← Back to Daily Briefing

A critical hardware-level vulnerability in the Apple SecureROM (BootROM) enables privileged execution on A12 and A13 chipsets via the 'usbliter8' exploit. The flaw stems from a design weakness in the Synopsys DesignWare USB 2 (DWC2) controller, where a mismatch between DMA pointer increments and resets during USB Setup transactions triggers a buffer underflow. Attackers can bypass Pointer Authentication Codes (PAC) on A13 devices using heap corruption and interrupt handler manipulation to achieve EL1 privileged execution in Device Firmware Update (DFU) mode. Because the vulnerability exists in the immutable BootROM, it is unpatchable via software updates, requiring hardware replacement for full remediation.

  • Research Overview: usbliter8 Exploit

    • Discovery of 'usbliter8' targeting the immutable SecureROM during the early boot process.
    • Focuses on a fundamental design flaw in the interaction between USB controllers and system memory.
    • Specifically targets devices placed in Device Firmware Update (DFU) mode via physical USB access.
  • Vulnerability Mechanics: DMA & Buffer Underflow

    • Root cause resides in the Synopsys DesignWare USB 2 (DWC2) controller used in Apple silicon.
    • Exploitation involves manipulating the DOEPDMA register to create a DMA pointer reset/mismatch.
    • This mismatch triggers a controlled 12-byte buffer underflow during USB Setup transactions.
  • Exploitation Path: PAC Bypass and Execution

    • Utilizes a Return-Oriented Programming (ROP) chain to redirect execution flow.
    • Bypasses A13 Pointer Authentication Codes (PAC) through strategic heap corruption and interrupt handler manipulation.
    • Achieves EL1 privileged execution, granting the attacker the ability to modify the Memory Management Unit (MMU).
  • Impact and Affected Hardware

    • Affected Processors: Apple A12 and A13 chipsets (found in multiple iPhone generations).
    • Affected Wearables: Apple Watch S4 and S5 chipsets.
    • Mitigated Platforms: A14 and newer processors are not vulnerable due to corrected DART (DMA Remapping) configurations.
  • Mitigation and Remediation

    • Software remediation is impossible because the flaw exists in the immutable SecureROM code.
    • Definitive mitigation requires hardware upgrades to A14-based devices or newer.
    • High-security environments should prioritize the decommissioning of A12/A13 legacy hardware.

Related posts

  1. gbhackers.com — iPhone BootROM Vulnerability Opens Door to Full Apple SoC Trust Chain Compromise
  2. thecyberexpress.com — New iPhone BootROM Flaw Enables Hardware-Level Compromise
  3. cyberinsider.com — Unpatchable BootROM exploit for Apple A12-A13 chips now public
  4. feeds.feedburner.com — Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain
  5. cybersecurity.pk — Unpatchable ‘usbliter8’ Exploit Breaks Apple A12 and A13 SecureROM Boot Chain
  6. Redsecuretech
  7. Cyberpress
  8. Cybersecuritynews
  9. Idropnews
  10. Healsecurity
  11. Ground
  12. Mallory
  13. techjacksolutions.com — usbliter8: Unpatchable SecureROM Exploit Targets A12/A13 Apple Silicon via USB DMA Buffer Underflow
  14. Security Affairs — usbliter8 Brings Unpatchable BootROM Exploit to Apple A12 and A13 Devices
  15. blackhatnews.tokyo
  16. Expert In the Cloud — New iPhone BootROM Vulnerability Exposes Apple
  17. News4Hackers — Apple Exploit Bypasses Boot Defenses, Impacts Millions of iPhones

LINK COPIED TO CLIPBOARD