Apple devices have unfixable security flaw, researchers warn
Apple's new security flaw enables attackers to load modified system software onto the device, gaining deep access to the operating system
Security researchers at Paradigm Shift have disclosed an unfixable hardware vulnerability affecting millions of Apple devices. The flaw, named "usbliter8", exists in the USB controller and cannot be patched through software updates.
The vulnerability stems from a combination of hardware defects and firmware design flaws in Apple's A12, A13, S4, and S5 chips. The hardware-level nature means existing devices cannot be secured remotely; device replacement is the only long-term fix.
An attacker must first enter device firmware update mode and then send specially crafted data through USB. This confuses the USB controller, causing memory to be written in unintended locations. The corruption allows custom code to execute before iOS fully boots, bypassing signature verification.
It enables attackers to load modified system software onto the device, gaining deep access to the operating system itself.
The Secure Enclave, an isolated coprocessor that deals with encryption and biometrics, is not impacted by usbliter8 at all. It follows that any kind of encrypted data, such as passwords and user credentials, is secured no matter what.
Devices affected include the following: iPhones XR, XS, XS Max, iPhone 11, all iPhone 11s, and iPhone SE; iPads Air 3, mini 5, and iPad 8-9; Apple Watch Series 4, Series 5, and Apple Watch SE; Apple TV 4K (2nd generation); and Studio Display.
Since exploitation of the vulnerability requires physical access, remote attacks are not possible. However, for those who have their devices stolen, this vulnerability becomes a problem.
-
Meta faces lawsuit over alleged AI-based layoff discrimination
-
Australia’s under-16 social media ban fails first age checks: report
-
Google under major investigation in Switzerland over Android search defaults
-
SoftBank’s Masayoshi Son predicts AI will generate 20% of global GDP by 2040
-
Big Tech under fire as Australia uncovers serious child safety failures: report
-
YouTube's algorithm still exposes teens to eating disorder videos, study finds
-
Canadian regulator warns banks of cyber threats, citing Anthropic's Claude Mythos
-
New Android malware can drain bank accounts silently