Full Report
Security researchers at Paradigm Shift have published a working exploit, dubbed usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips. That code is burned into the silicon at manufacture. No software update can reach it. Affected devices will carry this flaw for as long as they stay in use. This is not a remote attack. It requires
Analysis Summary
This summary details the "usbliter8" vulnerability, a critical hardware flaw impacting the SecureROM of specific Apple silicon.
# Vulnerability: usbliter8 (SecureROM Arbitrary Code Execution)
## CVE Details
- **CVE ID**: Not specified in the article (Commonly assigned by Apple post-disclosure).
- **CVSS Score**: N/A (The vulnerability is critical due to its unpatchable nature and persistence).
- **CWE**: CWE-120 (Buffer Copy without Checking Size of Input), CWE-787 (Out-of-bounds Write).
## Affected Systems
- **Products**: Apple SoCs (A12, A13, S4, S5).
- **Versions**: All iOS/iPadOS versions running on these chips (Immutable hardware flaw).
- **Configurations**:
  - iPhone XS, XS Max, XR; iPhone 11, 11 Pro, 11 Pro Max; iPhone SE (2nd gen).
  - iPad Air (3rd gen), iPad mini (5th gen), iPad (8th gen).
  - Apple Watch Series 4, 5, and SE (1st gen).
  - HomePod mini.
## Vulnerability Description
The flaw resides in the Synopsys DWC2 USB controller's DMA (Direct Memory Access) handling. The controller buffers USB Setup packets, but a logic error makes it rewind the write pointer by a fixed 24 bytes after every fourth packet, even when fewer bytes were actually written. This mismatch causes a repeatable buffer underflow, allowing the write pointer to step backward into unauthorized memory.
On A12 and A13 chips, the USB DART (IOMMU) is configured in bypass mode during the SecureROM phase, so it does not restrict DMA writes. This allows attackers to overwrite the heap, stack (A12), or interrupt handlers in BSS (A13) to gain arbitrary code execution at EL1.
## Exploitation
- **Status**: Proof of Concept (PoC) available publicly; exploited in laboratory settings.
- **Complexity**: High (Requires specialized hardware and precise timing).
- **Attack Vector**: Physical (Requires DFU mode and connection via a specific RP2350-based microcontroller).
## Impact
- **Confidentiality**: High (Access to encrypted data/UID keys possible).
- **Integrity**: High (Ability to boot unsigned images and demote production mode).
- **Availability**: High (Device can be rendered inoperable or force-rebooted).
## Remediation
### Patches
- **None**: This is a hardware-level vulnerability ("Mask ROM") burned into the silicon. No software update can patch the SecureROM code. Apple addressed this in later hardware (A14 and newer) by correctly configuring DART.
### Workarounds
- **Physical Security**: Since the exploit requires physical access and DFU mode, maintaining strict physical control of the device is the only primary mitigation for end-users.
## Detection
- **Indicators of Compromise**:
  - Modification of the USB serial string (e.g., contains `PWND:[usbliter8]`).
  - Unexpected device behavior during boot (custom boot logos or unsigned firmware).
- **Detection Methods**: Monitoring the USB descriptor information while the device is in DFU mode.
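
The descriptor check above can be scripted. The following is an added example, not code from the write-up or the PoC repository: it parses a DFU-mode serial string and flags the `PWND` tag. The `KEY:VALUE` token layout, the CPID-to-chip table and the sample strings are assumptions made for this illustration.

```python
import re

# Assumption (not stated on the page): a DFU-mode serial string is a run of
# space-separated KEY:VALUE tokens, with SRTG and PWND values in brackets.
TOKEN_RE = re.compile(r"([A-Z]{4}):(\[[^\]]*\]|\S+)")

# Assumption: CPID values reported by the A12 and A13. Extend for S4/S5 parts.
AFFECTED_CPIDS = {"8020": "A12", "8030": "A13"}

# Constructed sample strings (ECID and SRTG values are placeholders).
SAMPLES = [
    "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A2B3C4D5E6F70 IBFL:3C SRTG:[iBoot-EXAMPLE]",
    "CPID:8030 CPRV:11 CPFM:03 SCEP:01 BDID:04 ECID:001A2B3C4D5E6F71 IBFL:3C SRTG:[iBoot-EXAMPLE] PWND:[usbliter8]",
    "CPID:8101 CPRV:11 CPFM:03 SCEP:01 BDID:04 ECID:001A2B3C4D5E6F72 IBFL:3C SRTG:[iBoot-EXAMPLE]",
]


def parse_dfu_serial(serial):
    """Return the serial string's fields as a dict, brackets stripped."""
    fields = {}
    for key, value in TOKEN_RE.findall(serial):
        fields[key] = value[1:-1] if value.startswith("[") else value
    return fields


def assess(serial):
    """Classify one DFU serial string as compromised, exposed or not_listed."""
    fields = parse_dfu_serial(serial)
    chip = AFFECTED_CPIDS.get(fields.get("CPID", ""), "unlisted chip")
    if "PWND" in fields:
        # The page's IoC: a PWND tag such as PWND:[usbliter8] in the serial.
        return "compromised", f"{chip}: PWND tag [{fields['PWND']}] present"
    if chip != "unlisted chip":
        # No tag seen, but the SecureROM flaw is present and unpatchable.
        return "exposed", f"{chip}: affected SecureROM, no PWND tag seen"
    return "not_listed", f"CPID {fields.get('CPID', '?')} not in affected table"


if __name__ == "__main__":
    for s in SAMPLES:
        print(*assess(s), sep=" | ")
```

The serial string can be taken from the host's USB enumeration output while the device sits in DFU mode (for example the `iSerial` field of `lsusb -v` on Linux). A missing `PWND` tag is not proof of integrity; it only means this one indicator was not observed.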
## References
- Paradigm Shift Technical Write-up: \[ps[.]tc/pages/blog-usbliter8[.]html\]
- Proof of Concept Repository: \[github[.]com/prdgmshift/usbliter8\]
- Original News Report: \[thehackernews[.]com/2026/06/unpatchable-usbliter8-exploit-breaks[.]html\]