Security researchers have unveiled ‘usbliter8,’ a new vulnerability affecting Apple devices built on the A12 and A13 chips. Because the flaw lies in the hardware rather than in updatable software, Apple cannot patch it on existing devices. The exploit yields arbitrary code execution during the device’s boot process, a significant security concern for a range of Apple products.
The ‘usbliter8’ exploit combines a hardware flaw in the USB controller with a firmware configuration issue. An attacker with physical access places the device in Device Firmware Update (DFU) mode and sends specially crafted data over USB; the crafted traffic makes the USB controller write attacker-controlled data to memory locations it was never meant to touch. That memory corruption gives the attacker control over the device’s startup sequence, so unauthorized code runs before the operating system loads. Notably, the exploit does not directly compromise the Secure Enclave Processor (SEP), which safeguards passcodes and the keys protecting encrypted user data, but code running this early in boot could be used as a staging point for follow-on attacks against the SEP.
The vulnerability impacts devices powered by Apple’s A12, S4, S5, and A13 system-on-chips (SoCs). Specifically, the affected devices include:
- A12: iPhone XR, iPhone XS/XS Max, iPad Air 3, iPad mini 5, iPad 8, and second-generation Apple TV 4K
- S4: Apple Watch Series 4
- S5: Apple Watch Series 5, first-generation Apple Watch SE, and HomePod mini
- A13: iPhone 11/11 Pro/11 Pro Max, second-generation iPhone SE, iPad 9, and Studio Display
The researchers have not yet implemented support for the A12X/A12Z chips, but they state that support is technically feasible. The 2018 and 2020 iPad Pro models, which use those chips, could therefore become susceptible to ‘usbliter8’ in the future.
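A practitioner triaging devices will want to tell, from what a device reports in DFU mode, whether it belongs to the affected families above. The following script is an added example and is not code from the researchers or from Apple. It assumes the DFU-mode USB serial string uses the `KEY:VALUE` format (`CPID`, `CPRV`, `BDID`, `ECID`, `SRTG`, …) that Apple DFU devices expose, and that the CPID values 0x8020, 0x8030 and 0x8027 correspond to the A12, A13 and A12X/A12Z chips respectively; both the format and the mapping are assumptions based on public DFU tooling, not on this article. The watch and HomePod SoCs are omitted because their DFU identifiers are not given here.

```python
import re

# Assumed CPID -> SoC mapping for the chips this article lists as affected.
AFFECTED_CPIDS = {
    0x8020: "A12",
    0x8030: "A13",
}

# Assumed CPID for chips the article says are not yet supported but feasible.
CANDIDATE_CPIDS = {
    0x8027: "A12X/A12Z",
}

# One KEY:VALUE field; bracketed values (e.g. SRTG:[iBoot-...]) may contain spaces.
_FIELD_RE = re.compile(r"(?P<key>[A-Z]+):(?P<value>\[[^\]]*\]|\S+)")


def parse_dfu_serial(serial: str) -> dict:
    """Split an assumed DFU serial string into its KEY:VALUE fields."""
    fields = {}
    for match in _FIELD_RE.finditer(serial):
        fields[match.group("key")] = match.group("value").strip("[]")
    return fields


def classify(serial: str) -> dict:
    """Report whether the DFU-mode device is in an affected or candidate SoC family."""
    fields = parse_dfu_serial(serial)
    if "CPID" not in fields:
        raise ValueError("no CPID field: not a DFU-mode serial string")
    cpid = int(fields["CPID"], 16)

    if cpid in AFFECTED_CPIDS:
        status, soc = "affected", AFFECTED_CPIDS[cpid]
    elif cpid in CANDIDATE_CPIDS:
        status, soc = "candidate", CANDIDATE_CPIDS[cpid]
    else:
        status, soc = "not_listed", "unknown"

    return {
        "cpid": cpid,
        "soc": soc,
        "status": status,
        "bootrom": fields.get("SRTG", ""),
        "ecid": fields.get("ECID", ""),
    }


if __name__ == "__main__":
    # Constructed sample serial strings, not captured from real devices.
    samples = [
        "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:000000DEADBEEF01 IBFL:3C SRTG:[iBoot-3865.0.0.4.7]",
        "CPID:8030 CPRV:11 CPFM:03 SCEP:01 BDID:04 ECID:000000DEADBEEF02 IBFL:3C SRTG:[iBoot-4479.0.0.100.4]",
        "CPID:8027 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:000000DEADBEEF03 IBFL:3C SRTG:[iBoot-3865.0.0.4.7]",
        "CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:000000DEADBEEF04 IBFL:3C SRTG:[iBoot-3332.0.0.1.23]",
    ]
    for s in samples:
        r = classify(s)
        print(f"CPID {r['cpid']:#06x} ({r['soc']}): {r['status']}  bootrom={r['bootrom']}")
```

The `status` value is the actionable output: `affected` devices match the article’s list, `candidate` devices are the A12X/Z iPad Pros the researchers say they could support later, and `not_listed` covers every other CPID, including older chips with their own, separate history.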
Exploiting A13 devices is harder because the A13 implements Pointer Authentication (PAC), which cryptographically signs return addresses and function pointers so that a pointer an attacker has overwritten fails authentication before control can be transferred through it. The researchers report circumventing PAC by systematically corrupting specific memory regions until they control the USB interrupt handler, from which they execute arbitrary code.
Because ‘usbliter8’ cannot be patched on affected hardware, the researchers recommend migrating to newer devices as the only complete mitigation. In the meantime, the practical caveat is that the attack requires physical access and a USB connection to a device placed in DFU mode, so limiting unattended physical exposure of affected devices reduces the risk. The disclosure underscores how much of a modern device’s security rests on hardware that cannot be fixed after it ships.