A new BootROM vulnerability has been discovered affecting Apple’s A12 and A13 chips, with a working proof-of-concept exploit called “usbliter8” now publicly detailed. This exploit targets the SecureROM, the initial code run by an iPhone upon startup, which cannot be patched through software updates. As a result, affected devices will remain susceptible throughout their lifespan.
The exploit takes advantage of a flaw in the USB controller of Apple’s chips. By sending a specific sequence of small packets during startup, attackers can manipulate a hardware pointer, enabling unauthorized data writing in memory. This issue appears to stem from the hardware of the USB controller rather than Apple’s software.
Devices using the A11 chip, such as the iPhone X, are unaffected due to a manual pointer reset function in their USB driver. Chips from the A14 generation onward are also secure, thanks to correctly configured memory protection at the BootROM level. However, the A12 and A13 chips are vulnerable, with the latter posing more challenges due to a security feature called Pointer Authentication Codes (PAC), which complicates memory tampering.
Once the exploit gains control, it installs a custom handler that persists through device restarts, allowing for the temporary lowering of security settings and the booting of unsigned software. It also injects the “PWND” string into the iPhone’s USB serial number to indicate compromise, a nod to previous exploits like “checkm8.”
While the Secure Enclave remains directly unaffected, this type of BootROM compromise creates opportunities for further attacks. The findings were reported to Apple Product Security, and the exploit details have been published for public review.
