Cybersecurity researchers have uncovered a new security flaw affecting millions of older iPhones.
The vulnerability, identified by security firm Paradigm Shift, impacts seven popular iPhone models powered by Apple’s A12 and A13 Bionic chips.
The affected devices include the iPhone XS, iPhone XS Max, iPhone XR, iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max and iPhone SE (2nd generation).
Experts warn the weakness could allow attackers to gain deep access to affected devices and bypass key security protections.
Once compromised, hackers could potentially steal personal information, install hidden spyware and gain control over sensitive parts of the phone.
According to Paradigm Shift, the vulnerability is located in the BootROM, the first code that runs when an iPhone powers on.
Because the issue exists at the hardware level, it cannot be fully eliminated through a traditional software update.
The vulnerability, identified by security firm Paradigm Shift, impacts seven popular iPhone models powered by Apple’s A12 and A13 Bionic chips (stock)
The Daily Mail has contacted Apple for comment.
The vulnerability has been dubbed ‘usbliter8’ by the researchers who discovered it.
Unlike many security flaws that are fixed through routine software updates, this issue stems from the hardware itself.
At the center of the problem is the BootROM, which is the first code executed when an iPhone powers on.
Because the code is permanently embedded into the processor during manufacturing, it cannot be rewritten later through a standard iOS update.
Researchers said the flaw exploits the USB controller built into the chip.
During startup, the controller temporarily stores incoming USB data packets in a small memory area known as a buffer.
By sending a carefully crafted sequence of unusually small data packets, the researchers found they could manipulate the controller into writing information into protected sections of memory where it should never be allowed to go.
The affected devices include the iPhone XS, iPhone XS Max, iPhone XR, iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max and iPhone SE (2nd generation)
Paradigm Shift described the issue as a hardware design oversight rather than a software bug.
The researchers noted that newer iPhones are not affected because Apple changed the underlying hardware design in later generations of its processors.
Interestingly, some older devices are also immune. The A11 chip used in the iPhone X avoids the issue because its USB driver resets a critical memory pointer after processing each data packet, preventing the exploit from working.
While the vulnerability raises concerns among security experts, the practical risk to most users remains limited.
Unlike many cyberattacks that can be carried out remotely over the internet, exploiting this flaw requires physical access to the device and specialized equipment.
However, security researchers warn that hardware-level vulnerabilities are among the most difficult problems to address because they remain embedded in the silicon long after a device leaves the factory.
In May, iPhone users were alerted to a texting scam that has drained bank accounts.
Lancaster County resident Barbara, who requested her last name not be used, lost $24,000 after receiving a text message that read ‘Apple high alert,’ she told local NBC affiliate WGAL.
The message claimed money had been removed from her bank account, prompting her to call a specific number if she did not move the money herself.
When Barbara called the number, a man said her account had been compromised, and hackers could access her funds, urging her to send her money to a protected bank – and she did exactly that.
Following the scammer’s instructions, Barbara went to her bank, withdrew the money and transferred it to the account she had been given.
Apple has warned users about this type of scheme, known as social engineering, which is a targeted attack that relies on impersonation, deception, and manipulation to gain access to your personal data.
In this attack, scammers will pretend to be representatives of a trusted company or entity over the phone or through other communication methods.
They will often use sophisticated tactics to persuade you to hand over personal details such as sign-in credentials, security codes and financial information.
