Unpatchable ‘usbliter8’ Exploit Compromises Apple A12 and A13 SecureROM Boot Chain
A significant security vulnerability has emerged, identified as usbliter8, which allows for arbitrary code execution within the SecureROM of Apple’s A12 and A13 chipsets. This exploit, developed by researchers at Paradigm Shift, poses a serious risk as it exploits a hardware flaw that cannot be mitigated through software updates. Devices affected by this flaw will retain it for their entire operational lifespan.
The exploit requires physical access to the device, which must be placed in Device Firmware Update (DFU) mode and connected to a specialized RP2350-based microcontroller board via USB. Once set up, the exploit can be executed in under two seconds, before the device’s signed boot chain is initiated. The full technical documentation and a proof of concept were publicly released on June 18, 2026, following a coordinated disclosure with Apple Product Security.
Affected Devices
The public proof of concept supports several System on Chips (SoCs), including A12, A13, S4, and S5. While support for A12X and A12Z is theoretically feasible, it has not yet been implemented.
The device families impacted by this vulnerability include:
- iPhone XS, XS Max, and XR
- iPhone 11, 11 Pro, and 11 Pro Max
- iPhone SE (2nd generation)
- iPad Air (3rd generation), iPad mini (5th generation), and iPad (8th generation)
- Apple Watch Series 4 and 5, first-generation Apple Watch SE
- HomePod mini and other Apple products utilizing these chips
Notably, devices using the A11 chip are not affected, and A14 and later models appear to be secure against this exploit.
The Bug
The core issue lies in a hardware flaw within the Synopsys DWC2 USB controller. This controller manages incoming USB Setup packets via Direct Memory Access (DMA), buffering up to three packets before resetting its write pointer on the fourth by decrementing it by a fixed 24 bytes. It also accepts smaller-than-standard packets, which causes the pointer to increment only by the actual bytes written. This mismatch leads to a repeatable buffer underflow, allowing the write pointer to regress through memory in 12-byte increments.
The exploitability of this flaw on A12 and A13 devices is attributed to Apple’s configuration of the USB Device Address Resolution Table (DART) within SecureROM. On affected devices, DART operates in bypass mode, enabling the underflowing DMA pointer to access and overwrite arbitrary SRAM. The A11 chip is unaffected as its USB driver resets the DMA address after each packet, preventing the accumulation of mismatches. A14 and later models appear to have correctly configured DART, rendering the vulnerability unexploitable on newer hardware.
Achieving Code Execution
In the case of the A12, the DMA buffer is located adjacent to the USB task’s stack on the heap. By overwriting a saved link register, an attacker can gain control of the program counter during the next context switch.
The A13 presents a more complex challenge due to Pointer Authentication (PAC), which protects stack-stored return addresses. Researchers at Paradigm Shift circumvented this protection through a multi-stage approach. By corrupting DART-related heap structures, they created limited write primitives. They also manipulated the panic depth counter to force the chip into an error loop instead of rebooting. Precise timing of DMA writes was crucial to avoid overwriting the USB task’s saved registers.
The final step involved overwriting the USB interrupt handler pointer in the Block Storage Segment (BSS). The next USB interrupt would then execute attacker-supplied code, ultimately leading to execution at EL1, the chip’s privileged mode, within SecureROM.
Implications for Attackers
Once the exploit is executed, usbliter8 injects a custom USB request handler and modifies the device’s USB serial string to include PWND:[usbliter8]. This allows an attacker to temporarily alter the SoC’s production mode or boot an unsigned iBoot image without signature checks, effectively bypassing Apple’s chain of trust.
Importantly, the research does not indicate a compromise of the Secure Enclave, which is designed as a separate protection boundary, isolated from the application processor. However, Paradigm Shift cautions that control at the BootROM level may create new avenues for potential attacks against the Secure Enclave.
No Software Patch Available
The closest precedent to this exploit is checkm8, a 2019 SecureROM vulnerability that permanently affected devices from A5 to A11, placing them beyond Apple’s patch authority. Similar to checkm8, usbliter8 necessitates physical access and DFU mode, and cannot be resolved through firmware updates. This vulnerability extends the unpatchable condition to the next generation of chips.
As of June 19, 2026, no Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS) score, Apple security advisory, or CISA alert has been issued, and there have been no publicly reported instances of in-the-wild exploitation.
For the majority of users, the practical risk remains low, as an attacker would need physical access to the device, the appropriate cable, and the expertise to force DFU mode. However, for high-security environments, this vulnerability presents a critical hardware-retirement and device-custody issue.
If a device is equipped with one of the affected chips, the physical security boundary is effectively eliminated; safety now hinges on controlling when and where the device is connected. Organizations should inventory A12, A13, S4, and S5 hardware utilized in sensitive roles, prioritize upgrades to A14 or newer models, and avoid DFU mode over untrusted USB connections.
The code for this exploit is publicly available, which often marks the transition from research demonstration to a tool for malicious actors.
Source: thehackernews.com
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
