Researchers find an unpatchable security flaw in multiple iPhone generations

A newly published report from security researchers at Paradigm Shift has identified a serious security flaw baked into the hardware of several Apple devices. The exploit, named “usbliter8”, targets Apple’s USB controller and cannot be patched through a software update. That’s because the bug lives in the chip itself, not in iOS.

According to GSMArena, the flaw affects all devices built on Apple’s A12, A13, S4, and S5 chips. Apple worked with the researchers during the disclosure process, but the conclusion is straightforward: the only real fix is to move to a newer device.

Hardware-level vulnerabilities like this are rare but particularly serious because they sit below the operating system. No iOS update, no matter how thorough, can address a flaw that exists in silicon. That puts affected device owners in a difficult position.

The affected devices include:

  • iPhone XR, iPhone XS, iPhone XS Max
  • iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max
  • iPhone SE (second generation)
  • iPad Air (third generation), iPad mini (fifth generation), iPad (eighth and ninth generations)
  • Apple TV 4K (second generation)
  • Apple Watch Series 4, Series 5, and Apple Watch SE
  • Studio Display

The attack works by exploiting a bug in the USB controller combined with a specific configuration flaw in the device’s firmware. When an affected device is placed in DFU (Device Firmware Update) mode, an attacker can send carefully crafted data over USB. This confuses the USB controller into writing data to the wrong area of memory, which allows someone to inject custom code before iOS even starts loading. From there, they can bypass Apple’s signature checks and run modified system software.

There is one important limit here. The attacker needs the physical device in their hands. This isn’t something that can be done remotely over Wi-Fi or a network connection. That makes the practical risk lower for most people, but it’s still a real concern in scenarios like theft, border crossings, or law enforcement access.

The Secure Enclave, which is where your passcode, biometric data, and encrypted keys are stored, is not affected by this exploit. So someone using this flaw alone cannot directly pull your passwords or decrypt your stored data. That’s a meaningful boundary, even if the rest of the system is exposed.

What makes this particularly notable is that Apple’s older A11 chip, used in the iPhone X and iPhone 8 series, is not affected. The flaw appears to be specific to how certain later chips handle USB communication and firmware configuration, which means it’s not simply a case of older hardware being more vulnerable across the board.

For users still running affected devices, the practical advice is simple but not cheap: upgrade if you can, especially if your phone contains sensitive personal or work data. Short of that, keeping a strong passcode and being aware of when your device leaves your physical control are the best defenses available right now.