Security researchers at Paradigm Shift have released a working exploit called ‘usbliter8’ that achieves arbitrary code execution within the SecureROM of Apple’s A12 and A13 chips. Because SecureROM is physically etched into silicon at manufacturing time, the flaw cannot be patched through software updates, meaning affected devices will remain vulnerable for their entire lifespan.
The attack is not remote and requires physical access to the device. An attacker must place the target iPhone or Apple device into DFU mode and connect it to a specialized USB setup using an RP2350-based microcontroller. Once connected, the exploit executes in under two seconds, taking control before Apple’s signed boot chain can fully initialize.
The vulnerability stems from a hardware-level issue in the Synopsys DWC2 USB controller used in these chipsets. A mismatch in how DMA buffers handle USB Setup packets leads to a predictable buffer underflow, allowing the write pointer to drift backward through memory. On A12 and A13 devices, this becomes exploitable due to SecureROM’s USB DART configuration, which allows DMA operations to reach and overwrite protected SRAM.
Researchers demonstrated different exploitation paths depending on the chip. On A12, overwriting adjacent stack memory enables direct control of execution flow via a corrupted return address. On A13, Apple’s Pointer Authentication Code (PAC) protections require a more complex multi-stage approach involving heap corruption, error-loop manipulation, and eventually overwriting USB interrupt handlers to achieve code execution in privileged SecureROM mode. Once successful, the exploit can load unsigned boot images or modify boot behavior, effectively breaking Apple’s chain of trust at the hardware level.
Although Secure Enclave compromise has not been demonstrated, researchers warn that BootROM-level control could open indirect attack paths against it. As with earlier exploits like checkm8, mitigation is impossible via firmware updates; risk is reduced only through hardware retirement and strict physical access controls. The exploit is now public, raising concerns that it could be adopted beyond the research