Apple's A12 and A13 Chips Facing New Unpatchable Exploit - MacRumors

Security research firm Paradigm Shift today published details of a new BootROM vulnerability affecting Apple's A12 and A13 chips, along with a working proof-of-concept exploit named "usbliter8."

The BootROM, or SecureROM, is the first code an iPhone runs when it powers on. Because it is baked directly into the chip at manufacture, any vulnerability found there cannot be fixed with a software update, meaning affected devices will remain vulnerable for the rest of their lives.

The last publicly known BootROM exploit of this kind was "checkm8," released in 2019, which affected devices from the iPhone 4S through to the iPhone X. usbliter8 now extends that history to the next generation of chips, covering the iPhone XS through to the iPhone 11 series.

The exploit works by taking advantage of a bug in the USB controller built into Apple's chips. When an iPhone receives USB data during startup, the controller uses a memory buffer to store incoming packets. Paradigm Shift found that by sending a specific sequence of unusually small packets, they could manipulate an internal hardware pointer in a way that causes it to walk backwards through memory, allowing data to be written to locations it should never reach. The researchers say this appears to be a bug in the USB controller hardware itself, not in Apple's software.

The A11 chip, used in the iPhone X, is not affected because its USB driver manually resets the pointer after each packet. A14 and later chips are also safe, as they configure a memory protection feature correctly at the BootROM level. The A12 and A13 sit in a vulnerable middle ground between the two.

On A12 devices, gaining code execution is relatively straightforward. On A13 devices, things are considerably harder because Apple introduced a security feature called Pointer Authentication Codes (PAC), which detects and blocks certain types of memory tampering. Paradigm Shift says working around PAC on the A13 required a lengthy multi-step process before the researchers could finally take control of the processor.

Once in control, the exploit installs a custom handler that survives a device restart and adds two capabilities: temporarily lowering the device's security settings, and booting unsigned software without any verification checks. It also injects the traditional "PWND" string into the iPhone's USB serial number as a signal that the device has been compromised, a convention that carries over from checkm8 and earlier exploits.
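The "PWND" marker described above gives a host-side check for device intake or forensic triage. The following is an added example, not code from Paradigm Shift or the article: it parses a DFU-mode USB serial string, flags the A12/A13 chips, and looks for the marker. The space-separated KEY:value layout and the CPID values 8020 and 8030 are assumptions, and the sample strings are constructed.

```python
import re

# Assumption: CPID values for the chips the article names as affected
# (public chip numbering, not stated in the article).
AFFECTED_CPIDS = {"8020": "A12", "8030": "A13"}

# Assumption: the serial is space-separated KEY:value pairs, values may be bracketed.
FIELD_RE = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")


def parse_serial(serial):
    """Split a DFU-mode USB serial string into a {KEY: value} dict."""
    return {key.upper(): value.strip("[]") for key, value in FIELD_RE.findall(serial)}


def triage(serial):
    """Classify one device from its USB serial string."""
    fields = parse_serial(serial)
    chip = AFFECTED_CPIDS.get(fields.get("CPID", ""))
    # Match the marker anywhere in the raw string: the article only says that
    # "PWND" is injected into the serial, not in which field or format.
    marker = "PWND" in serial
    if marker:
        verdict = "marker-present"
    elif chip:
        verdict = "affected-chip-no-marker"
    else:
        verdict = "chip-not-listed"
    return {"chip": chip, "marker": marker, "verdict": verdict}


# Constructed sample serial strings (not captured from real devices).
SAMPLES = [
    "CPID:8020 CPRV:11 BDID:0C ECID:001A2B3C4D5E6F70 SRTG:[iBoot-0000.0.0] PWND:[example]",
    "CPID:8030 CPRV:11 BDID:06 ECID:00AABBCCDDEEFF00 SRTG:[iBoot-0000.0.0]",
    "CPID:8101 CPRV:11 BDID:04 ECID:0011223344556677 SRTG:[iBoot-0000.0.0]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

A result of "affected-chip-no-marker" does not show the device is clean: the marker is a convention the exploit writes, so its absence only means this particular signal is missing.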

Paradigm Shift notes that while usbliter8 does not affect the Secure Enclave directly, a BootROM compromise of this kind opens up wider avenues for attacking it. The firm says it reported its findings to Apple Product Security before publication and worked with Apple on coordinated disclosure. The full proof-of-concept code has been published alongside the write-up at ps.tc.


Top Rated Comments

1 hour ago at 09:24 am
Me with a 14 pro and M2 iPad Pro thinking I'm just fine...then realizing "Oh no, my 2022 Studio Display!"
Score: 9 Votes
Westside guy
1 hour ago at 09:31 am
If the jailbreaking community was still active, this could've ended up being very useful. I miss those days...
Score: 7 Votes
58 minutes ago at 09:33 am

Are the current Neo...
Did you read the post?

...and future generations of Mac run by phone chip be affected?
Ask AI - maybe it's going to hallucinate a response for you.
Score: 6 Votes
vegetassj4
42 minutes ago at 09:49 am
Whew, lucky I'm still rocking this bad boy



[Attached image]
Score: 5 Votes
headlessmike
1 hour ago at 09:31 am

So...you have to plug it into USB? I haven't plugged my phone into anything in about 4 years.
I think the point is that someone could hack your device if they got ahold of it.
Score: 5 Votes
Jseeker
52 minutes ago at 09:38 am
It would be helpful if the article listed affected devices.
Score: 4 Votes