Security research firm Paradigm Shift published a working exploit this week that breaks into Apple devices at the hardware boot level through a BootROM flaw that Apple could not patch in existing silicon, according to the researchers. Named usbliter8, it is the first public unpatchable iPhone exploit targeting A12 and A13 chips since checkm8 exposed earlier hardware in 2019.
The flaw lives in SecureROM, the first code a device runs at power-on, physically embedded in silicon at manufacture. Because it cannot be reached by any software update, any device successfully exploited stays compromised through iOS updates, restores, and reboots for the life of the hardware. The constraint that limits its practical danger: exploitation requires physical possession of the device, a USB cable, and manual entry into DFU mode. This is not a remote attack.
Apple A12, A13 BootROM vulnerability: which devices are affected
The headline chip families are A12 and A13, but the actual scope runs wider. Four chip families are confirmed vulnerable: A12 and A13, found in iPhones and iPads, plus S4 and S5, found in Apple Watch and HomePod mini.
The full device list:
A12: iPhone XR, iPhone XS/XS Max, iPad Air 3, iPad mini 5, iPad 8, second-generation Apple TV 4K
A13: iPhone 11/11 Pro/11 Pro Max, second-generation iPhone SE, iPad 9, Studio Display
S4: Apple Watch Series 4
S5: Apple Watch Series 5, first-generation Apple Watch SE, HomePod mini
Paradigm Shift notes that technical support for A12X and A12Z chips, used in several iPad Pro models, could be achievable but is not currently implemented. A theoretical possibility and a working exploit are not the same thing.
The breadth of this hardware footprint is what lifts usbliter8 beyond a niche jailbreaking story. These are devices still running current iOS, still in daily circulation, and now permanently carrying a flaw that Apple cannot address through any software channel.
What a successful attack actually delivers
The attack works by sending specially crafted USB packets to a device in DFU mode, confusing the USB controller into writing data to the wrong part of memory. More precisely, Paradigm Shift's technical writeup identifies the root cause as USB DART operating in bypass mode on A12 and A13, leaving the chip's SRAM freely overwritable. The attack walks a hardware pointer backward through memory into regions it should never reach.
Once an attacker gains that foothold, they control the device before iOS begins loading. From there, they can bypass Apple's code-signing checks, boot modified system software, and install a persistent handler that survives restarts. The exploit also injects the traditional "PWND" string into the device's USB serial number as a signal of compromise, a convention carried over from checkm8, per MacRumors.
The Secure Enclave is a different matter. usbliter8 does not directly breach it, which means passcodes and encrypted user data remain protected. A BootROM-level compromise is not an instant data dump. Paradigm Shift does note, though, that a compromise of this depth could open broader attack paths toward the Secure Enclave even without breaching it directly. What that looks like in demonstrated practice has not been published.
One framing point worth making explicit: the persistence here applies after a successful physical exploitation event. A device sitting in a pocket, unpowered or in normal use, is not spontaneously compromised by this disclosure. Physical access, a USB connection, and DFU mode are all required before anything else happens.
Why A12 and A13 are vulnerable when their neighbors are not
The vulnerability is a hardware bug in the USB controller, not a software misconfiguration that Apple can update away. During SecureROM execution, A12 and A13 devices run with USB DART configured in bypass mode, which leaves SRAM freely overwritable, Paradigm Shift reported. The attack exploits that opening with a sequence of precisely sized packets.
A11 escapes because its USB driver manually resets the relevant memory pointer after each packet, closing the attack path at the software level, per Paradigm Shift. A14 and later chips configure DART correctly at the BootROM level from the start, making the vulnerability unexploitable. A12 and A13 sit in the gap between those two approaches, having lost the A11 workaround without yet carrying the A14 fix.
A13 adds a complication. Apple introduced Pointer Authentication Codes on that chip, a security feature designed to detect and block memory tampering. On A12, code execution is relatively straightforward to achieve. On A13, Paradigm Shift required a multi-stage corruption process: corrupting several memory regions in sequence until the researchers controlled the USB interrupt handler. PAC raised the difficulty considerably; it did not prevent compromise.
As Paradigm Shift put it, usbliter8 demonstrates that even SecureROM generations protected by Pointer Authentication can be broken through subtle hardware bugs. Affected A12 and A13 devices will carry that exposure for the remainder of their lifetimes.
What users on affected hardware should do
No software fix is coming. Installing the latest iOS update, setting a strong passcode, and keeping a device in hand won't touch the SecureROM flaw. Those practices still matter for other threats. They cannot reach a vulnerability baked into silicon.
Paradigm Shift states directly that migrating to A14 or newer hardware is the most effective mitigation for users concerned about long-term exposure. Apple had not publicly commented on the research as of publication; Paradigm Shift says it reported its findings to Apple Product Security and completed coordinated disclosure before going public.
The practical calculus differs by who's asking. For most users, the physical access requirement keeps real-world risk bounded. Keep the device on your person and be selective about where you send it for repair. For journalists, activists, executives, or anyone whose device might be physically seized, the threat model is different. A confiscated affected device could be subjected to a persistent boot-level compromise that no future iOS update reverses. For that group, a hardware upgrade to A14 or newer is worth treating as a near-term priority.
The proof-of-concept code is already public, and it gathered over 280 GitHub stars within hours of publication. Jailbreak tooling will follow quickly. The more significant long-term question for the security research community is whether usbliter8 develops into a hardware-level forensic pipeline comparable to what checkm8 became for A11 and earlier devices. That trajectory took years with checkm8, and no equivalent capability for A12 and A13 has been demonstrated yet.
Comments
Be the first, drop a comment!