Older iPhones have an unfixable security flaw - why it can't be patched and the models affected

Follow ZDNET: Add us as a preferred source on Google.

ZDNET's key takeaways

A security flaw in certain iPhones leaves them vulnerable.

The flaw affects iPhones with an A12 or A13 processor.

The flaw is ROM-based, so Apple can't patch it with a security update.

Do you still use an iPhone 11, XS, XR, or SE? If so, I have some bad news. Yep, another security flaw has been discovered, and Apple can't fix this with one of its typical updates.

In a blog post published on Thursday, cybersecurity firm Paradigm Shift revealed a security vulnerability that it discovered and successfully exploited in older model iPhones with Apple's A12 or A13 chip. Dubbed usbliter8, the flaw affects the boot ROM, aka SecureROM, code of an iPhone, which executes before the operating system loads. By exploiting usbliter8, an attacker could install their own malicious code or run unauthorized commands on a victimized iPhone.

Also: Apple confirms price increases are coming - how much will it cost you?

Because the flaw is in the device's ROM, Apple can't patch it via a software update. The only saving grace is that the flaw can't be triggered remotely. An attacker would need physical access to your phone. They would also need enough time to restart your device and enough know-how to take advantage of the exploit.

Plus, the researchers at Paradigm Shift were unable to bypass Apple's other security safeguards, such as Data Protection. As such, your files, photos, messages, and other user data are not affected by the flaw.

But that doesn't mean there's no cause for concern.

Which iPhone models are affected?

"BootROM vulnerabilities are relatively rare, and when they surface the physical access requirement tends to give organizations a false sense of comfort," Shane Barney, chief information security officer of Keeper Security, told ZDNET. "The assumption is that if an attacker needs to physically hold the device, the risk is contained, and that assumption is worth examining carefully because it does not hold up in practice.

Also: How to download the iOS 27 developer beta (and which iPhone models support it)

"The organizations most exposed to this class of vulnerability are often the ones least likely to see it coming," explained Barney. "Executives, government personnel, legal teams, and anyone carrying a device with access to privileged systems or sensitive data represents a viable target for a physically executed attack, and the opportunities for physical access are more common than most security programs account for."

How can you tell if your device is affected?

Vulnerable iPhones released in 2018 or 2019 with an A12 or A13 processor include the following:

A12 Bionic: Phone XS, XS Max, XR

A13 Bionic: iPhone 11, 11 Pro, 11 Pro Max, iPhone SE (2nd generation)

Other Apple devices with either processor include:

A12 Bionic: iPad Air (3rd generation), iPad mini (5th generation), iPad (8th generation)

A13 Bionic: iPad (9th generation)

Certain Apple Watch models also are vulnerable, specifically those with an S4 or S5 processor. These include the Apple Watch Series 4, Series 5, and the SE (1st generation).

Also: Will your iPhone support Siri AI? The answer is complicated

Older iPhones and iPads with an A11 chip, newer phones with an A14 chip or later, and Apple Watches with an S6 chip or later aren't vulnerable to this flaw. Macs with Apple silicon chips also are untouched. Still, that likely leaves a fair number of people who are still using affected devices.

"By releasing this exploit publicly, we hope to highlight the real-world impact of these hardware flaws and contribute to a broader understanding of modern SecureROM security," Paradigm Shift said in its post. "While newer generations have addressed the underlying issue, affected A12 and A13 devices will carry it for the remainder of their lifetime."

What should you do if you own one of the exploitable devices?

Keep in mind that a hacker would need physical access to your device to exploit the flaw. That means you should always keep your phone in sight so that no one else can grab without your knowledge or permission.

Otherwise, you could follow Paradigm Shift's own advice and buy a new phone. In its post, the firm said that "affected users should be aware that migrating to newer hardware remains the most effective mitigation."

Also: Best iPhone: I compared the top models and found the best options for you

If you've already been thinking of replacing your older iPhone or iPad with a newer one, this may be the time. You can either opt for one of the current iPhones, such as an iPhone 17 or iPhone Air, or wait until September when Apple is expected to release its new iPhone 18 lineup. Be aware, though, that you'll likely have to shell out more money for the next generation as Apple has already revealed that it plans to raise prices.