Your aging iPhone might be vulnerable to a flaw Apple can't patch

- A new BootROM vulnerability has been discovered in older iPhones using the A12 and A13 chips.
- It uses a hardware bug in the USB controller to gain access to an iPhone’s startup process.
- It can’t be patched, and the only way to mitigate it is to switch to a device with a newer processor.
iPhones are not immune to vulnerabilities and exploits. They’ve previously suffered hardware-level exploits like checkm8, and widespread, easy-to-use ones like DarkSword. Now, researchers have found and exploited a new hardware-level BootROM vulnerability on iPhones.
Researchers at Paradigm Shift published an extremely detailed post explaining the “usbliter8” exploit, which leverages a hardware bug in the USB controller and a firmware configuration flaw.
The exploit takes advantage of a flaw in the iPhone’s USB hardware. By sending specially crafted USB data during startup, an attacker can confuse the controller into writing data to the wrong area of memory. This occurs before iOS loads, allowing the attacker to gain control of the boot process and run unauthorized code on the device.
The attack is a bit harder to pull off on devices powered by Apple’s A13 chip because Apple added an extra security feature called Pointer Authentication Codes (PAC). This protection cryptographically signs pointers such as return addresses so that an attacker who corrupts memory can’t easily redirect the processor’s control flow.
However, the researchers say they were still able to find a way around this protection and successfully exploit the chip.
Why Apple can’t fix this

Android often gets criticized for security issues, but the usbliter8 exploit is the kind of flaw that no software update can fix. The vulnerability lies in the BootROM, low-level boot code permanently burned into the affected chips at manufacture. This code is read-only and can’t be changed after a device leaves the factory, meaning Apple can’t fix the vulnerability through a software update.
As a result, devices that are vulnerable today will remain vulnerable forever. The only way to completely avoid the flaw is to use a newer iPhone, iPad, or Apple Watch that doesn’t contain the affected chips.
The exploit works on A12 and A13 chips, as well as the S4 and S5 chips. The researchers also note that “technical support for A12X/Z is possible,” but they haven’t implemented it yet.
There’s only a tiny bit of good news here: the exploit requires physical access to the iPhone and doesn’t affect Apple’s Secure Enclave, where the iPhone stores passcodes and encrypted user data. However, the researchers state that it also opens up possible attack vectors that could compromise the Secure Enclave.
Paradigm Shift disclosed the bug to Apple before publishing it. However, since it can’t be patched, there’s really nothing Apple can do to protect those with older devices. The only silver lining here, if you’re looking for one, is that just like checkm8, usbliter8 could also be used to get a working jailbreak for older iPhones.