Physical access can bypass protections before iOS begins.
CUPERTINO, United States | June 2026
Security researchers have identified a serious vulnerability affecting several older iPhone, iPad and Apple Watch models built with Apple’s A12, A13, S4 and S5 chips. The flaw, known as usbliter8, cannot be permanently corrected through an iOS or watchOS update because it exists inside immutable startup code embedded in the hardware. A definitive solution therefore requires replacing the affected device with a newer model. The discovery shows how some security weaknesses can survive every software patch available to the manufacturer.
The vulnerability was found by Paradigm Shift, an independent European cybersecurity firm. Researchers traced the problem to the way USB controllers in the affected chips manage data between transfers. Under certain conditions, memory addresses are not reset correctly, allowing an attacker to place unauthorized code inside protected areas of the processor. This can interfere with the device before the normal operating system and its security controls have fully loaded.
The weakness affects SecureROM, the first code executed when the device starts. SecureROM is permanently written into the chip during manufacturing and establishes the chain of trust used to verify the software that follows. Unlike ordinary firmware, it cannot be extracted, rewritten or replaced through a standard update. Once a defect exists at that level, the manufacturer has no conventional method for removing it from devices already in circulation.
Affected iPhones include the iPhone XR, iPhone XS, iPhone XS Max, iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max and the second-generation iPhone SE. Several iPads are also exposed, including the eighth- and ninth-generation iPad, third-generation iPad Air, fifth-generation iPad mini and multiple iPad Pro models. The Apple Watch Series 4, Series 5 and first-generation Apple Watch SE are included as well. Some devices using the A12X and A12Z chips may also be vulnerable, although practical exploitation support remains incomplete.
The attack is not remote and cannot normally be launched simply by sending a message or email or by directing the user to a malicious website. An attacker must physically possess the device and connect it to external hardware, such as a Raspberry Pi or another specialized system. That requirement significantly reduces the threat for users who keep their devices under control. It becomes more serious when a phone, tablet or watch is lost, stolen, confiscated or temporarily accessed by another person.
Once connected, the exploit can interrupt the normal startup process and execute unauthorized software before iOS begins enforcing its usual protections. This may allow the attacker to bypass restrictions, install low-level tools or examine information stored on the device. Researchers also warned that the technique could potentially reach the Secure Enclave Processor, which protects encryption keys, passwords and other sensitive data. The practical consequences would depend on the device configuration and the attacker’s technical capabilities.
This does not mean that every affected iPhone is immediately compromised. The exploit still requires physical access, specialized knowledge and additional equipment. Strong passcodes, encryption and current software remain important because they can increase the difficulty of extracting useful information. The vulnerability nevertheless weakens the assumption that a locked older device remains fully protected once it leaves the owner’s possession.
Paradigm Shift reported the issue to Apple before publishing its findings. The researchers acknowledged the company’s cooperation during the coordinated disclosure process. Apple can still introduce software mitigations that make exploitation more difficult or restrict some attack paths. It cannot, however, rewrite the defective SecureROM code already embedded inside the vulnerable chips.
The only complete remedy is moving to hardware that does not contain the flaw. Devices using the A14 chip or later generations are not included in the reported affected group. Users who store sensitive professional, financial, medical or personal information may therefore need to evaluate whether continued use creates an unacceptable risk. Replacement becomes especially important for journalists, executives, public officials, activists and others who may face targeted physical access.
For ordinary users, the immediate priority is protecting possession of the device. Phones should not be left unattended in public spaces, repair shops or environments where unauthorized access is possible. Lost devices should be placed into Lost Mode through Apple’s location services and remotely erased when recovery appears unlikely. Users should also maintain secure backups before replacing older hardware.
The discovery creates a difficult decision for people whose devices still function well. An iPhone 11 or iPhone XS may continue receiving some security updates and remain capable of everyday tasks. Replacing it solely because of a physical-access vulnerability may seem excessive for users with limited exposure. The appropriate response depends on the sensitivity of the stored information and the likelihood that another person could obtain the device.
The case also illustrates a broader limit of long-term software support. Manufacturers can patch applications, operating systems and many forms of firmware, but some hardware-level defects remain permanent. As devices age, security depends not only on whether updates continue arriving but also on whether their processors contain weaknesses discovered years after production. A product can therefore remain operational while no longer offering the strongest available protection.
Users should avoid interpreting the finding as evidence that older Apple devices are useless or automatically unsafe. The attack is technically demanding and requires direct control of the hardware. However, the inability to eliminate the flaw means the risk cannot be reduced to zero through routine maintenance. In security-sensitive situations, newer hardware becomes the only reliable answer.
Usbliter8 turns device replacement from a performance choice into a potential security decision. The vulnerability sits below iOS, beyond the reach of ordinary updates and inside the code that determines whether the rest of the system can be trusted. Owners can reduce exposure through careful handling, strong credentials and remote-locking tools. They cannot remove the underlying defect without leaving the affected hardware behind.
Security begins where software can no longer reach.