Older iPhones have an unfixable security flaw – why it can’t be patched and the models affected


The notch on an iPhone XS Max

The notch at the top of an iPhone XS Max.

Image: Maria Diaz / ZDNET

Follow ZDNET: Add us as a preferred source on Google.


ZDNET’s key takeaways

  • A security flaw in certain iPhones leaves them vulnerable.
  • The flaw affects iPhones with an A12 or A13 processor.
  • The flaw is ROM-based, so Apple can’t patch it with a security update.

Do you still use an iPhone 11, XS, XR, or SE? If so, I have some bad news. Yep, another security flaw has been discovered, and Apple can’t fix this with one of its typical updates.

In a blog post published on Thursday, cybersecurity firm Paradigm Shift revealed a security vulnerability that it discovered and successfully exploited in older model iPhones with Apple’s A12 or A13 chip. Dubbed usbliter8, the flaw affects the boot ROM, aka SecureROM, code of an iPhone, which executes before the operating system loads. By exploiting usbliter8, an attacker could install their own malicious code or run unauthorized commands on a victimized iPhone.

Also: Apple confirms price increases are coming – how much will it cost you?

Because the flaw is in the device’s ROM, Apple can’t patch it via a software update. The only saving grace is that the flaw can’t be triggered remotely. An attacker would need physical access to your phone. They would also need enough time to restart your device and enough know-how to take advantage of the exploit.

Plus, the researchers at Paradigm Shift were unable to bypass Apple’s other security safeguards, such as Data Protection. As such, your files, photos, messages, and other user data are not affected by the flaw.

But that doesn’t mean there’s no cause for concern.

Which iPhone models are affected?

“BootROM vulnerabilities are relatively rare, and when they surface the physical access requirement tends to give organizations a false sense of comfort,” Shane Barney, chief information security officer of Keeper Security, told ZDNET. “The assumption is that if an attacker needs to physically hold the device, the risk is contained, and that assumption is worth examining carefully because it does not hold up in practice.

Also: How to download the iOS 27 developer beta (and which iPhone models support it)

“The organizations most exposed to this class of vulnerability are often the ones least likely to see it coming,” explained Barney. “Executives, government personnel, legal teams, and anyone carrying a device with access to privileged systems or sensitive data represents a viable target for a physically executed attack, and the opportunities for physical access are more common than most security programs account for.”

How can you tell if your device is affected?

Vulnerable iPhones released in 2018 or 2019 with an A12 or A13 processor include the following:

  • A12 Bionic: Phone XS, XS Max, XR
  • A13 Bionic: iPhone 11, 11 Pro, 11 Pro Max, iPhone SE (2nd generation)

Other Apple devices with either processor include:

  • A12 Bionic: iPad Air (3rd generation), iPad mini (5th generation), iPad (8th generation)
  • A13 Bionic: iPad (9th generation)

Certain Apple Watch models also are vulnerable, specifically those with an S4 or S5 processor. These include the Apple Watch Series 4, Series 5, and the SE (1st generation).

Also: Will your iPhone support Siri AI? The answer is complicated

Older iPhones and iPads with an A11 chip, newer phones with an A14 chip or later, and Apple Watches with an S6 chip or later aren’t vulnerable to this flaw. Macs with Apple silicon chips also are untouched. Still, that likely leaves a fair number of people who are still using affected devices.

“By releasing this exploit publicly, we hope to highlight the real-world impact of these hardware flaws and contribute to a broader understanding of modern SecureROM security,” Paradigm Shift said in its post. “While newer generations have addressed the underlying issue, affected A12 and A13 devices will carry it for the remainder of their lifetime.”

What should you do if you own one of the exploitable devices?

Keep in mind that a hacker would need physical access to your device to exploit the flaw. That means you should always keep your phone in sight so that no one else can grab without your knowledge or permission.

Otherwise, you could follow Paradigm Shift’s own advice and buy a new phone. In its post, the firm said that “affected users should be aware that migrating to newer hardware remains the most effective mitigation.”

Also: Best iPhone: I compared the top models and found the best options for you

If you’ve already been thinking of replacing your older iPhone or iPad with a newer one, this may be the time. You can either opt for one of the current iPhones, such as an iPhone 17 or iPhone Air, or wait until September when Apple is expected to release its new iPhone 18 lineup. Be aware, though, that you’ll likely have to shell out more money for the next generation as Apple has already revealed that it plans to raise prices.





Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


One of the worst things about the explosion of AI tools is how much more advanced scam calls have become. It’s now entirely possible to get fake calls with voices that sound exactly like people you know. The June Android drop is here to address this (and add some other goodies).

Fake Call Detection

When scammers impersonate your contacts

1. Call spoofing diagram Credit: Google

The aforementioned voice duping is only one part of the scamming process. If the call comes from an unknown number, you’re far more likely to ignore it. That’s why scammers can also make their calls appear to be coming from numbers you trust.

Fake Call Detection is a new feature in the Phone by Google app that pops up an alert when a caller is suspected of impersonating your contacts. The alert says, “This may not be [Name]” and gives you the option to immediately hang up.

Google Photos is your new wardrobe

Digitally store and try on clothes

You may not know it, but there’s an entire category of apps dedicated to allowing people to catalog their wardrobes. Now, Google Photos is hoping to get in on it with a new “Wardrobe” collection.

First, you snap photos of your clothes and let Google Photos neatly put them on a white background. From there, everything can be categorized by item. You can then tap “Create” and put outfits together, which you can digitally try on. It’s a pretty cool feature that many apps charge a fee for.


Personal safety features expand to kids

13 and under

Google is making the Personal Safety app for Pixel phones available to kids under 13. Features include the ability to display medical information, setting emergency contacts on the lock screen, and car crash detection. In addition, kids over 13 can now use Safety Check and real-time sharing with emergency contacts.

“Catch me up” in Google Play Books

Recaps of what you’ve read

Remember Google Play Books? The company’s often overlooked eBook platform is getting a new feature to help you catch up when you haven’t read a book in a while. It works pretty much how you’d expect—AI summarizes what’s happened up until your current position in the book. It’s also possible to highlight text and ask questions about what you’re reading. These features are part of the new “Book Insights” button.

Quick Share 🤝 AirDrop

Now works with more devices

Last year, Google announced that the Pixel 10 series could share content with Apple’s AirDrop through Quick Share. Since then, it has very slowly expanded the functionality to more phones. Now, once again, the company is announcing even more devices.

The previous list was the Pixel 10 series, Galaxy S26 series, Oppo Find X9 series, Find N6, and Vivo X300 Ultra. New entries include the Galaxy S25 series, S24 series, Z Flip 7, Z Fold 7, Z Flip 6, Z Fold 6, Z TriFold, OPPO Find X8 series, OnePlus 15, HONOR Magic V6, and Magic8 Pro.

Keep your eyes peeled for these features to be rolling out to Android devices and the accompanying apps over the next few days and weeks.

Source: Google



Source link