Security research firm Paradigm Shift today published details of a new BootROM vulnerability affecting Apple’s A12 and A13 chips, as well as a proof-of-concept exploit called “usbliter8.”
BootROM, or SecureROM, is the first code that the iPhone runs when it powers on. Because it’s baked right into the chip at manufacture, any vulnerability found there can’t be fixed with a software update, meaning affected devices will remain vulnerable for life.
The last publicly known BootROM exploit of this type was “checkm8,” released in 2019, which affected devices from the iPhone 4S to the iPhone X. usbliter8 now extends that history to the next generation of chips, covering the iPhone XS through the iPhone 11 series.
The exploit works by taking advantage of a bug in the USB controller built into Apple’s chips. When the iPhone receives USB data during startup, the controller uses a memory buffer to store incoming packets. Paradigm Shift discovered that by sending a special sequence of unusually small packets, it could manipulate the internal hardware pointer in a way that causes it to move backwards in memory, allowing data to be written to places it shouldn’t be able to access. The researchers say this appears to be a bug in the USB controller hardware itself, not in Apple’s software.
The A11 chip, used in the iPhone X, is unaffected because its USB driver resets the pointer after each packet. A14 and later chips are also safe, as they configure the memory protection feature correctly at the BootROM level. The A12 and A13 sit in a dangerous middle ground between the two.
For A12 devices, achieving code execution is straightforward. For A13 devices, things are more difficult because Apple has introduced a security feature called Pointer Authentication Codes (PAC), which detects and blocks certain types of memory tampering. Paradigm Shift says that working around PAC on the A13 requires a long, multi-step process before researchers can gain control of the processor.
Once in control, the exploit installs a custom handler that survives device reboots and adds two capabilities: temporarily lowering the device’s security settings, and running unsigned software without authentication checks. It also injects the traditional “PWND” string into the iPhone’s USB serial number as a sign that the device has been compromised, a convention that continues from checkm8 and previous exploits.
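For defenders handling devices over USB, the “PWND” convention gives a simple indicator to check. The following is an added example, not code from Paradigm Shift or from the article: it assumes the marker follows the checkm8-style `KEY:[value]` serial layout (the page does not give usbliter8’s exact format), maps CPID values to the chips the article names, and runs on constructed sample strings.

```python
import re

# CPID values of the SoCs the article names (T8015/T8020/T8030/T8101);
# the affected / unaffected split is the article's own.
CHIPS = {0x8015: ("A11", False), 0x8020: ("A12", True),
         0x8030: ("A13", True), 0x8101: ("A14", False)}

# KEY:value or KEY:[value] fields, as in checkm8-era DFU serial strings.
FIELD = re.compile(r"([A-Z]{4}):(\[[^\]]*\]|\S+)")

def parse_serial(serial):
    """Split a DFU-mode USB serial string into a dict of its fields."""
    return {key: val.strip("[]") for key, val in FIELD.findall(serial)}

def triage(serial):
    """Classify one device from its USB serial string."""
    fields = parse_serial(serial)
    try:
        chip, affected = CHIPS.get(int(fields["CPID"], 16), (None, None))
    except (KeyError, ValueError):
        chip, affected = None, None
    # Assumption: the marker shows up as a PWND field, or at least as the
    # bare substring; the article does not specify usbliter8's layout.
    marker = fields.get("PWND") or ("present" if "PWND" in serial else None)
    if marker:
        verdict = "bootrom-compromised"      # device is running modified boot code
    elif affected:
        verdict = "unpatchable-exposure"     # A12/A13: cannot be fixed by update
    elif chip:
        verdict = "not-affected"
    else:
        verdict = "unknown-chip"
    return {"chip": chip, "marker": marker, "verdict": verdict}

# Constructed sample strings (ECID and SRTG values are placeholders).
SAMPLES = [
    "CPID:8020 CPRV:11 ECID:001A2B3C4D5E6F70 SRTG:[iBoot-0000.0.0] PWND:[usbliter8]",
    "CPID:8030 CPRV:11 ECID:001A2B3C4D5E6F71 SRTG:[iBoot-0000.0.0]",
    "CPID:8101 CPRV:11 ECID:001A2B3C4D5E6F72 SRTG:[iBoot-0000.0.0]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

A missing marker proves nothing about a device’s history; the check only flags a device that is currently advertising the string.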
Paradigm Shift notes that while usbliter8 does not compromise the Secure Enclave directly, a BootROM compromise of this nature opens up wider avenues of attack. The company says it reported its findings to Apple Product Security before publication and worked with Apple on coordinated disclosure. The full proof-of-concept code is published along with the documentation on ps.tc.
