Older iPhones vulnerable to a flaw Apple can’t fix

Researchers have discovered a vulnerability with older iPhones that Apple can't patch.

The team at Paradigm Shift, an independent European cybersecurity firm, published its findings on the flaw, which it calls usbliter8, on its blog on Thursday.

Researchers exploited flaws in the USB controller and the device's firmware to override the boot process (when the phone turns on) and gain control of the device before iOS loads, and even run unauthorized software.

The issue exists within SecureROM, the code that runs when an iPhone turns on, which is embedded in certain chips. Apple can't fix these flaws, as the code can't be extracted from the chips.

Paradigm Shift reported the vulnerability to Apple before publishing it.

The impacted chips are A12 and A13. Here are the impacted iPhone models with A12 and A13 chips, as reported by AppleInsider:

• iPhone 11

• iPhone 11 Pro

• iPhone 11 Pro Max

• Second-generation iPhone SE

• iPhone XR

• iPhone XS

• iPhone XS Max

S4 and S5 chips, which power some iPad and Apple Watch models, are also affected. Here are the impacted models, according to AppleInsider:

• Eighth and ninth generation iPad

• Third-generation iPad Air

• Fifth-generation iPad Mini

• First and second generation 11-inch iPad Pro

• Third and fourth generation 12.9-inch iPad Pro

• First-generation Apple Watch SE

• Apple Watch Series 4 and 5

Paradigm Shift notes that technical support for the A12X and A12Z chips is possible but hasn't been implemented; this also affects the 2018 and 2019 iPad Pro models, AppleInsider reported.

The exploit requires physical access to the iPhone. Paradigm Shift wrote that it opens up different paths that could allow attackers to compromise Apple's Secure Enclave Processor, which stores encrypted data and passcodes.

"As these vulnerabilities reside in immutable code, affected users should be aware that migrating to newer hardware remains the most effective mitigation," Paradigm Shift's blog post states. Meaning: The best way to avoid this vulnerability is to get a new device.