Security researchers have published a new unpatchable SecureROM exploit for Apple's A12 and A13 chips, extending public BootROM exploitation beyond the devices affected by checkm8.

Security firm Paradigm Shift disclosed the unpatched exploit, called usbliter8, on June 18. It achieves code execution through a flaw in Apple's USB boot process.

The vulnerability affects devices powered by Apple's A12 and A13 chips, including the iPhone XS, iPhone XS Max, iPhone XR, and iPhone 11 lineup. Several iPad models and Apple Watch devices powered by S4 and S5 chips are affected as well.

  • 11-inch iPad Pro (1st generation)
  • 11-inch iPad Pro (2nd generation)
  • 12.9-inch iPad Pro (3rd generation)
  • 12.9-inch iPad Pro (4th generation)
  • Apple Watch Series 4
  • Apple Watch Series 5
  • iPad (8th generation)
  • iPad Air (3rd generation)
  • iPad mini (5th generation)
  • iPhone 11
  • iPhone 11 Pro
  • iPhone 11 Pro Max
  • iPhone SE (2nd generation)
  • iPhone XR
  • iPhone XS
  • iPhone XS Max

Usbliter8 combines a hardware flaw in a USB controller with the way security protections are configured on affected devices. The attack works through Device Firmware Update mode, better known as DFU mode.

Successful exploitation gives researchers control before iOS even starts loading. The exploit also enables boot-chain compromise and custom USB request handling.

The exploit can boot modified iPhone software that wouldn't normally be allowed to run. The flaw Paradigm Shift reported is serious because it exists in SecureROM, the first code that runs when an iPhone starts up.

SecureROM verifies Apple's software before the rest of the operating system loads and serves as the foundation of the device's security model. Apple can patch flaws in iOS, iPadOS, and watchOS through software updates.

Figure: A proper Setup transaction consists of two packets sent by the host. (Diagram of USB communication showing token and data packets with labeled fields for sync, PID, address, endpoint, CRC, EOP, and an 8-byte USB device request received by the driver.) Image credit: Paradigm Shift

SecureROM code, by contrast, is built into the chip itself and can't be replaced after manufacturing. Affected devices will remain vulnerable unless users replace them with newer hardware.

Usbliter8 doesn't affect A14 chips or newer generations because later versions of SecureROM appear to configure hardware protections differently. A11-based devices also avoided the vulnerability because their USB driver resets memory addresses in a way that prevents the attack.

Why the exploit matters

Apple's security architecture checks each stage of the startup process before handing control to the next one. A successful SecureROM exploit can bypass some of those checks and gain access at the earliest stage of device startup.

SecureROM code can't be updated after manufacturing, so access gained through usbliter8 can survive software updates, device restores, and firmware revisions. Persistent access at the SecureROM level separates usbliter8 from a typical software vulnerability.

The exploit doesn't give attackers unrestricted access to user data. Apple's Secure Enclave Processor remains separate from the vulnerability and provides an additional security boundary.

Figure: The correct register values overwrite the ones the researchers corrupted. (Diagram of a task structure memory layout showing labeled regions for task state, other registers, LR, SP, and a safe-to-overwrite area needed while a USB task is running.) Image credit: Paradigm Shift

Usbliter8 doesn't directly compromise the Secure Enclave. The exploit could still expand the range of attacks available against other parts of Apple's platform.

The exploit also faces practical limitations. Researchers must have physical access to a device and use USB connectivity and DFU mode to carry out the attack.

A new chapter after checkm8

The disclosure draws comparisons to checkm8, the SecureROM exploit that affected Apple devices powered by A5 through A11 chips. Checkm8 became one of the most influential iPhone exploits because it targets immutable BootROM code and can't be patched through software updates.

Like checkm8, usbliter8 targets the earliest stages of Apple's boot process. The exploit also can't be fully fixed through software updates.

Apple hasn't faced a public BootROM exploit affecting A12 and A13 devices since checkm8 targeted earlier hardware generations. Usbliter8 changes that with a working exploit for both chip families.

Much of the technical paper focuses on techniques used to bypass security protections on newer Apple hardware. Those efforts ultimately led to successful code execution on supported devices.

Public SecureROM exploits affecting A12 and A13 devices have been rare, making usbliter8 a notable addition to Apple's security history.

Paradigm Shift disclosed the findings to Apple Product Security before publication and coordinated the release with Apple. Apple hadn't publicly commented on the research at the time of publication.

How to stay safe

The practical risk from usbliter8 remains limited because the exploit requires physical access to a device and the use of DFU mode over USB. Most users are unlikely to encounter that threat model during normal use.

Installing security updates, using a strong passcode, and avoiding unattended devices won't patch the SecureROM vulnerability. The measures can still make it harder for an attacker to gain the physical access required to exploit usbliter8.

Users concerned about long-term exposure can reduce their risk by upgrading to hardware powered by Apple's A14 chip or newer. The exploit described in the research does not affect those devices.