Researchers Discover 'usbliter8' Exploit That Permanently Affects Millions of Older iPhones
The researchers note that affected users cannot fully mitigate the vulnerability through operating system updates.

A team of security researchers has unveiled a new BootROM exploit called usbliter8, exposing a hardware-level vulnerability in Apple's A12 and A13 chipsets that cannot be patched through software updates.
The exploit targets Apple's SecureROM, the first and immutable code that runs when an iPhone boots. Because SecureROM is burned into the chip during manufacturing, a vulnerability at this level remains present for the lifetime of every affected device. The researchers say the exploit affects devices powered by Apple's A12 and A13 processors, including several older iPhone, iPad, and Apple Watch models.
The team has also released a proof-of-concept exploit, arguing that the research demonstrates how even relatively modern Apple chips remain vulnerable to subtle hardware flaws.
What Is usbliter8?
According to the researchers, usbliter8 exploits a flaw in the Synopsys DesignWare USB controller used by Apple devices. The vulnerability stems from the way the controller handles USB setup packets and Direct Memory Access (DMA) operations. Under specific conditions, an attacker can trigger a buffer underflow that allows memory corruption within SecureROM.
The researchers found that Apple's A12 and A13 SecureROM implementations are vulnerable, while older A11 devices and newer A14-generation hardware are not exploitable in the same way. On newer devices, Apple appears to have configured additional memory protection mechanisms that prevent the attack from succeeding.
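The article says only that the flaw lies in how the controller handles USB setup packets and DMA and that it produces a buffer underflow; it does not give the code. The following is an added illustration, not usbliter8 or Apple code, of that bug class: an unsigned-length underflow in a DFU-style download handler that bounds a chunk against host-controlled values. The request code, the offset derivation from wValue, the buffer size and all function names are assumptions for this example, and the setup packets are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* USB control-transfer setup packet: 8 bytes, little-endian fields, host-controlled. */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

enum { DFU_DNLOAD = 1 };     /* hypothetical request code for this example */
#define IMAGE_CAP 4096u      /* assumed size of the fixed image buffer */

/* Decode the 8 raw bytes of a setup packet. Returns 0 on success. */
int parse_setup(const uint8_t raw[8], struct usb_setup *s)
{
    if (raw == NULL || s == NULL) return -1;
    s->bmRequestType = raw[0];
    s->bRequest      = raw[1];
    s->wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    s->wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    s->wLength = (uint16_t)(raw[6] | (raw[7] << 8));
    return 0;
}

/* Download state: the host announces total_len, then sends chunks whose
 * position is derived from wValue (offset = wValue * 64, an assumption). */
struct dfu_state {
    uint8_t  image[IMAGE_CAP];
    uint32_t total_len;
};

/* What a handler decides: whether the data phase would be DMA'd, and where. */
struct verdict {
    int      accepted;
    uint32_t off;
    uint32_t len;
};

/* VULNERABLE: bounds the chunk against total_len - off, but off is host-controlled
 * and never compared with total_len first. When off > total_len the unsigned
 * subtraction wraps to ~4 GiB, so any wLength passes and the data phase would be
 * written at image + off, past the end of the buffer. */
struct verdict vuln_dnload(const struct dfu_state *st, const struct usb_setup *s)
{
    struct verdict v = {0, 0, 0};
    if (s->bRequest != DFU_DNLOAD) return v;
    uint32_t off       = (uint32_t)s->wValue * 64u;
    uint32_t remaining = st->total_len - off;   /* underflows if off > total_len */
    if (s->wLength > remaining) return v;        /* never fires after the wrap */
    v.accepted = 1; v.off = off; v.len = s->wLength;
    return v;
}

/* HARDENED: check the offset before subtracting, check the chunk against what is
 * actually left, and tie the announced size to the real buffer capacity. */
struct verdict safe_dnload(const struct dfu_state *st, const struct usb_setup *s)
{
    struct verdict v = {0, 0, 0};
    if (s->bRequest != DFU_DNLOAD) return v;
    if (st->total_len > IMAGE_CAP) return v;     /* announced size must fit */
    uint32_t off = (uint32_t)s->wValue * 64u;
    if (off > st->total_len) return v;           /* subtraction below cannot wrap */
    if (s->wLength > st->total_len - off) return v;
    v.accepted = 1; v.off = off; v.len = s->wLength;
    return v;
}

/* Copy the data phase only if the verdict stays inside the buffer. A real handler
 * would already have let the DMA engine write it; the split lets us inspect the
 * vulnerable decision without actually corrupting memory. Returns -2 for an
 * accepted verdict that would land out of bounds. */
int commit(struct dfu_state *st, struct verdict v, const uint8_t *data)
{
    if (!v.accepted) return -1;
    if (v.off > IMAGE_CAP || v.len > IMAGE_CAP - v.off) return -2;
    memcpy(st->image + v.off, data, v.len);
    return 0;
}

/* Constructed packets: bmRequestType 0x21, DFU_DNLOAD, wValue, wIndex 0, wLength. */
static const uint8_t PKT_GOOD[8] = {0x21, DFU_DNLOAD, 0x00, 0x00, 0, 0, 0x40, 0x00}; /* off 0, 64 bytes */
static const uint8_t PKT_BAD[8]  = {0x21, DFU_DNLOAD, 0x50, 0x00, 0, 0, 0x00, 0x10}; /* off 5120, 4096 bytes */

/* Run one packet through a handler against a 1024-byte announced image and
 * return the commit() result: 0 copied, -1 rejected, -2 accepted but out of bounds. */
int run_packet(struct verdict (*handler)(const struct dfu_state *, const struct usb_setup *),
               const uint8_t raw[8])
{
    struct dfu_state st; memset(&st, 0, sizeof st); st.total_len = 1024;
    struct usb_setup s;
    if (parse_setup(raw, &s) != 0) return -3;
    uint8_t data[IMAGE_CAP]; memset(data, 0xAB, sizeof data);
    return commit(&st, handler(&st, &s), data);
}

int main(void)
{
    printf("vuln good=%d bad=%d | safe good=%d bad=%d\n",
           run_packet(vuln_dnload, PKT_GOOD), run_packet(vuln_dnload, PKT_BAD),
           run_packet(safe_dnload, PKT_GOOD), run_packet(safe_dnload, PKT_BAD));
    return 0;
}
```

The oversized packet places its chunk at offset 5120 of a 1024-byte image: the vulnerable handler accepts it because `1024 - 5120` wraps to a value larger than any 16-bit wLength, while the hardened handler rejects it before the subtraction can wrap. The same shape of check, offset first and then remaining length, is what a reviewer should look for in any handler that trusts setup-packet fields to size a DMA transfer.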
Full Boot Chain Compromise
The significance of the exploit lies in what happens after the initial compromise.
The researchers demonstrated the ability to gain control of program execution within SecureROM, bypass security mitigations, and ultimately compromise the device's boot chain. On A12 devices, this involves overwriting return addresses to gain control of execution, while A13 devices require additional techniques to bypass Pointer Authentication Code (PAC) protections introduced by Apple.
Once successful, the exploit allows attackers to inject custom code, modify boot behaviour, and introduce their own USB request handlers into Device Firmware Update (DFU) mode. The researchers also demonstrated the ability to boot unsigned versions of iBoot and temporarily lower production-mode restrictions on affected devices.
Apple Can't Patch It With an Update
Unlike conventional security vulnerabilities, BootROM flaws are particularly serious because the affected code lives in read-only memory fixed at manufacture rather than in software that Apple can replace. The researchers note that affected users cannot fully mitigate the vulnerability through operating system updates. Instead, the only complete solution is moving to newer hardware that is not susceptible to the underlying flaw.
That said, the exploit requires physical access to the device over USB and specialised knowledge, meaning it is unlikely to pose a practical threat to most consumers.
SEP Remains a Separate Security Barrier
The team behind usbliter8 emphasised that the exploit does not directly compromise Apple's Secure Enclave Processor (SEP), which stores sensitive information such as encryption keys and biometric data. However, they warned that compromising SecureROM can create broader attack opportunities that may eventually be leveraged against other security mechanisms.
The researchers also disclosed the vulnerability to Apple before publication and coordinated the release with the company's security team.
Why This Matters
BootROM exploits are rare in the Apple ecosystem, and significant when they appear, because they target the earliest stage of a device's startup process. Previous exploits such as checkm8 became foundational tools for the jailbreaking and security research communities because they could not be patched on affected hardware.
The researchers say usbliter8 serves as a reminder that even modern SecureROM implementations remain vulnerable to carefully crafted attacks. Their findings show that hardware security is not infallible and that subtle flaws in low-level components can have consequences that persist for the entire lifespan of a device.
For owners of affected devices, there is no immediate reason to panic. But for Apple, the discovery underscores a challenge every chipmaker faces: software bugs can be fixed with an update, whereas hardware mistakes tend to stay around for much longer.