Millions of iPhones Affected by Unpatchable USB Security Flaw

Security researchers have revealed a major hardware-level vulnerability affecting several Apple devices, including millions of iPhones, iPads, Apple Watches, and other Apple products.

The flaw, named “usbliter8,” was disclosed by researchers at Paradigm Shift. According to their report, the vulnerability is connected to the USB system and certain Apple silicon chips.

Why the Flaw Cannot Be Patched

Researchers said the issue is caused by a hardware bug in the USB controller, along with a firmware configuration weakness. Because the flaw exists at the hardware level, it cannot be fully fixed through a normal software update.

However, the vulnerability is not remotely exploitable. An attacker would need physical access to the affected device to take advantage of it.

How the Exploit Works

The exploit becomes possible when a device is placed in Device Firmware Update, or DFU, mode. In this state, specially crafted data can be sent through USB to confuse the device’s USB controller.

This may force the controller to write data into the wrong memory area. As a result, an attacker could run custom code before iOS starts, potentially bypassing signature checks and loading modified system software.

Researchers noted that the exploit does not compromise Apple’s Security Enclave. This means sensitive encrypted data, including passcodes and other protected information, remains secured by the device’s dedicated security hardware.

Apple Devices Affected by usbliter8

The usbliter8 vulnerability affects devices powered by Apple’s A12, A13, S4, and S5 chips.

Affected devices include:

• iPhone XR
• iPhone XS
• iPhone XS Max
• iPhone 11
• iPhone 11 Pro
• iPhone 11 Pro Max
• iPhone SE
• iPad Air 3
• iPad mini 5
• iPad 8
• iPad 9
• Apple TV 4K, second generation
• Studio Display
• Apple Watch Series 4
• Apple Watch Series 5
•