Researchers at Paradigm Shift have published the technical details of usbliter8, a new unpatchable iPhone BootROM vulnerability that enables arbitrary code execution on devices powered by Apple’s A12 and A13 chips. Here are the details.
How usbliter8 works
In a highly detailed technical post published today, the Paradigm Shift Team details usbliter8
The PS Team explains that ahead of today’s disclosure, it shared its findings and worked with Apple Product Security to coordinate the release. The researchers also thanked Apple’s security team for its “prompt response, constructive engagement, and cooperation throughout” the process.
In a nutshell, this bug affects the following Apple SoCs: A12, S4, S5, and A13. Although the authors only explicitly mention the iPhone in their write-up, these are the devices equipped with these SoCs:
A12: iPhone XR, iPhone XS/XS Max, iPad Air 3, iPad mini 5, iPad 8, and second-generation Apple TV 4K
S4: Apple Watch Series 4
S5: Apple Watch Series 5, first-generation Apple Watch SE, and HomePod mini
A13: iPhone 11/11 Pro/11 Pro Max, second-generation iPhone SE, iPad 9, and Studio Display
They add that “technical support for A12X/Z is possible,” but “it is not currently implemented.” That could add the 2018 and 2020 iPad Pro lineups to the list.
The way usbliter8
That gives an attacker with physical access to the device control over its startup process. From there, they can run their own code before iOS loads, bypass signature checks, and boot modified system software.
Importantly, the exploit does not affect or compromise the device’s Secure Enclave, which in practice means that data such as passcodes and encrypted user data remain secure.
That said, PS Team says that “although usbliter8
The PS Team explains that there are different methods for leveraging the exploit on A12, S4, S5, and A13 chips, with the A13 exploit being more intricate because its SecureROM uses Pointer Authentication, or PAC, a security feature designed to prevent attackers from redirecting code execution.
However, the researchers found a way around PAC by carefully corrupting several parts of memory in stages, eventually taking control of the USB interrupt handler and using it to run their own code.
What now?
Given that this is also an unpatchable exploit, the researchers note that “affected users should be aware that migrating to newer hardware remains the most effective mitigation.”
Interestingly, this exploit doesn’t affect the A11 or earlier chips, which are vulnerable to a separate unpatchable BootROM exploit known as checkm8.
After that exploit was discovered, it became the foundation for several jailbreak tools targeting older iPhones and iPads, so it is possible that the same might happen with the devices affected by usbliter8
In addition to the technical write-up, the researchers also published a proof-of-concept project on GitHub, which has amassed more than 280 stars in just a few hours.
Their write-up of the process is highly technical but a fascinating read. To learn more about usbliter8
(h/t Gui Rambo)