Security researchers have detailed a new exploit, named ‘usbliter8,’ capable of executing arbitrary code within the SecureROM of Apple’s A12 and A13 processors. The underlying vulnerability, discovered by Paradigm Shift, sits in code burned into the silicon during manufacturing and cannot be fixed with software updates, meaning affected devices will carry the flaw for their entire operational lifespan.
Exploit Details and Affected Devices
The ‘usbliter8’ exploit is not a remote attack; it requires physical access to the target device. The device must be in Device Firmware Update (DFU) mode and connected via USB to a specialized microcontroller board. Once set up, the exploit completes in under two seconds, before Apple’s standard signed boot process loads.
The public proof of concept supports the A12, A13, S4, and S5 System-on-Chips (SoCs). Support for the A12X and A12Z is theoretically possible but has not yet been implemented. Affected device families include the iPhone XS, XS Max, XR, 11, 11 Pro, 11 Pro Max, and SE (2nd generation). The iPad Air (3rd generation), iPad mini (5th generation), and 8th-generation iPad are also impacted, as are the Apple Watch Series 4 and 5, the first-generation Apple Watch SE, and the HomePod mini. Devices using the A11 chip are not affected, and the exploit path is currently out of reach on A14 and later chips.
Technical Underpinnings of the Vulnerability
The core of the issue is a hardware flaw in the Synopsys DWC2 USB controller. The controller uses Direct Memory Access (DMA) to store incoming USB Setup packets, buffering up to three of them before rewinding its write pointer. The discrepancy is that the controller accepts packets smaller than the standard Setup packet and advances the pointer by only the bytes actually written, while the rewind always subtracts a fixed 24 bytes. Repeating this mismatch produces a buffer underflow: each cycle leaves the write pointer a little further back, so it walks backward through memory.
On A12 and A13 chips, this underflow becomes exploitable because of how Apple configures the USB Device Address Resolution Table (DART) within SecureROM. With the DART in bypass mode, the underflowing DMA pointer can reach and overwrite arbitrary Static Random-Access Memory (SRAM). The A11 is not affected because it explicitly resets the DMA address after each packet, so the drift never accumulates, and A14 and later chips appear to configure the DART correctly; the A12 and A13 do neither, which is what leaves them vulnerable.
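The pointer drift described above, as a simplified model added here (not the researchers' or Apple's code): it assumes the standard 8-byte USB Setup packet, a rewind every three packets, and offsets measured from the buffer base, and it contrasts the flawed bookkeeping with the per-packet reset the article attributes to the A11.

```python
# Simplified model (added example, not code from the article) of a DMA write
# pointer whose increments track bytes actually written while the periodic
# rewind subtracts a fixed amount. All offsets are relative to the buffer base.

SETUP_PACKET_LEN = 8          # standard USB Setup packet size (assumption)
PACKETS_PER_REWIND = 3        # controller buffers three, then rewinds
REWIND_STEP = SETUP_PACKET_LEN * PACKETS_PER_REWIND   # fixed 24-byte rewind


def flawed_pointer_trace(packet_lens):
    """Model of the described DWC2 behaviour: the pointer advances by the bytes
    actually written, and after every third packet it is rewound by a fixed
    24 bytes. Returns the pointer offset after each packet."""
    ptr = 0
    trace = []
    for i, n in enumerate(packet_lens, start=1):
        ptr += n
        if i % PACKETS_PER_REWIND == 0:
            ptr -= REWIND_STEP
        trace.append(ptr)
    return trace


def per_packet_reset_trace(packet_lens):
    """Model of the mitigating behaviour the article attributes to the A11: the
    DMA address is set back to the buffer base after every packet, so short
    packets cannot accumulate a negative offset."""
    ptr = 0
    trace = []
    for n in packet_lens:
        ptr += n
        trace.append(ptr)
        ptr = 0          # per-packet reset: no drift carries over
    return trace


def min_offset(trace):
    """Lowest offset reached; a negative value means a write landed before the
    buffer base, i.e. the underflow the article describes."""
    return min(trace) if trace else 0


if __name__ == "__main__":
    normal = [SETUP_PACKET_LEN] * 6        # constructed: full-size packets
    short = [SETUP_PACKET_LEN - 2] * 6     # constructed: undersized packets
    print("flawed, normal:", flawed_pointer_trace(normal))
    print("flawed, short: ", flawed_pointer_trace(short))
    print("per-packet reset, short:", per_packet_reset_trace(short))
```

With full-size packets the flawed pointer returns to the base every third packet; with undersized packets it ends each cycle further below the base, while the per-packet reset keeps every write inside the buffer.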
Gaining Code Execution and Post-Exploitation Capabilities
On A12 chips, the DMA buffer sits near the USB task’s stack, allowing an attacker to overwrite a saved link register and take control of the program counter. Exploiting the A13 is more complex because Pointer Authentication (PAC) protects return addresses. The researchers bypassed this by corrupting DART-related heap structures to obtain a limited write capability, overwriting a panic depth counter so that errors loop instead of rebooting the device, and carefully timing DMA writes so as not to corrupt saved registers. The final step overwrote the USB interrupt handler pointer, so that attacker-supplied code ran on the next USB interrupt. Both methods yield code execution at EL1, a privileged exception level, within SecureROM.
Post-exploitation, ‘usbliter8’ injects a custom USB request handler and changes the device’s USB serial string to read ‘PWND:[usbliter8]’. From there an attacker can temporarily demote the SoC’s production mode or boot unsigned iBoot images, bypassing Apple’s secure boot chain. The research does not indicate that the Secure Enclave is compromised, though the researchers note that BootROM-level control might open new avenues for such attacks.
Implications and Mitigation
Like the 2019 checkm8 exploit, ‘usbliter8’ requires physical access and DFU mode, and because the flaw lives in read-only boot code it cannot be patched with firmware updates. The practical risk for average users is considered low, given the prerequisites of physical access and specific technical knowledge. For high-security environments, however, it presents a hardware retirement and device custody challenge: Apple devices built on the A12, A13, S4, and S5 chips are permanently exposed at the hardware level. Mitigation strategies include controlling when and where devices are connected over USB, refreshing sensitive hardware to A14 or newer models, and avoiding DFU mode over untrusted connections.
Norman Pearlstine is the Chief Editor of News Raise and focuses on Business news. His responsibility is to oversee the editorial content including business, commodities, personal investments and the stock market.