Full Report
Owners of affected iPhones can stop checking for patches now: the fix for this SecureROM bug comes in a new handset
Analysis Summary
# Vulnerability: usbliter8 BootROM Exploit (A12/A13)
## CVE Details
- **CVE ID**: Not explicitly assigned in the provided text (Commonly associated with proprietary hardware flaws during initial disclosure).
- **CVSS Score**: Estimated 6.8 (Medium/High)
- **CWE**: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) / CWE-1219 (Hardware Design Issues)
## Affected Systems
- **Products**: Apple mobile devices (iPhones, iPads) using specific SoCs.
- **Versions**: Devices powered by Apple A12 Bionic and A13 Bionic chips.
- **Configurations**:
- iPhone XS, XS Max, XR
- iPhone 11, 11 Pro, 11 Pro Max
- Relevant iPad models using A12/A13 chips.
- The device must be placed in **Device Firmware Update (DFU) mode**.
## Vulnerability Description
The "usbliter8" vulnerability is a hardware-level flaw residing in the **SecureROM** (BootROM) of A12 and A13 chips. The issue stems from the integration of the Synopsys DesignWare USB controller and how it processes USB setup packets.
During the DFU process, a flaw in the hardware's handling of these packets enables memory corruption. Because SecureROM is the first code executed by the processor and is stored in read-only memory (ROM) burned into the silicon, this vulnerability exists at the lowest level of the hardware's "Root of Trust."
## Exploitation
- **Status**: PoC available (developed by Paradigm Shift researchers).
- **Complexity**: High (Requires specialized hardware/software tools to interface via USB in DFU mode).
- **Attack Vector**: Physical (Requires direct access to the device's lightning/USB port).
## Impact
- **Confidentiality**: Medium (Enables loading of custom firmware; however, Secure Enclave data remains protected).
- **Integrity**: High (Allows bypassing signature checks for iBoot and running unsigned code).
- **Availability**: Medium (Can be used to modify or disrupt the standard boot process).
## Remediation
### Patches
- **Hardware Replacement**: There is **no software patch** available for this vulnerability. The code is immutable.
- **Newer Hardware**: Apple A14 Bionic and subsequent chips (iPhone 12 and newer) are not affected, as the underlying hardware conditions were corrected in those silicon revisions.
### Workarounds
- **Physical Security**: Since the exploit requires physical access to the USB port, maintaining strict physical control of the device is the primary defense.
- **Encryption**: Robust passcodes continue to protect user data via the Secure Enclave, which is not directly compromised by this specific BootROM flaw.
## Detection
- **Indicators of Compromise**:
- Devices displaying a "PWND" string during the boot sequence.
- Presence of non-standard or unsigned iBoot images.
- **Detection Methods**: Monitoring for unauthorized physical tethering to specialized forensic or jailbreaking workstations.
## References
- **Researcher Blog**: hxxps[://]ps[.]tc/pages/blog-usbliter8[.]html
- **Vendor**: Apple (No formal public advisory issued at time of report).
- **Publication**: The Register hxxps[://]www[.]theregister[.]com/ (Search for A12/A13 SecureROM)