Security researchers have uncovered a significant vulnerability in Apple’s A12 and A13 chips, affecting devices such as the iPhone XS through iPhone 11 series. This exploit, named “usbliter8,” targets the BootROM—the initial code executed when an iPhone powers on—which is embedded directly into the chip and cannot be modified via software updates. Consequently, devices with these chips will remain susceptible to this exploit indefinitely.
The vulnerability resides in the USB controller hardware of the affected chips. During device startup, the USB controller processes incoming data packets using a memory buffer. By sending a specific sequence of unusually small packets, attackers can manipulate an internal hardware pointer, causing it to overwrite unintended memory locations. This flaw is inherent to the USB controller hardware, not the software.
Devices with A11 chips, like the iPhone X, are not affected due to their USB drivers resetting the pointer after each packet. Similarly, devices with A14 and newer chips are secure, as they correctly configure memory protection features at the BootROM level. However, A12 and A13 chips lack these safeguards, leaving them vulnerable.
Exploiting this vulnerability on A12 devices is relatively straightforward. On A13 devices, the process is more complex due to the introduction of Pointer Authentication Codes (PAC), a security feature that detects and blocks certain types of memory tampering. Bypassing PAC on A13 devices requires a multi-step process before gaining control over the processor.
Once control is established, the exploit installs a custom handler that persists through device restarts. This handler can temporarily lower the device’s security settings and boot unsigned software without verification checks. Additionally, it injects the “PWND” string into the iPhone’s USB serial number, signaling that the device has been compromised—a convention carried over from previous exploits.
While “usbliter8” does not affect the Secure Enclave—a separate processor responsible for handling sensitive data like encryption keys and biometric information—the exploit’s unpatchable nature poses a significant security risk. Users of devices with A12 and A13 chips should exercise caution, especially when connecting to untrusted USB devices or networks.
This discovery underscores the challenges in securing hardware components and the potential long-term implications of hardware-level vulnerabilities. As these chips are embedded in millions of devices worldwide, the exploit highlights the importance of robust hardware design and the need for ongoing vigilance in the face of evolving security threats.
