Security research firm Paradigm Shift today released details of a new BootROM vulnerability affecting Apple’s A12 and A13 chips, along with a working proof-of-concept exploit codenamed “usbliter8.”
BootROM, or SecureROM, is the first code an iPhone executes when it turns on. Because it is built directly into the chip during manufacturing, any vulnerabilities found there cannot be fixed by a software update, meaning affected devices will remain vulnerable for the rest of their lives.
The last publicly known BootROM exploit of this type was “checkm8”, released in 2019, which affected devices from the iPhone 4S to the iPhone X. usbliter8 now extends this story to the next generation of chips, covering the iPhone XS up to the iPhone 11 series.
The exploit works by taking advantage of a bug in the USB controller built into Apple chips. When an iPhone receives USB data during startup, the controller uses a buffer to store incoming packets. Paradigm Shift discovered that by sending a specific sequence of unusually small packets, they could manipulate an internal hardware pointer to move it backwards in memory, allowing data to be written to locations it should never reach. Researchers say it appears to be a bug in the USB controller hardware itself, not Apple’s software.
The A11 chip, used in the iPhone X, is not affected because its USB driver manually resets the pointer after each packet. A14 and later chips are also safe, as they correctly configure a memory protection function at the BootROM level. The A12 and A13 sit in a vulnerable middle ground between the two.
On A12 devices, getting code executed is relatively simple. On A13 devices, things are considerably more difficult because Apple introduced a security feature called Pointer Authentication Codes (PAC), which detects and blocks certain types of memory tampering. Paradigm Shift says that working around PAC on the A13 required a lengthy, multi-step process before researchers could finally take control of the processor.
Once under control, the exploit installs a custom handler that survives device reboots and adds two features: temporarily lowering the device’s security settings and starting unsigned software without any verification checks. It also injects the traditional “PWND” string into the iPhone’s USB serial number to signal that the device has been compromised, a convention that echoes that of checkm8 and earlier exploits.
Paradigm Shift notes that while usbliter8 does not directly affect Secure Enclave, a BootROM compromise of this type opens wider avenues for attacking it. The company says it reported its findings to Apple Product Security before their release and worked with Apple on a coordinated disclosure. The full proof-of-concept code was published with the article on ps.tc.
