Researchers say a security flaw embedded deep within certain Apple chips cannot be patched, leaving
Millions of people using older iPhones could be exposed to a newly disclosed security flaw that researchers say Apple is unlikely to ever fix.
The vulnerability, uncovered by independent European cybersecurity firm Paradigm Shift, affects devices powered by Apple’s A12 and A13 chips. Researchers revealed their findings on June 18, describing an exploit they call usbliter8 that targets low level software embedded directly into the chips.
Because the flaw exists in SecureROM, the first code executed when an iPhone powers on, experts say it cannot be patched through a traditional software update. The code is permanently written into the chip during manufacturing, making it impossible for Apple to replace or rewrite after devices have been sold.
The discovery has raised concerns about the long-term security of several older Apple products that remain widely used.
How the flaw works
According to Paradigm Shift, the exploit takes advantage of weaknesses in the USB controller and device firmware to gain control of a device during the startup process.
Researchers demonstrated that attackers with physical access to a phone could override the normal boot sequence before iOS loads and potentially run unauthorized software.
The flaw does not allow someone to remotely hack a device over the internet. Instead, an attacker would need to physically connect to the phone or have direct possession of it to exploit the vulnerability.
Still, security researchers warn that the exploit could create additional attack paths. One of the biggest concerns is the possibility of compromising Apple’s Secure Enclave Processor, the dedicated chip responsible for storing sensitive information such as encrypted data, biometric information and passcodes. Paradigm Shift notified Apple before publicly releasing its research.
The 7 iPhone models affected
The vulnerability impacts seven iPhone models that use the A12 or A13 chips.
iPhone 11
iPhone 11 Pro
iPhone 11 Pro Max
Second generation iPhone SE
iPhone XR
iPhone XS
iPhone XS Max
These devices were introduced between 2018 and 2020 and remain popular among users who have held onto older hardware or purchased refurbished models.
Because the vulnerability is embedded in the chips themselves, owners of these devices cannot expect a complete fix through future versions of iOS.
Other Apple devices are also affected
The security issue extends beyond iPhones.
Researchers say devices powered by Apple’s S4 and S5 chips are also vulnerable. That includes several iPads and Apple Watch models.
Affected tablets include the eighth and ninth generation iPad, the third generation iPad Air, the fifth generation iPad Mini, the first- and second generation 11 inch iPad Pro and the third and fourth generation 12.9 inch iPad Pro.
The first generation Apple Watch SE, along with Apple Watch Series 4 and Series 5, are also impacted.
Technical support for Apple’s A12X and A12Z chips is possible but has not yet been implemented. Those processors are found in select 2018 and 2019 iPad Pro models, meaning additional devices could eventually be added to the list.
Why upgrading may be the safest option
Security flaws are typically addressed through software patches that close vulnerabilities after they are discovered. In this case, experts say the nature of SecureROM makes that impossible.
Because the vulnerable code is permanently embedded into the hardware, the only guaranteed way to avoid the issue is to move to a newer device with a different chip architecture.
Upgrading to newer hardware remains the most effective form of protection for affected users.
For people who continue using older devices, experts recommend maintaining strong passcodes, limiting physical access to their phones and staying current with all available software updates, even though those updates cannot eliminate this particular vulnerability.
The findings serve as a reminder that even devices known for strong security protections can eventually face limitations tied to aging hardware. As smartphones remain in use for longer periods, vulnerabilities that cannot be fixed through software may become an increasingly important consideration for consumers deciding when to upgrade.