A New Exploit Exposes a Permanent Flaw in Older iPhones (But Don’t Panic)

If you’re still toting a 2018 or 2019 iPhone model, we have some potentially bad news: security researchers have just discovered an “unpatchable” security vulnerability for two major Apple silicon chips — along with a working proof-of-concept that can be used to exploit the flaw.

Paradigm Shift, a security research firm, published a blog post today outlining a “novel iPhone BootROM vulnerability” its team discovered in Apple’s A12 and A13 SoCs — the chips used in the iPhone XS, iPhone XS Max, iPhone XR, iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, and the second-generation iPhone SE model released in early 2020.

Several iPad models also use these chips, predominantly the A12, found in the 2019 iPad Air (3rd generation) and 2020 iPad (8th generation). Researchers believe the flaw also exists in the A12X and A12Z chips used in the iPad Pro models released in 2018 and 2020 — the last ones released before the transition to the M-series chips with the 2021 models.

The vulnerability also exists in the S4 and S5 chips found in the Apple Watch Series 4, Series 5, first-generation Apple Watch SE, and perhaps most crucially, the HomePod mini — the one device on this list that’s still actually sold by Apple and therefore very much in active use today.

As you’ve probably guessed from the word “unpatchable,” this is a hardware-level flaw that can’t be fixed with a software update. It’s a problem baked right into the design of these chips — specifically in the USB controller — and therefore makes them permanently vulnerable to compromise. The only way to “patch” this flaw is to replace the device with a newer model.

Should You Be Concerned?

Before you panic and start tossing your HomePod mini and iPhone 11 out the window, it’s worth mentioning that this particular vulnerability has a very narrow and specific attack vector.

This security flaw cannot be used to hack your iPhone remotely over Wi-Fi or cellular networks; it requires the attacker to have a physical USB connection to the device to inject the malicious code.

That’s because the flaw exists in the USB controller that Apple uses in its chips. What it actually does is allow an attacker to upload malicious code into the memory space normally occupied only by signed code from the SecureROM — a portion of the system that’s normally tamperproof. Since the code in the SecureROM runs at a very low level, it ends up with access to pretty much the entire system.

That said, there are still some significant limits on how much this compromised ROM code can do, thanks to Apple’s hardware encryption and Secure Enclave Processor (SEP). By default, everything on your iPhone, iPad, or Apple Watch is encrypted using a key derived from your passcode and a unique and unrecoverable hardware key that’s burned into the SEP at fabrication time. This vulnerability only impacts the main processor — the A12, A13, S4, or S5. The SEP is an entirely separate co-processor that security researchers have never been able to fully compromise.

This is also where the most sensitive biometric and payment data is stored, including Face ID and Touch ID information and payment cards added to Apple Pay.

While the researchers at Paradigm Shift have confirmed that the SEP remains off-limits to their proof-of-concept exploit, they do add that the flaw “opens up wider attack vectors to compromise the Secure Enclave.” That’s because code that runs from the SecureROM has “God Mode” control over the main processor from the exact millisecond the device powers on, giving it a unique foothold to launch attacks on the SEP fortress.

So, What’s the Real Risk Here?

While an unpatchable hardware flaw sounds pretty alarming at first glance, this is something the vast majority of Apple users won’t ever need to be concerned about. That’s because exploiting this is the very definition of a “targeted” attack, and it’s likely to be far more useful for shadowy three-letter government agencies and forensic specialists in criminal investigations.

The real application for this exploit is more about GrayKey-style digital forensics or injecting short-term spyware. While the SEP makes brute-forcing or extracting data nearly impossible for anyone with a highly secure passcode, tools like GrayKey use this type of flaw as a mandatory first step to attack the device locally. It could also be used to monitor data feeds in real time, turning a HomePod into an eavesdropping device, or tracking someone’s location from their Apple Watch.

While the code injection attack only requires a few seconds to deploy, it still requires a physical, wired connection to the target device. That makes an iPhone the most vulnerable to this due to its easily accessible port. By contrast, an Apple Watch is typically attached to a person’s body and has a diagnostic port that’s both harder to access and requires a specialized cable. Most HomePod mini smart speakers are also typically kept in relatively secure locations, meaning an attack would have to either be initiated by a housemate or someone breaking in to plant malware on the device.

That’s already the stuff of spy novels, but there’s another important wrinkle here. The SecureROM remains immutable — that’s what “Read Only Memory” means — so the exploit only works by injecting the malicious code into the temporary memory workspace used by the SecureROM at boot time. That means as soon as you reboot your iPhone, iPad, Apple Watch, or HomePod mini, the dodgy code vanishes. It has to be re-injected over a USB connection every time the device is booted up. Now you know why the NSA recommends people power off their iPhones at least once a week.

At the end of the day, this is a flaw that’s of great interest to security researchers, and we’re sure the jailbreak community is also looking at positive ways to help in their efforts to mod iPhones, but unless you’re someone who expects to be the target of a forensic or espionage action, it’s highly unlikely to ever affect you.