A security researcher who goes by the pseudonym “axi0mX” has discovered a supposedly unpatchable iOS vulnerability affecting six generations of Apple Inc. devices.

The anonymous exploit finder published code demonstrating the bug on GitHub earlier today, and, just hours later, members of the cybersecurity community appear to have verified that it works. The vulnerability is found in iOS devices released from 2012 to 2017. That means tens of millions of consumers’ iPhones and iPads may be vulnerable worldwide, though it appears Apple’s newest handsets are safe.

The exploit takes advantage of weaknesses in an iOS component called the bootrom. It’s the first piece of software that activates when a user turns on their handset and is responsible for loading the rest of the operating system, as well as checking for potential security problems. 

What makes the issue difficult to fix is that the bootrom runs on an unmodifiable memory chip to protect it from tempering. Apple can’t simply release a patch over the air like it does for regular security bugs because there’s no way to change the vulnerable code. The iPhone maker could theoretically recall affected models and physically update their motherboards, but barring that possibility, concerned users’ best option is to buy a new device.

The exploit can be abused to “jailbreak” iOS handsets in order to gain complete control of the operating system. This level of access to a device would give a hacker the ability to read encrypted files, access apps and plant malware for future attacks.

The only silver lining is that, just like fixing the bug would require Apple technicians to modify the motherboard physically, exploiting it requires direct access to a device. That means iOS users probably won’t have to worry about hackers remotely hacking their phone via the web or an infected app.

Even so, the exploit represents a major security issue: The last iOS bootrom vulnerability was discovered all the way back in 2009. 

Photo: Unsplash