European cybersecurity firm Paradigm Shift has disclosed a critical vulnerability, dubbed Usbliter8, in Apple's BootROM (SecureROM). Because the BootROM is read-only code baked into the chip at manufacture, the flaw cannot be fixed by a software update; millions of iPhones will remain exploitable for the rest of their service life.
Understanding the Usbliter8 Exploit
Usbliter8 targets the SecureROM, the first code the iPhone's System on Chip (SoC) executes at power-on and the root of trust for everything that boots after it. According to Paradigm Shift, the exploit chains a flaw in the USB controller with a weakness in the device firmware configuration. It requires physical access to the device over USB and affects iPhones with A12 and A13 chips, such as the iPhone XS, XR, and 11, as well as Apple Watches with S4 and S5 chips, all released in 2018 and 2019.
The attack involves connecting a purpose-built USB device, such as a Raspberry Pi Pico 2, to the target iPhone. By sending crafted USB setup packets, the attacker triggers an out-of-bounds write in the SecureROM's USB handling, overwriting memory the boot code relies on, taking control of the processor, and executing arbitrary code at the earliest stage of boot, before any signature verification of later stages has taken place.
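To make the mechanism concrete, the following is an added illustration of the bug class, not Paradigm Shift's proof-of-concept and not the actual Usbliter8 flaw: a minimal model of a USB control-transfer handler in boot firmware that trusts the host-supplied wLength field of the 8-byte SETUP packet, next to a bounded version. The memory layout, the sensitive "slot" placed after the receive buffer, and all function names are constructed for the demo; only the SETUP packet layout is real (USB 2.0 specification, section 9.3).

```c
/*
 * Added illustration (not Paradigm Shift's code, not the Usbliter8 bug itself):
 * how a control-transfer handler that trusts wLength turns a crafted SETUP
 * packet into an out-of-bounds write, beside the bounded version.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

/* Standard 8-byte USB SETUP packet (USB 2.0 spec, section 9.3). */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* host-declared length of the data stage */
} usb_setup_t;

/* Constructed model of firmware memory: a 64-byte receive buffer followed
 * directly by a sensitive slot (think: a pointer or flag the boot flow uses).
 * Everything lives in one flat array so the demo's own writes stay defined. */
#define RX_BUF_SIZE   64
#define SLOT_OFFSET   RX_BUF_SIZE
#define MEM_SIZE      256
#define SLOT_MAGIC    0xCAFEF00DCAFEF00DULL

typedef struct { uint8_t bytes[MEM_SIZE]; } device_mem_t;

static void mem_init(device_mem_t *m) {
    memset(m->bytes, 0, sizeof m->bytes);
    uint64_t magic = SLOT_MAGIC;
    memcpy(&m->bytes[SLOT_OFFSET], &magic, sizeof magic);
}

static uint64_t mem_slot(const device_mem_t *m) {
    uint64_t v;
    memcpy(&v, &m->bytes[SLOT_OFFSET], sizeof v);
    return v;
}

/* VULNERABLE: copies wLength bytes into the 64-byte receive buffer without
 * comparing wLength to the buffer size. The clamp to MEM_SIZE is only so the
 * simulation itself stays inside the array; it is not a real bounds check. */
static size_t handle_data_stage_vuln(device_mem_t *m, const usb_setup_t *s,
                                     const uint8_t *data, size_t data_len) {
    size_t n = s->wLength;
    if (n > data_len) n = data_len;      /* host sent fewer bytes than declared */
    if (n > MEM_SIZE) n = MEM_SIZE;      /* demo guard only */
    memcpy(&m->bytes[0], data, n);       /* overruns the receive buffer */
    return n;
}

/* HARDENED: any transfer longer than the buffer is rejected before copying. */
static size_t handle_data_stage_fixed(device_mem_t *m, const usb_setup_t *s,
                                      const uint8_t *data, size_t data_len) {
    if (s->wLength > RX_BUF_SIZE || data_len > RX_BUF_SIZE)
        return 0;                        /* stall the request, write nothing */
    size_t n = s->wLength < data_len ? s->wLength : data_len;
    memcpy(&m->bytes[0], data, n);
    return n;
}

typedef size_t (*handler_fn)(device_mem_t *, const usb_setup_t *,
                             const uint8_t *, size_t);

/* Feed one vendor-type SETUP packet with the given wLength (constructed
 * attacker data, all 0x41) through a handler; report whether the slot survived. */
static bool slot_intact_after(handler_fn h, uint16_t wLength) {
    device_mem_t m;
    mem_init(&m);
    uint8_t payload[MEM_SIZE];
    memset(payload, 0x41, sizeof payload);
    size_t data_len = wLength > MEM_SIZE ? MEM_SIZE : wLength;
    usb_setup_t s = { .bmRequestType = 0x40, .bRequest = 0x01,
                      .wValue = 0, .wIndex = 0, .wLength = wLength };
    h(&m, &s, payload, data_len);
    return mem_slot(&m) == SLOT_MAGIC;
}

int main(void) {
    printf("vulnerable handler, wLength=200: slot intact = %d\n",
           slot_intact_after(handle_data_stage_vuln, 200));
    printf("hardened handler,   wLength=200: slot intact = %d\n",
           slot_intact_after(handle_data_stage_fixed, 200));
    return 0;
}
```

The point the model makes is the one that matters for a ROM: the check that is missing from `handle_data_stage_vuln` has to be present in the silicon at tape-out, because there is no later firmware update in which to add it.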
Potential Impact and Security Implications
Although Usbliter8 bypasses Apple's signature checks and gives full code execution before the operating system loads, it does not by itself grant access to user data. That data is protected by keys held in the Secure Enclave Processor (SEP), which is not compromised by the exploit; an attacker still needs the device passcode. What the exploit does provide is a privileged foothold on the application processor from which further research into, or attacks on, the Secure Enclave could be attempted.
Remote exploitation is not possible, since the attack requires a physical USB connection, and because the BootROM is re-executed from ROM on every power-on, the exploit does not persist across a reboot. Its most likely practical use is therefore in forensic tooling applied to seized devices. In that respect its impact is comparable to Checkm8, the 2019 BootROM vulnerability affecting A5 through A11 chips that enabled tethered jailbreaks on a large installed base of iPhones.
Apple’s Response and Future Outlook
Paradigm Shift reported the vulnerability to Apple ahead of public disclosure, but the company has yet to issue a public statement. SecurityWeek is awaiting further comment from Apple on the matter. Meanwhile, Paradigm Shift has released proof-of-concept (PoC) code to demonstrate the practical implications of such hardware-level vulnerabilities and to further understanding of modern BootROM security.
The research underscores a continuing challenge for Apple: a flaw in SecureROM can only be corrected in future silicon, so every affected device remains exploitable by anyone with physical access for as long as it is in use. The company's options are limited to hardening newer chip generations and relying on the Secure Enclave and passcode to keep user data out of reach on devices that are already in the field.
