New Apple Exploit Exposes Millions of iPhones Worldwide, No Software Fix Available

News Room

Researchers at cybersecurity firm Paradigm Shift have revealed a newly discovered exploit called usbliter8 that bypasses core boot protections on millions of older Apple devices, including iPhones powered by A12 and A13 chips.

The research details an attack against SecureROM, the first code that runs when an Apple device powers on, and the foundation of the company’s secure boot process. Because SecureROM is embedded directly into hardware during manufacturing, flaws at this level cannot be fixed through normal software updates.

The researchers said the exploit combines a hardware issue in a USB controller with a firmware configuration weakness to break Apple’s boot chain and gain deep system access.

“By publishing this research and the accompanying proof of concept, we aim to document the real-world impact of this class of hardware vulnerabilities, contribute to the broader understanding of modern BootROM security, and demonstrate that even recent SecureROM generations remain susceptible to subtle hardware flaws,” Paradigm Shift wrote in its disclosure.

How the bug works

According to Paradigm Shift, the issue stems from the Synopsys DWC2 USB controller used in affected chips.

The controller manages incoming USB setup data through direct memory access (DMA). Researchers found a mismatch in how the controller handles incoming packets and resets memory pointers. Under specific conditions, that mismatch causes the memory pointer to move backward and overwrite areas of memory that should remain protected.

On affected A12 and A13 devices, Apple’s SecureROM configuration leaves the USB Data Address Resolution Table (DART) configured to allow unintended writes to reach critical system memory. The exploit ultimately gives attackers a path to take control of processor execution before Apple’s signed boot process fully loads.
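The mechanism the two paragraphs above describe, reduced to a constructed C model. This is an added illustration, not Apple's SecureROM, the DWC2 driver, or Paradigm Shift's proof of concept: every address, size, packet byte and rewind count is made up, and the "window" is a generic IOMMU allow-list standing in for the role the article attributes to the DART. The model shows why the bug needs both halves the article names: an unchecked pointer rewind on its own sends a device write into a region the boot code must keep intact, but an enforced IOMMU window refuses that write whatever the driver does, and a driver-side clamp on the rewind prevents it as well.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a USB controller DMA-writes 8-byte setup packets into
 * RAM through an IOMMU-style window (the role the article attributes to the
 * DART). All addresses, sizes and packet bytes are invented for illustration;
 * this is not Apple's SecureROM or the DWC2 driver. */

#define RAM_SIZE        256
#define PROTECTED_BASE  64   /* region the boot code must keep intact */
#define PROTECTED_SIZE  64
#define USB_BUF_BASE    128  /* receive buffer the boot code hands the controller */
#define USB_BUF_SIZE    64
#define PACKET_SIZE     8    /* a USB setup packet is 8 bytes */

typedef struct {
    uint8_t  ram[RAM_SIZE];
    uint32_t dma_ptr;         /* controller's next write address */
    bool     window_enforced; /* IOMMU window check on or off */
    uint32_t window_lo, window_hi;
    int      rejected;        /* device writes refused by the window */
} dma_model;

void dma_init(dma_model *m, bool window_enforced) {
    memset(m, 0, sizeof *m);
    m->dma_ptr = USB_BUF_BASE;
    m->window_enforced = window_enforced;
    m->window_lo = USB_BUF_BASE;
    m->window_hi = USB_BUF_BASE + USB_BUF_SIZE;
}

/* One device-initiated write. With the window enforced, anything not wholly
 * inside [window_lo, window_hi) is dropped and counted. */
static bool dma_write(dma_model *m, uint32_t addr, const uint8_t *data, size_t n) {
    if (m->window_enforced && (addr < m->window_lo || addr + n > m->window_hi)) {
        m->rejected++;
        return false;
    }
    if (addr + n > RAM_SIZE) return false;   /* outside modelled RAM */
    memcpy(&m->ram[addr], data, n);
    return true;
}

/* The controller lands a setup packet at dma_ptr and advances. */
bool dma_receive_setup(dma_model *m, const uint8_t pkt[PACKET_SIZE]) {
    bool landed = dma_write(m, m->dma_ptr, pkt, PACKET_SIZE);
    m->dma_ptr += PACKET_SIZE;
    return landed;
}

/* Model of the mismatched reset the article describes in the abstract: the
 * driver rewinds the pointer by a packet count it and the controller disagree
 * about, with no check that the result still lies inside the buffer. */
void dma_reset_pointer_flawed(dma_model *m, uint32_t packets_to_rewind) {
    m->dma_ptr -= packets_to_rewind * PACKET_SIZE;
}

/* Driver-side fix for the same operation: the pointer never leaves the
 * buffer, whatever count the reset logic computed. */
void dma_reset_pointer_checked(dma_model *m, uint32_t packets_to_rewind) {
    uint32_t rewind = packets_to_rewind * PACKET_SIZE;
    if (rewind > m->dma_ptr - USB_BUF_BASE) rewind = m->dma_ptr - USB_BUF_BASE;
    m->dma_ptr -= rewind;
}

bool protected_region_intact(const dma_model *m) {
    for (int i = 0; i < PROTECTED_SIZE; i++)
        if (m->ram[PROTECTED_BASE + i] != 0) return false;
    return true;
}

/* Same packet sequence under one configuration; returns whether the
 * protected region survived. */
bool run_scenario(bool window_enforced, bool checked_reset) {
    dma_model m;
    dma_init(&m, window_enforced);
    /* constructed GET_DESCRIPTOR-shaped setup packet */
    const uint8_t pkt[PACKET_SIZE] = {0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00};

    dma_receive_setup(&m, pkt);                            /* lands at 128, ptr -> 136 */
    if (checked_reset) dma_reset_pointer_checked(&m, 9);   /* clamps ptr to 128 */
    else               dma_reset_pointer_flawed(&m, 9);    /* ptr -> 64, inside protected */
    dma_receive_setup(&m, pkt);                            /* second packet lands wherever ptr points */
    return protected_region_intact(&m);
}

int main(void) {
    printf("window off, flawed reset : protected intact = %d\n", run_scenario(false, false));
    printf("window on,  flawed reset : protected intact = %d\n", run_scenario(true, false));
    printf("window off, checked reset: protected intact = %d\n", run_scenario(false, true));
    return 0;
}
```

The point of the two knobs is the article's own: the driver bug (`dma_reset_pointer_flawed`) is the hardware/firmware mismatch, and the window (`window_enforced`) is the configuration the article says A14 and later tightened. Either fix alone keeps the protected region intact in this model, which is why a ROM-level driver flaw only becomes exploitable when the IOMMU configuration also leaves the door open.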

Which devices are affected

The exploit currently supports Apple chips, including A12, A13, S4, and S5, which power devices such as the iPhone XS, iPhone XR, iPhone 11 lineup, and Apple Watch Series 4 and 5. The researchers also noted that support for A12X and A12Z may be possible but is not currently implemented.

Researchers said A11 devices are not affected because their USB driver resets DMA addresses differently. Devices using A14 chips and newer generations also appear to be protected due to changes in SecureROM’s DART configuration.


What attackers could do

The exploit is not remote and requires physical possession of a device.

Researchers said an attacker would need to place a target device into Device Firmware Update (DFU) mode and connect specialized hardware through USB. Once successful, the exploit can bypass Apple’s signature checks and achieve privileged code execution before the operating system starts.

The proof-of-concept demonstrates capabilities such as temporarily lowering security restrictions and booting unsigned iBoot images.

“Although usbliter8 doesn’t affect SEP itself, it opens up wider attack vectors to compromise the Secure Enclave,” Paradigm Shift researchers explained. Researchers stressed that the exploit does not directly expose user data because Apple’s Secure Enclave Processor remains a separate security boundary.

Echoes of Checkm8

The discovery has drawn comparisons with Checkm8, the BootROM exploit revealed in 2019 that permanently affected earlier generations of iPhones.

Like Checkm8, usbliter8 cannot be removed with a firmware update because the vulnerable code is embedded in the silicon itself. The practical risk for most users remains limited because exploitation requires physical access, but the findings could be significant for forensic tools and high-security environments where device custody matters.

Paradigm Shift said it disclosed the findings to Apple Product Security before publicly releasing the details. The company added that moving to newer hardware is currently the most effective long-term protection for affected users.

For most users, the immediate takeaway is not panic but device lifecycle awareness: keep devices updated, protect physical access, and move sensitive users to newer hardware when possible. For Apple, usbliter8 is another reminder that SecureROM flaws are small cracks with long shadows, because once they ship in silicon, they tend to stay there.

Also read: For another recent Apple security issue, check out our coverage of the Bluetooth flaw Apple patched in Beats Studio Buds, which could have allowed nearby attackers to access sensitive device information.
