A critical hardware-level vulnerability in the Apple SecureROM (BootROM) enables privileged execution on A12 and A13 chipsets via the 'usbliter8' exploit. The flaw stems from a design weakness in the Synopsys DesignWare USB 2 (DWC2) controller, where a mismatch between DMA pointer increments and resets during USB Setup transactions triggers a buffer underflow. Attackers can bypass Pointer Authentication Codes (PAC) on A13 devices using heap corruption and interrupt handler manipulation to achieve EL1 privileged execution in Device Firmware Update (DFU) mode. Because the vulnerability exists in the immutable BootROM, it is unpatchable via software updates, requiring hardware replacement for full remediation.
Research Overview: usbliter8 Exploit
- Discovery of 'usbliter8' targeting the immutable SecureROM during the early boot process.
- Focuses on a fundamental design flaw in the interaction between USB controllers and system memory.
- Specifically targets devices placed in Device Firmware Update (DFU) mode via physical USB access.
Vulnerability Mechanics: DMA & Buffer Underflow
- Root cause resides in the Synopsys DesignWare USB 2 (DWC2) controller used in Apple silicon.
- Exploitation involves manipulating the DOEPDMA register to create a DMA pointer reset/mismatch.
- This mismatch triggers a controlled 12-byte buffer underflow during USB Setup transactions.
Exploitation Path: PAC Bypass and Execution
- Utilizes a Return-Oriented Programming (ROP) chain to redirect execution flow.
- Bypasses A13 Pointer Authentication Codes (PAC) through strategic heap corruption and interrupt handler manipulation.
- Achieves EL1 privileged execution, granting the attacker the ability to modify the Memory Management Unit (MMU).
Impact and Affected Hardware
- Affected Processors: Apple A12 and A13 chipsets (found in multiple iPhone generations).
- Affected Wearables: Apple Watch S4 and S5 chipsets.
- Mitigated Platforms: A14 and newer processors are not vulnerable due to corrected DART (DMA Remapping) configurations.
Mitigation and Remediation
- Software remediation is impossible because the flaw exists in the immutable SecureROM code.
- Definitive mitigation requires hardware upgrades to A14-based devices or newer.
- High-security environments should prioritize the decommissioning of A12/A13 legacy hardware.