acceptance Rate, False Rejection Rate of TouchID

    - 1:200 false rejection rate; >> 1:200 false acceptance rate (limited number of offenders) (2). This is good but not fantastic
- who is the manufacturer of the TouchID sensor?
- does the A7 processor have a real cryptographic storage

update 22.9.13:
ccc was able to unlock a Iphone 5S by using a photographed fingerprint (3):
"Künstlicher Finger aus Latexmilch
Um den Sensor des iPhone 5S zu überlisten, genügen ein Foto des Fingerabdrucks, das mit 2.400 dpi aufgenommen wurde, und ein Laserdrucker, der mit 1.200 dpi auf transparente Folie druckt. Auf die Folie wird dann hautfarbene Latexmilch oder weißer Holzleim aufgetragen. Nach der Trocknung ist der Fingerabdruck in gefälschter Form fertig und muss für die Benutzung nur noch durch Anhauchen angefeuchtet werden."

Conclusion: This opens a simpler way to unlock your phone than guessing your password!


Sources:
http://www.heise.de/security/meldung/Datenschuetzer-warnt-vor-Fingerabdruck-Sensor-des-iPhone-5S-1956725.html
http://www.digitaltrends.com/mobile/can-apple-hand-over-your-fingerprint-to-the-nsa/
http://inotes4you.com/2013/09/12/fingerprint-technology/comment-page-1/#comment-3202
http://mashable.com/2013/09/15/severed-finger-iphone-5s/?utm_cid=mash-com-fb-main-link (1)
http://www.faz.net/aktuell/technik-motor/computer-internet/apple-iphone-5s-im-test-der-finger-soll-in-die-zukunft-zeigen-12578153.html (2)
http://www.golem.de/news/iphone-5s-chaos-computer-club-ueberwindet-apples-touch-id-1309-101735.html (3)