Jun 18, 2026
Security Researchers Discover New Unpatchable BootROM Vulnerability in Apple A12 and A13 Chips

Paradigm Shift has published details of an unpatchable BootROM vulnerability affecting Apple's A12 and A13 chips, along with a working exploit called "usbliter8." The exploit takes advantage of a bug in the USB controller hardware. The flaw affects iPhones from the XS through the 11 series and cannot be remedied through software updates.


Quick Facts
Who: Paradigm Shift
What: New BootROM vulnerability discovered and published
When: 2026-06-18
Where: Apple chips in iPhones
- New BootROM vulnerability discovered and published
- Proof-of-concept exploit 'usbliter8' released
- USB controller hardware bug exploited
- Pointer Authentication Codes bypassed on A13 chips
- Custom handler installed for persistent access
Security research firm Paradigm Shift has published details of a new BootROM vulnerability affecting Apple's A12 and A13 chips, along with a working proof-of-concept exploit called "usbliter8." The BootROM, or SecureROM, is the first code an iPhone executes when powering on and is permanently embedded into the chip at manufacture, making any vulnerability discovered there impossible to patch through software updates. This leaves devices with these chips vulnerable for their entire lifespan.
The exploit takes advantage of a bug in the USB controller hardware built into Apple's chips. When an iPhone receives USB data during startup, the controller uses a memory buffer to store incoming packets. Paradigm Shift discovered that by sending a specific sequence of unusually small packets, researchers can manipulate an internal hardware pointer to walk backwards through memory, allowing data to be written to restricted locations that should be inaccessible. The vulnerability affects devices from the iPhone XS through the iPhone 11 series, expanding on the history of similar exploits such as "checkm8," which was released in 2019 and affected devices from the iPhone 4S through the iPhone X.
The security implications vary depending on the chip generation. Gaining code execution on A12 devices is relatively straightforward, while A13 devices present considerably greater challenges due to Apple's Pointer Authentication Codes (PAC) security feature, which detects and blocks certain types of memory tampering. Paradigm Shift reports that bypassing PAC on A13 chips required a complex multi-step process. The A11 chip, found in the iPhone X, is not affected because its USB driver manually resets the pointer after each packet, while A14 and later chips are protected by correctly configured memory protection features at the BootROM level.
Once an attacker gains control through the exploit, they can install a custom handler that persists across device restarts, enabling two key capabilities: temporarily lowering device security settings and booting unsigned software without verification checks. The exploit also injects the traditional "PWNED" string into the iPhone's USB serial number as a signal of compromise, following conventions established by earlier boot-level exploits. While the vulnerability does not directly compromise the Secure Enclave, Paradigm Shift notes that a BootROM compromise of this nature opens wider attack vectors against it.
Paradigm Shift coordinated with Apple Product Security before publishing its findings, following responsible disclosure practices. The full proof-of-concept code has been published alongside the technical write-up.
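For teams triaging devices, the affected chip generations and the "PWNED" serial-number marker described above can be checked from the USB serial string a device reports at boot. The following is an added example, not code from Paradigm Shift or the original article; the `triage` function, the KEY:VALUE serial layout, the CPID-to-chip table and the sample strings are assumptions made for illustration.

```python
import re

# Assumptions, not from the article: a device in DFU mode reports a USB serial
# string of space-separated KEY:VALUE fields, and CPID names the SoC.
CPID_TO_CHIP = {"8015": "A11", "8020": "A12", "8030": "A13", "8101": "A14"}
AFFECTED_CHIPS = {"A12", "A13"}  # chip generations the article lists as affected
FIELD_RE = re.compile(r"\b([A-Z]+):(\[[^\]]*\]|\S+)")


def triage(serial: str) -> dict:
    """Classify one USB serial string captured from a device at boot/DFU time."""
    fields = dict(FIELD_RE.findall(serial))
    chip = CPID_TO_CHIP.get(fields.get("CPID", ""), "unknown")
    # The article says the exploit injects "PWNED" into the serial number; the
    # exact placement is not given, so match the substring anywhere.
    marker = "PWNED" in serial.upper()
    if marker:
        verdict = "compromise-indicator"
    elif chip in AFFECTED_CHIPS:
        # A missing marker proves nothing: it is a convention, not a requirement.
        verdict = "exposed-hardware"
    elif chip == "unknown":
        verdict = "unknown-chip"
    else:
        verdict = "not-affected"
    return {"chip": chip, "marker": marker, "verdict": verdict}


# Constructed sample strings (ECID values are made up).
SAMPLES = {
    "xs-clean": "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0E ECID:0011223344556677 IBFL:3C",
    "11-marked": "CPID:8030 CPRV:11 CPFM:03 SCEP:01 BDID:04 ECID:00AABBCCDDEEFF00 IBFL:3C PWNED",
    "x-clean": "CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0001020304050607 IBFL:3C",
    "12-clean": "CPID:8101 CPRV:11 CPFM:03 SCEP:01 BDID:04 ECID:0008090A0B0C0D0E IBFL:3C",
}

if __name__ == "__main__":
    for name, serial in SAMPLES.items():
        print(name, triage(serial))
```

A device on affected hardware with no marker is reported as exposed, not clean, because the marker is only a convention the exploit follows.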
Why This Matters
This vulnerability represents a critical long-term security risk for millions of iPhone users. Unlike traditional software vulnerabilities that can be patched, BootROM flaws are permanently embedded in hardware and cannot be fixed post-manufacture. The release of a working exploit means attackers can now gain low-level control over affected devices, install persistent malware, and potentially compromise the Secure Enclave—Apple's most protected component. For security teams managing iPhone deployments and individual users, this creates an unfixable attack surface that requires either accepting permanent vulnerability or replacing affected devices entirely.
Timeline & Sources
Jan 1, 2019
Wire: checkm8 BootROM exploit released, affecting iPhone 4S through iPhone X
Jun 18, 2026
Wire: Paradigm Shift publishes details of usbliter8 vulnerability affecting A12 and A13 chips, along with proof-of-concept code