A security research firm has published details of a new vulnerability affecting two generations of Apple CPUs that cannot be fixed through software updates.

Security research firm Paradigm Shift has published details of a vulnerability in the BootROM of Apple’s A12, S4/S5, and A13 mobile chips, along with a working proof-of-concept exploit.

The A12 processor came out in 2018, and the A13 came out one year later. The A12 was used in the iPhone XS/XR family, iPad Air 3, iPad mini 5, iPad 8, and Apple TV 4K (2nd gen). The A13 was used in the iPhone 11 family, iPhone SE (2020), and iPad 9.

The vulnerability lies in the BootROM, also called SecureROM, which is the first code an iPhone or iPad runs when it powers on. Unlike a PC BIOS, the BootROM cannot be updated in software, so a vulnerability in it can never be patched. Affected devices will therefore remain vulnerable for their entire lifetime.

The exploit takes advantage of a bug in the USB controller in Apple’s chips. Paradigm Shift says the flaw appears to lie in the USB controller hardware itself and is not Apple’s fault.

The researchers found that by sending a specific sequence of smaller-than-expected packets, they could manipulate an internal hardware pointer in such a way as to cause it to walk backwards through memory, allowing data to be written to locations it should never be able to reach.

Gaining code execution is said to be relatively easy on A12 devices, but it’s more challenging on A13 devices, because Apple introduced a security feature called Pointer Authentication Codes (PAC), which detects and blocks certain types of memory tampering. Paradigm Shift says it had to do a lot more work to get around PAC but eventually it did take control of the processor.

Once in control, the exploit overwrites the USB IRQ handler and installs a custom handler that survives a device restart and adds two capabilities: it temporarily lowers the device’s security settings and allows unsigned software to be booted without any verification checks. Adding insult to injury, it also inserts a “PWND” string into the iPhone’s USB serial number as a signal that the device has been compromised.
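That “PWND” marker is the one artifact a defender can look for from the host side. The Python below is an added example, not code from the article or from Paradigm Shift: it parses `lsusb -v` output for each device’s iSerial string and reports those carrying the marker. The embedded sample is constructed; only Apple’s USB vendor ID 0x05ac is real, the product IDs, names and serials are made up.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample in `lsusb -v` layout (not captured from a real device).
# Vendor 0x05ac is Apple's real USB vendor ID; product IDs and serials are made up.
SAMPLE_LSUSB = """\
Bus 001 Device 004: ID 05ac:0001 Apple, Inc. Sample device
Device Descriptor:
  idVendor           0x05ac Apple, Inc.
  idProduct          0x0001 Sample device
  iSerial                 3 00001234-00AA11BB22CC33DD
Bus 001 Device 005: ID 05ac:0002 Apple, Inc. Sample device in recovery
Device Descriptor:
  idVendor           0x05ac Apple, Inc.
  idProduct          0x0002 Sample device in recovery
  iSerial                 3 CPID:0000 ECID:00AA11BB22CC33DD PWND:[example]
"""

DEVICE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$")
SERIAL_RE = re.compile(r"^\s*iSerial\s+\d+\s?(.*)$")
MARKER = "PWND"  # string the article says the exploit inserts into the USB serial


def parse_lsusb(text: str) -> List[Dict[str, str]]:
    """Turn `lsusb -v` output into one record per device, including its iSerial string."""
    devices: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:  # a new "Bus ... Device ...: ID vvvv:pppp name" header starts a record
            devices.append({"bus": m.group(1), "device": m.group(2),
                            "vendor": m.group(3).lower(), "product": m.group(4).lower(),
                            "name": m.group(5).strip(), "serial": ""})
            continue
        m = SERIAL_RE.match(line)
        if m and devices:  # iSerial index 0 means no string; strip() yields ""
            devices[-1]["serial"] = m.group(1).strip()
    return devices


def find_marked_devices(text: str) -> List[Dict[str, str]]:
    """Return the devices whose USB serial string contains the PWND marker."""
    return [d for d in parse_lsusb(text) if MARKER in d["serial"]]


def scan_host() -> List[Dict[str, str]]:
    """Run `lsusb -v` on a Linux host (lsusb must be installed) and report marked devices."""
    out = subprocess.run(["lsusb", "-v"], capture_output=True, text=True, check=False).stdout
    return find_marked_devices(out)


if __name__ == "__main__":
    for d in find_marked_devices(SAMPLE_LSUSB):
        print(f"bus {d['bus']} dev {d['device']} {d['vendor']}:{d['product']} serial={d['serial']!r}")
```

A missing marker proves nothing, since a handler that does not announce itself would leave the serial untouched; the check only catches the behaviour the article describes.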

Paradigm Shift says it reported its findings to Apple security before publication and worked with Apple on coordinated disclosure.

If there is any good news in all of this, it’s that it only affects older processors, and therefore older devices, which are likely not in wide use anymore. But if you own a device with these compromised chips, just know that there is no defending against the exploit.