Apple’s iPhone XR and iPhone 11 families are now linked to a security flaw that cannot be fixed through an iOS update. The issue sits at the most basic level of the system, which means it remains embedded in the device even after software updates.
The discovery matters because it affects models that are still widely used. It also underscores a broader reality for older devices: some risks are no longer software problems, but hardware-level weaknesses that remain in place for the life of the product.
What makes the flaw permanent
Paradigm Shift, a cybersecurity company, disclosed the issue through a proof of concept called usbliter8. The demonstration was released on 18 June 2026 and is said to affect Apple devices using A12 and A13 chips.
The affected lineup includes iPhone XR, iPhone XS, iPhone XS Max, iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max. iPad Pro models from 2018 and 2019 that use A12X and A12Z chips may also be vulnerable, although that part has not been confirmed.
The reason Apple cannot patch the problem is simple: the flaw lives in SecureROM, also known as BootROM. That code is written into the chip during production, so once the hardware leaves the factory, the weakness is permanently present.
How the attack works
Paradigm Shift says usbliter8 allows an attacker to run arbitrary code on a vulnerable device, but only under strict conditions. The attack cannot be carried out remotely over the internet.
Physical access is required first, followed by a USB connection and entry into Device Firmware Update, or DFU, mode. The company says the process can be completed in less than two seconds once the device is prepared.
After a successful attempt, the exploit leaves a “PWND” marker in the device’s USB serial number. That trace makes the compromise easier to identify, but it does not remove the underlying weakness.
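As an added illustration (not code from Paradigm Shift or from the original article), the following script checks USB serial strings collected from attached devices for the “PWND” marker described above. The KEY:VALUE field layout, the function names, the device labels and every sample value are constructed assumptions; only the marker text comes from the report.

```python
import re

# Assumption: the marker shows up as a "PWND" token somewhere in the USB
# serial-number string, as the article describes. The KEY:VALUE layout used
# here is a constructed stand-in, not a format documented on the page.
MARKER = re.compile(r"\bPWND\b(?::\[([^\]]*)\])?", re.IGNORECASE)
FIELD = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")


def parse_serial(serial):
    """Split a space-separated KEY:VALUE serial string into a dict."""
    return {k.upper(): v.strip("[]") for k, v in FIELD.findall(serial)}


def check_device(name, serial):
    """Return a finding for one device's USB serial string."""
    hit = MARKER.search(serial)
    return {
        "device": name,
        "marked": hit is not None,
        # Optional bracketed tag after the marker, if one is present.
        "tag": (hit.group(1) or None) if hit else None,
        "fields": parse_serial(serial),
    }


def scan(inventory):
    """Return the labels of devices whose serial string carries the marker."""
    findings = (check_device(name, serial) for name, serial in inventory)
    return [f["device"] for f in findings if f["marked"]]


# Constructed sample inventory: (device label, USB serial string as read from
# the host's USB descriptor listing). All values are made up.
SAMPLE = [
    ("bench-01", "CPID:0000 ECID:0011223344556677 SRTG:[example-rom-1.0]"),
    ("bench-02", "CPID:0000 ECID:8899AABBCCDDEEFF SRTG:[example-rom-1.0] PWND:[example]"),
    ("bench-03", "F0F0F0F0F0F0"),    # ordinary opaque serial, no fields
    ("bench-04", "cpid:0000 pwnd"),  # lower-case, bare marker
]

if __name__ == "__main__":
    for name in scan(SAMPLE):
        print(f"{name}: PWND marker present in USB serial string")
```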
Why the comparison to checkm8 matters
Paradigm Shift compares usbliter8 to checkm8, the BootROM exploit discovered in 2019. Checkm8 affected a wide range of iPhone models, from iPhone 4S through iPhone X.
The comparison highlights the same core problem: if the vulnerability is in BootROM, software patches are not enough. usbliter8 extends that pattern into newer generations built on A12 and A13 chips.
For most users, the finding is less a reason to panic than a reminder to protect devices physically. If an iPhone XR or iPhone 11 can be accessed by someone in person, the risk cannot be fully eliminated through software alone.
