Older iPhones have an unfixable security flaw – why it can’t be patched and the models affected



The notch at the top of an iPhone XS Max.

Image: Maria Diaz / ZDNET



ZDNET’s key takeaways

  • A newly disclosed boot ROM flaw affects older iPhones, as well as some iPads and Apple Watches.
  • The flaw affects iPhones with an A12 or A13 processor.
  • The flaw is ROM-based, so Apple can’t patch it with a security update.

Do you still use an iPhone 11, XS, XR, or second-generation SE? If so, I have some bad news. Yep, another security flaw has been discovered, and Apple can’t fix this one with its usual software updates.

In a blog post published on Thursday, cybersecurity firm Paradigm Shift revealed a vulnerability that it discovered and successfully exploited in older iPhones built on Apple’s A12 or A13 chip. Dubbed usbliter8, the flaw sits in the phone’s boot ROM (Apple calls it SecureROM), the read-only code that runs first when the device powers on, before iOS loads. By exploiting usbliter8, an attacker could run their own code on a victim’s iPhone or issue unauthorized commands to it.


Because the flaw is in the device’s ROM, Apple can’t patch it via a software update. The only saving grace is that the flaw can’t be triggered remotely. An attacker would need physical access to your phone. They would also need enough time to restart your device and enough know-how to take advantage of the exploit.

Plus, the researchers at Paradigm Shift were unable to bypass Apple’s other security safeguards, such as Data Protection. As such, your files, photos, messages, and other user data are not affected by the flaw.

But that doesn’t mean there’s no cause for concern.

Why physical access is no comfort

“BootROM vulnerabilities are relatively rare, and when they surface the physical access requirement tends to give organizations a false sense of comfort,” Shane Barney, chief information security officer of Keeper Security, told ZDNET. “The assumption is that if an attacker needs to physically hold the device, the risk is contained, and that assumption is worth examining carefully because it does not hold up in practice.”


“The organizations most exposed to this class of vulnerability are often the ones least likely to see it coming,” explained Barney. “Executives, government personnel, legal teams, and anyone carrying a device with access to privileged systems or sensitive data represents a viable target for a physically executed attack, and the opportunities for physical access are more common than most security programs account for.”

How can you tell if your device is affected?

The vulnerable iPhones are those with an A12 or A13 processor, released between 2018 and 2020. To check yours, open Settings > General > About and look at the Model Name field. The affected models are:

  • A12 Bionic: iPhone XS, XS Max, XR
  • A13 Bionic: iPhone 11, 11 Pro, 11 Pro Max, iPhone SE (2nd generation)

Other Apple devices with either processor include:

  • A12 Bionic: iPad Air (3rd generation), iPad mini (5th generation), iPad (8th generation)
  • A13 Bionic: iPad (9th generation)

Certain Apple Watch models also are vulnerable, specifically those with an S4 or S5 processor. These include the Apple Watch Series 4, Series 5, and the SE (1st generation).


Older iPhones and iPads with an A11 chip, newer phones with an A14 chip or later, and Apple Watches with an S6 chip or later aren’t vulnerable to this flaw. Macs with Apple silicon chips are also untouched. Even so, that leaves a fair number of people using affected devices.

“By releasing this exploit publicly, we hope to highlight the real-world impact of these hardware flaws and contribute to a broader understanding of modern SecureROM security,” Paradigm Shift said in its post. “While newer generations have addressed the underlying issue, affected A12 and A13 devices will carry it for the remainder of their lifetime.”

What should you do if you own one of the exploitable devices?

Keep in mind that an attacker needs physical access to your device, plus enough time to restart it, to exploit the flaw. That means you should keep your phone in sight so that no one can take it without your knowledge or permission. Keep a strong passcode set, too: the researchers could not bypass Data Protection, so a locked device still protects the data stored on it.

Otherwise, you could follow Paradigm Shift’s own advice and buy a new phone. In its post, the firm said that “affected users should be aware that migrating to newer hardware remains the most effective mitigation.”


If you’ve already been thinking of replacing your older iPhone or iPad with a newer one, this may be the time. You can either opt for one of the current iPhones, such as an iPhone 17 or iPhone Air, or wait until September when Apple is expected to release its new iPhone 18 lineup. Be aware, though, that you’ll likely have to shell out more money for the next generation as Apple has already revealed that it plans to raise prices.






S847/iStock / Getty Images Plus



ZDNET’s key takeaways

  • Staff who use AI can end up with more to do, not less.
  • Think carefully about the tools you’re using and why.
  • Adopt a set of standards and refine your outputs.

The promise of productivity boosts from AI can come with an unwelcome side order of stress. Harvard Business Review found that AI doesn’t reduce work; it intensifies it, leading to cognitive fatigue and unsustainable hours.

While the common perception is that AI can help reduce workloads, allowing employees to focus more on higher-value and more engaging tasks, HBR’s research found that staff using AI worked more quickly and often ended up with more to do, not less.


While we’ve written about how some professionals are finding ways to turn AI’s time-saving magic into a productivity superpower, we’ve also recognized that some employees have grown tired of the low quality of AI outputs.

Ankur Anand, group CIO at tech recruiter Harvey Nash, said professionals who want to avoid cognitive fatigue must understand how to use AI effectively and its potential risks.

“That focus will help to reduce the noise around the workload that AI creates,” he told ZDNET, suggesting that many people have unrealistic expectations about the productivity boost that AI will provide.


“Many organizations are telling their people, ‘We want to understand how you’re making an impact with AI,'” he said. “But these professionals are not empowered, which means that using AI adds a lot of pressure, because they need to prove themselves on their own terms.”

If you’re going to make the most of AI at work, then you’re going to have to find an effective balance between completing tasks quickly and producing high-quality work. 

Here’s how the experts believe professionals can ensure they reap the benefits, not the problems, of AI — and they suggest that you’ll need to focus on three core areas: tools, guidelines, and outputs.

Limit your toolset

Alex Read, senior enterprise product manager for data at energy provider EDF UK, told ZDNET that the best way for professionals to reap the benefits, not the challenges, of AI is to be uber-focused on tools that help you produce value in your roles.

While there are thousands of potential AI-enabled services on the market, Read said sensible professionals limit their horizons.


In his own role, for example, Read focuses on how AI can help him build a data platform and update information accurately, efficiently, and productively: “Anything outside of that scope is noise for me.”

That sentiment resonated with Nick Pearson, CIO at technology specialist Ricoh Europe, who told ZDNET it’s important to take a step back and think carefully about how an AI tool can help you produce value in your role.

“If you think about the phrase ‘gen AI,’ the tech is very good, by definition, at generating outputs,” he said. “I could go to bed in the evening, set the model to work, and we could have four new IT strategies produced overnight.”


However, quantity doesn’t necessarily mean quality. Pearson suggested it’s important to focus on AI’s blind spots, particularly as most models are trained on preexisting content.

“AI can’t inspire people, per se; it can’t naturally create something new, because it’s actually quite recursive,” he said.

“And the judgment you have to put in sometimes, on top of everything else, whether it be an ethical or a capability judgment, is not there automatically in the technology.”

It’s in this gap, said Pearson, that human experts play a critical role: “We’re toying with that concern as an organization and saying, ‘Where does AI really play an important role, versus where are we upskilling people in areas that AI probably won’t play for a long time?'”

Work to the guidelines

HBR’s research found that an initial productivity surge when AI is adopted can lead to lower-quality work, turnover, and other problems as people work harder rather than smarter.

To correct this issue, HBR said companies need to adopt an “AI practice,” or a set of norms and standards around AI use that help professionals ensure they use AI in a constrained but productive manner.


At EDF UK, Read is part of an internal AI Center of Excellence in enterprise IT, which enables policy for the effective use of AI across the wider organization. 

In addition to Read, who contributes input from a data-use perspective, the group includes other tech representatives, such as the firm’s senior manager of AI, principal software engineer, and principal solution architect.

“The remit of this center is to make sure that, when the federated business units are looking to build, develop, and deploy AI services, they have platforms, guidance, best practices, architectural assets, and materials to guide them on how to safely and efficiently adopt AI and operationalize it at scale,” he said.

Some of the key themes the center considers when assessing AI tools are scalability and reusability, ensuring a proposed service doesn’t replicate one already in use.


“All new tools and services related to AI will go through that hopper and funnel to understand scope and ensure the security, regulatory, and ethical side of things are understood,” he said, suggesting that all professionals should use their organization’s pre-existing guidelines to foster an appropriate exploitation of emerging tech.

“The benefit that guided approach brings is that it allows us to be clear in our messaging around what AI services can be used, how they’re used from a use-case perspective, and ultimately, what personas are allowed to use them.”

Refine your outputs

Even when tools are assessed and considered acceptable, there can still be an overreliance on AI outputs. Worse, some professionals can drown in the insights they receive, leading to higher stress and fewer benefits.

Louise Newbury-Smith, head of UK&I at technology specialist Zoom, told ZDNET that one way to ensure your outputs are constrained is to focus on prompting.

“Use simple amendments to be specific, such as ‘Give me the top three things with the biggest impact.’ That approach should guide your prompt, rather than saying, ‘Give me everything you know about this topic.'”


Newbury-Smith said the successful use of AI is all about being smart about how it’s exploited, and that effectiveness comes down to enablement and engagement. If a prompt yields too much information, refine it until you get what you need. She said this should still be faster than trying to get answers without AI.

The basic message for professionals is that effective applications of AI are all about you staying in the loop, said Bernhard Seiser, vice president of digital, data, and IT at AOP Health.

Think before you use AI, and think again before you push your outputs around the organization.

“It doesn’t help the business if you get AI-generated emails that are many pages long, and then you need ChatGPT to summarize the text,” he told ZDNET.

Seiser said that while there are certain tasks generative AI is good at and worth using for, in the end, “you need to use your brain.”




