The Hardware Vulnerability
Security researchers at Paradigm Shift have released a working exploit named usbliter8 that achieves arbitrary code execution within the SecureROM of Apple A12 and A13 chips. SecureROM is code written directly into the silicon during manufacturing, meaning no software update can ever patch it. Devices with these chips will carry this vulnerability permanently.
The exploit requires physical possession of the device in DFU mode, connected via USB to a specialized RP2350 microcontroller board. Once connected, the attack completes in under two seconds, before Apple’s signed boot chain loads. The technical details and proof of concept code were made public on June 18, 2026, after coordinated disclosure with Apple Product Security.
Impacted Devices and Root Cause
Affected chips include A12, A13, S4, and S5 SoCs, with theoretical support for A12X and A12Z. Device families in this range include iPhone XS, XR, 11 series, iPad Air 3rd gen, iPad mini 5th gen, Apple Watch Series 4 and 5, and HomePod mini. A11 chips and A14 or newer chips are not affected.
The underlying hardware flaw exists in the Synopsys DWC2 USB controller. It stores incoming USB Setup packets via DMA, buffering up to three before resetting its write pointer incorrectly on the fourth packet. This creates a buffer underflow condition. On A12 and A13 chips, Apple configures the USB DART IOMMU in bypass mode within SecureROM, allowing the underflowing DMA pointer to overwrite arbitrary SRAM memory. A11 chips avoid the issue because their USB driver resets the DMA address after every packet. A14 and newer chips configure DART correctly, making the exploit infeasible.
What Attackers Can Achieve
After successful exploitation, usbliter8 injects a custom USB request handler and marks the device with a PWND string in its USB serial descriptor. Attackers can then temporarily demote the SoC production mode or boot raw unsigned iBoot images, completely bypassing Apple’s chain of trust. The exploit grants execution at EL1, the chip’s privileged mode inside SecureROM.
The research does not demonstrate Secure Enclave compromise, but warns that BootROM level control could open new attack paths against it. Like the 2019 checkm8 exploit, usbliter8 cannot be fixed through firmware updates. For most users, the practical risk remains low since it requires physical device access. However, for high security environments, this represents a hardware retirement and device custody problem. Any device with affected chips permanently loses its physical security boundary, and protection now depends entirely on controlling when and where devices can be connected via USB.
Source: The Hacker News
