Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain

🚨 Security researchers at Paradigm Shift have unveiled a groundbreaking exploit known as usbliter8, which allows arbitrary code execution within the SecureROM of Apple’s A12 and A13 chips. This vulnerability is particularly concerning as the code is permanently embedded in the silicon during manufacturing, meaning no software update can rectify it. Affected devices will retain this flaw for their entire lifespan.

🔍 This exploit is not a remote attack; it necessitates physical access to the device, which must be in DFU mode and connected via USB to a specialized RP2350-based microcontroller board. The full technical write-up and proof of concept were released on June 18, 2026, after coordinated disclosure with Apple Product Security.

Affected Devices

The public proof of concept supports the following devices:

  • iPhone XS, XS Max, XR
  • iPhone 11, 11 Pro, 11 Pro Max
  • iPhone SE (2nd generation)
  • iPad Air (3rd gen), iPad mini (5th gen), iPad (8th gen)
  • Apple Watch Series 4 and 5
  • First-generation Apple Watch SE
  • HomePod mini

⚠️ Devices using A14 and later chips appear to be safe from this exploit. The root of the issue lies in a hardware flaw within the Synopsys DWC2 USB controller, which mishandles incoming USB Setup packets, leading to a repeatable buffer underflow.

Post-Exploitation

After exploiting the vulnerability, usbliter8 can inject a custom USB request handler and modify the device’s USB serial string to include PWND:[usbliter8]. This allows an attacker to temporarily downgrade the SoC’s production mode or boot an unsigned iBoot image, bypassing Apple’s chain of trust entirely. However, the research indicates that the Secure Enclave remains uncompromised.

🔒 Paradigm Shift warns that gaining BootROM-level control could open new avenues for attacks. This situation mirrors the checkm8 exploit from 2019, which permanently affected A5 through A11 devices.
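The one observable the post gives a defender is the modified USB serial string: an exploited device announces itself with a `PWND:[usbliter8]` tag in the serial-number descriptor it presents in DFU mode. The following Python is an added example for a device-custody check, not code from Paradigm Shift or the article. It assumes the usual layout of Apple's DFU serial string (space-separated `KEY:value` fields, with bracketed values for `SRTG` and `PWND`), and the CPID-to-chip mapping for A12 (0x8020) and A13 (0x8030) comes from public knowledge rather than from the post. The sample serial strings are constructed.

```python
import re

# Constructed sample DFU-mode USB serial strings (not taken from the article).
# A device in DFU mode reports its state as KEY:value fields in the USB
# serial-number string descriptor; an exploited device carries a PWND:[...] tag.
SAMPLE_SERIALS = [
    "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:000011223344AABB "
    "IBFL:3C SRTG:[iBoot-3865.0.0.4.7] PWND:[usbliter8]",
    "CPID:8030 CPRV:11 CPFM:03 SCEP:01 BDID:04 ECID:000055667788CCDD "
    "IBFL:3C SRTG:[iBoot-4479.0.0.100.4]",
    "CPID:8101 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:0000AABBCCDD0011 "
    "IBFL:3C SRTG:[iBoot-6723.0.0.100.7]",
]

# Assumed mapping from CPID to the chip families the article names as affected.
# The CPID values are public knowledge, not something the article states.
AFFECTED_CPIDS = {"8020": "A12", "8030": "A13"}

# KEY:value where value is either a [bracketed] token or a run of non-space chars.
FIELD_RE = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")


def parse_dfu_serial(serial):
    """Split a DFU serial string into a dict, stripping brackets from values."""
    fields = {}
    for key, value in FIELD_RE.findall(serial):
        fields[key] = value[1:-1] if value.startswith("[") else value
    return fields


def assess_device(serial):
    """Classify one device as compromised, vulnerable, or not-affected.

    'compromised' means a PWND tag is present right now (SecureROM exploit live).
    'vulnerable' means the chip is an affected family but no tag is visible.
    """
    f = parse_dfu_serial(serial)
    cpid = f.get("CPID", "")
    chip = AFFECTED_CPIDS.get(cpid)
    pwned = f.get("PWND")
    if pwned is not None:
        status = "compromised"
    elif chip is not None:
        status = "vulnerable"
    else:
        status = "not-affected"
    return {
        "ecid": f.get("ECID"),
        "cpid": cpid,
        "chip": chip,
        "pwned_tag": pwned,
        "status": status,
    }


def triage(serials):
    """Return only the devices that need custody action, keyed by ECID."""
    return {
        r["ecid"]: r
        for r in (assess_device(s) for s in serials)
        if r["status"] != "not-affected"
    }


if __name__ == "__main__":
    for ecid, result in triage(SAMPLE_SERIALS).items():
        print(ecid, result["chip"], result["status"], result["pwned_tag"])
```

The check is point-in-time: SecureROM is read-only, so the injected handler and the `PWND` tag exist only for the current boot session and vanish on reboot. A clean serial string therefore says nothing about whether the device was exploited earlier; for affected chips the `vulnerable` status is the one that drives the retirement decision in the next section.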

Risk Assessment

As of June 19, 2026, no CVE, CVSS score, or Apple security advisory has been issued, and no public reports of exploitation have surfaced. For most users, the risk remains low; however, for high-security environments, this presents a significant hardware-retirement and device-custody challenge. It is crucial to manage devices running affected chips carefully and prioritize upgrades to A14 or newer models.

This post is licensed under CC BY 4.0 by the author.