Older iPhone models have been found to contain a hardware-level security flaw that cannot be fully resolved through a standard software update. This article looks at which devices may be affected, why the issue matters, and what businesses should consider when managing older mobile devices across their organisation.

Mobile devices are now an essential part of everyday business operations. Employees use phones to access email, business applications, customer data, authentication tools, cloud platforms and internal systems. As a result, mobile security is not simply an IT issue. It is part of wider cyber security, data protection and operational resilience.

Recent reporting has highlighted a vulnerability affecting older Apple devices powered by Apple’s A12 and A13 chips. The issue, nicknamed “usbliter8” by researchers, is significant because it sits deep within the device hardware, rather than within Apple’s iOS software. This means it cannot be fully removed through a routine software update in the same way as many other security vulnerabilities.

What Is the Issue?

The vulnerability relates to the early boot process of affected devices. In simple terms, this is the stage that begins when a device powers on, before the main operating system has fully loaded.

Security researchers have reported that the flaw can allow code execution at a very low level of the device. Because this part of the system is built into the hardware during manufacture, it cannot be rewritten or fully corrected through a normal iOS update.

That makes the vulnerability different from many of the software issues that businesses are used to managing. With a typical software vulnerability, the answer is often to update the operating system, apply a patch and confirm that the device is running the latest version. In this case, keeping devices updated remains important, but it cannot fully remove the underlying hardware weakness.

Which Devices Are Affected?

The issue affects devices using Apple’s A12 and A13 chips. Reported affected iPhone models include:

  • iPhone XS
  • iPhone XS Max
  • iPhone XR
  • iPhone 11
  • iPhone 11 Pro
  • iPhone 11 Pro Max
  • iPhone SE, second generation

Some other Apple devices using related chips may also be affected, including certain iPad and Apple Watch models.

Older models using Apple’s A11 chip, such as the iPhone X, are reported not to be affected in the same way because of differences in how the USB driver handles data. Newer devices using later chip designs are also understood not to be affected by this particular exploit path.

Why the Risk Should Be Put in Context

Although the vulnerability is serious, it is important to understand the practical risk.

This is not currently described as a remote attack that can be carried out simply by sending a message, email or link. Reports indicate that an attacker would need physical access to the device and specialist knowledge or equipment to exploit the flaw.

That distinction matters. For most everyday users, the immediate risk may be lower than with a widely exploited remote vulnerability. However, for businesses, the issue should still be taken seriously because corporate devices often hold or provide access to sensitive systems and data.

The risk becomes more significant if an affected device is lost, stolen, confiscated, left unmanaged or used by people with access to sensitive information. In those circumstances, physical access to the device could create an opportunity for deeper compromise.

Why This Matters for Businesses

Many organisations continue to use older mobile devices for cost, convenience or compatibility reasons. In some cases, devices are issued to staff and managed centrally. In others, employees may use their own devices to access business systems under a bring-your-own-device policy.

Both models create risk if older devices are not properly inventoried, monitored and managed.

Businesses need to know which devices are in use, which chipsets or operating system versions they rely on, whether they still receive security support, and what level of access they have to corporate systems. Without that visibility, organisations may not know whether affected devices are being used to access email, cloud storage, authentication apps, customer records or financial platforms.

This is particularly important for organisations in regulated sectors, or those handling confidential, personal or commercially sensitive data.

Software Updates Still Matter

Even where a hardware-level issue cannot be fully removed, software updates should not be ignored.

Keeping devices updated remains one of the most important cyber security controls. Updates can address other vulnerabilities, improve wider system security and reduce the overall risk of compromise. Businesses should continue to ensure that iPhones, iPads and other mobile devices are running supported operating systems and receiving current security updates.

However, this incident is a reminder that software updates are only one part of device security. Organisations also need to think about the full lifecycle of the devices they use, including procurement, configuration, monitoring, support, loss reporting, decommissioning and replacement.

Practical Steps Organisations Should Consider

Businesses should start by reviewing their mobile device inventory. This should include company-owned devices and, where relevant, personal devices that are permitted to access business systems.

Where older iPhone models are identified, organisations should consider what they are used for, who uses them and what systems they can access. A device used only for basic communication may present a different level of risk from a device used by a senior employee, finance team member or administrator with access to sensitive systems.

Mobile device management should also be reviewed. Businesses should consider whether they can enforce security settings, require strong passcodes, control access to corporate apps, manage updates, remove business data remotely and restrict access where devices fall out of compliance.

Lost and stolen device procedures should be clear and well understood. Staff should know how to report a missing device quickly, and organisations should have a process for disabling access, revoking sessions, resetting credentials and reviewing whether any sensitive data may have been exposed.

Staff should also understand their role in mobile device security. This includes reporting lost or stolen devices immediately, avoiding unknown or untrusted USB connections, keeping devices updated and following company procedures when accessing business systems. Where employees use their own devices, organisations should make minimum security standards clear, including what happens if a device is no longer supported or falls outside policy.

For higher-risk roles or environments, businesses may also need to review whether affected devices should continue to be used, or whether they should be replaced with newer models that are not affected by this specific hardware issue.
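The inventory review, access assessment and retain/restrict/retire decision described in the steps above can be made repeatable with a small triage script. The following is an added example, not AJC's code or any vendor's tool: it takes device records in the shape of a typical MDM export (the sample inventory, field names, role names and access-scope names are all constructed for illustration), maps Apple hardware model identifiers to the affected models listed in this article (the identifier mapping follows Apple's public model identifier scheme and should be checked against your own MDM export), and returns a decision and reason per device. Unknown model identifiers are flagged for manual review rather than silently treated as unaffected.

```python
"""Triage an MDM device inventory for the usbliter8 hardware issue.

Added illustration only. Device records, roles and scope names below are
constructed sample data; adapt the field names to your MDM's export format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# iPhone models reported as affected (A12/A13 chips), as listed in the article.
AFFECTED_MODELS = {
    "iPhone XS", "iPhone XS Max", "iPhone XR",
    "iPhone 11", "iPhone 11 Pro", "iPhone 11 Pro Max",
    "iPhone SE (2nd generation)",
}

# Apple hardware identifiers, which most MDM exports record instead of the
# marketing name. Verify this mapping against your own export before relying on it.
MODEL_IDENTIFIERS = {
    "iPhone11,2": "iPhone XS",
    "iPhone11,4": "iPhone XS Max",
    "iPhone11,6": "iPhone XS Max",
    "iPhone11,8": "iPhone XR",
    "iPhone12,1": "iPhone 11",
    "iPhone12,3": "iPhone 11 Pro",
    "iPhone12,5": "iPhone 11 Pro Max",
    "iPhone12,8": "iPhone SE (2nd generation)",
    # Unaffected examples (A11 and A14) so the join does not drop such devices.
    "iPhone10,3": "iPhone X",
    "iPhone13,2": "iPhone 12",
}

# Hypothetical access scopes and roles treated as sensitive, per the article's
# examples (finance, customer records, administrators, senior staff).
SENSITIVE_SCOPES = {"finance", "customer-records", "admin-console"}
ELEVATED_ROLES = {"finance", "administrator", "senior-management"}


@dataclass(frozen=True)
class Device:
    serial: str
    model_id: str            # Apple hardware identifier as exported by the MDM
    owner_role: str
    scopes: frozenset        # corporate systems the device can reach
    passcode_enforced: bool
    os_current: bool
    remote_wipe_enabled: bool


def marketing_name(model_id: str) -> Optional[str]:
    """Map a hardware identifier to a marketing name; None if unknown."""
    return MODEL_IDENTIFIERS.get(model_id)


def is_compliant(device: Device) -> bool:
    """Minimum MDM posture: passcode, current OS and remote wipe all enforced."""
    return device.passcode_enforced and device.os_current and device.remote_wipe_enabled


def triage(device: Device) -> Tuple[str, str]:
    """Return (decision, reason) where decision is retain, restrict, retire or review."""
    name = marketing_name(device.model_id)
    if name is None:
        return "review", "model identifier not in mapping; confirm chip family manually"
    if not is_compliant(device):
        return "restrict", "out of MDM compliance; block corporate access until remediated"
    if name not in AFFECTED_MODELS:
        return "retain", "chip family not affected; keep managed and updated"
    if device.owner_role in ELEVATED_ROLES or device.scopes & SENSITIVE_SCOPES:
        return "retire", "affected hardware with sensitive access; plan replacement"
    return "retain", "affected hardware, low-sensitivity use; record risk acceptance and review"


def triage_inventory(devices: Iterable[Device]) -> Dict[str, Tuple[str, str]]:
    return {d.serial: triage(d) for d in devices}


def summarise(results: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """Count devices per decision for a management summary."""
    counts: Dict[str, int] = {}
    for decision, _ in results.values():
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed sample inventory (serials and assignments are made up).
SAMPLE_INVENTORY = [
    Device("S001", "iPhone12,3", "finance", frozenset({"email", "finance"}), True, True, True),
    Device("S002", "iPhone11,8", "standard", frozenset({"email"}), True, True, True),
    Device("S003", "iPhone12,8", "standard", frozenset({"email"}), False, True, True),
    Device("S004", "iPhone13,2", "administrator", frozenset({"admin-console"}), True, True, True),
    Device("S005", "iPhone99,9", "standard", frozenset({"email"}), True, True, True),
]

if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for serial, (decision, reason) in results.items():
        print(f"{serial}: {decision:8} {reason}")
    print(summarise(results))
```

Compliance is checked before the hardware question so that an affected device that is also out of policy is restricted first; the "retire" outcome is reserved for affected devices in elevated roles or with sensitive access, matching the article's point that a basic-communication device and an administrator's device carry different risk.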

Device Lifecycle Is a Cyber Security Control

The issue also highlights a wider point: device lifecycle management is an important part of cyber security.

Older devices may continue to work well from a user perspective, but that does not always mean they remain appropriate for business use. As hardware ages, organisations need to assess whether devices still meet security expectations, supplier support requirements and internal risk appetite.

This does not mean every organisation must immediately replace every older device. It does mean businesses should make informed decisions based on risk, rather than relying on convenience or assuming that a working device is automatically a secure device.

A structured approach to device lifecycle management can help organisations decide when to retain, restrict or retire devices, based on the sensitivity of the data and systems they can access.

How AJC Can Help

At AJC, we help organisations understand and manage cyber security risks across their people, processes and technology.

Our team can support businesses in reviewing mobile device security, assessing the risks created by older or unsupported devices, and identifying gaps in policies, procedures and technical controls. This can include reviewing access controls, device management arrangements, incident response processes and the way mobile devices are used to access sensitive systems.

We can also help organisations consider how device lifecycle management fits into wider cyber security governance, operational resilience and data protection requirements.

For businesses preparing for Cyber Essentials or Cyber Essentials Plus, mobile devices may form part of the assessment scope. AJC can help organisations understand what is in scope, identify common gaps and prepare with greater confidence.

Final Thoughts

The reported iPhone vulnerability is a useful reminder that cyber security is not only about software patches and passwords. Hardware, device age, physical access and asset management all matter.

For many businesses, the immediate priority should be visibility. Organisations need to know which devices are being used, what they can access and whether they still meet internal security expectations.

As mobile devices continue to play a central role in business operations, device management should be treated as part of cyber resilience. Understanding the risk now can help organisations make better decisions before a lost, stolen or unmanaged device becomes a bigger issue.

Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.

Sources:

Daily Mail. Millions of iPhone users facing security flaws. Available at: https://www.dailymail.com/sciencetech/article-15914579/iphone-security-breach-bootrom-vulnerability.html

The Hacker News. Unpatchable ‘usbliter8’ Exploit Breaks Apple A12 and A13 SecureROM Boot Chain. Available at: https://thehackernews.com/2026/06/unpatchable-usbliter8-exploit-breaks.html

AppleInsider. A12 & A13 Apple devices face an unpatchable SecureROM vulnerability. Available at: https://appleinsider.com/articles/26/06/18/a12-a13-apple-devices-face-an-unpatchable-secure-rom-vulnerability

TechRadar. Apple users told to watch out for ‘unpatchable’ iPhone security issues. Available at: https://www.techradar.com/pro/security/apple-users-told-to-watch-out-for-unpatchable-iphone-security-issues-heres-what-we-know

Image accreditation: Bagus Hernawan (November 2017) from Unsplash.com. Last accessed on 23 June 2026. Available at: https://unsplash.com/photos/person-holding-space-gray-iphone-7-A6JxK37IlPo
