Severity
High
Analysis Summary
The newly disclosed usbliter8 vulnerability is a critical BootROM-level exploit affecting Apple devices powered by A12, A13, and S4/S5 chips. Researchers discovered that the flaw stems from a combination of a hardware weakness in the Synopsys DWC2 USB controller and a firmware misconfiguration within SecureROM. The vulnerability allows attackers with physical USB access to compromise the entire application processor boot chain before the operating system loads. Because BootROM code is permanently embedded in silicon and cannot be updated, the flaw is considered unpatchable through software or firmware updates.
The root cause lies in how the DWC2 USB controller processes consecutive USB Setup packets. The controller maintains a buffer and adjusts the DMA pointer (DOEPDMA) as packets are received. However, while packet writes increase the pointer based on packet size, the reset operation always subtracts a fixed 24 bytes. This mismatch creates a buffer underflow condition, enabling attackers to manipulate DMA memory writes outside the intended buffer boundaries. On vulnerable A12 and A13 devices, the USB DART (IOMMU) is configured in bypass mode within SecureROM, removing a critical memory protection layer and allowing arbitrary SRAM corruption. Apple corrected this configuration beginning with A14 chips, preventing exploitation on newer hardware.
Exploitation varies between chip generations. On A12 and S4/S5 devices, attackers can corrupt a saved Link Register (LR) located near the USB DMA buffer, gaining control of program execution and deploying a Return-Oriented Programming (ROP) chain that achieves privileged code execution within SecureROM. On A13 devices, exploitation is more complex due to Pointer Authentication (PAC). Researchers bypassed these protections by manipulating DART heap metadata, disabling heap integrity checks, suppressing panic-triggered reboots, and redirecting execution through attacker-controlled function pointers. Once arbitrary EL1 code execution is achieved, the exploit installs a custom USB handler, modifies the device serial number with a “PWND” marker, restores damaged memory structures for stability, and even recreates SecureROM functionality in SRAM to maintain persistence through a ROM restart.
Successful exploitation effectively defeats Apple's Secure Boot architecture. The custom payload enables privileged operations such as SoC demotion and booting unsigned iBoot images, bypassing signature verification and granting full control over the boot process. Confirmed affected devices include the iPhone XS, iPhone XR, iPhone 11 series, iPad Pro (2018), and Apple Watch Series 4 and 5. Since the vulnerability resides in immutable hardware, there is no software-based remediation available. The only effective mitigation is migrating to devices powered by A14 or newer processors, which properly configure DART protections. While Apple's Secure Enclave Processor (SEP) remains a separate security boundary, researchers warn that the complete boot-chain compromise provided by usbliter8 could facilitate more advanced attacks against protected components in the future.
Impact
- Gain Access
Remediation
- Upgrade to Apple devices powered by A14, M1, or newer processors, as these chipsets are not vulnerable to the usbliter8 BootROM exploit.
- Replace affected devices, including iPhone XS, iPhone XR, iPhone 11 series, iPad Pro (2018), and Apple Watch Series 4/5, where security-sensitive operations are performed.
- Restrict and monitor physical access to vulnerable devices to prevent unauthorized USB-based exploitation.
- Avoid connecting affected devices to untrusted computers, charging stations, docking stations, or unknown USB accessories.
- Use only trusted and organization-approved USB peripherals and cables.
- Enable strong device passcodes and biometric authentication to reduce the risk of post-exploitation access.
- Keep iOS, iPadOS, watchOS, and macOS updated to the latest versions to benefit from additional security protections, even though the BootROM flaw itself cannot be patched.


