Irreparable security flaw exposes iPhones XS and 11 to permanent vulnerability due to hardware bug

A serious security vulnerability that Apple is unable to fix affects all iPhone XS and iPhone 11 models. The problem, disclosed today by the security company Paradigm Shift, is a flaw called “usbliter8” that specifically affects devices equipped with the technology giant’s A12 and A13 chips.

The proof-of-concept exploit presented by Paradigm Shift shows that this flaw resembles the well-known “checkm8” exploit, which continues to affect devices ranging from the iPhone 4S to the iPhone X. The persistence of hardware vulnerabilities raises concerns about how long security can be maintained on some older models.

The new flaw exploits a weakness in the USB controller built into the A12 and A13 chips. Specially crafted USB packets can manipulate a marker in the hardware, opening the way for data to be written to unprotected areas of memory and even for a malicious driver to be installed that compromises the system’s security.

Understand why the usbliter8 flaw cannot be fixed by Apple

This vulnerability cannot be fixed because the exploit targets the BootROM (or SecureROM), the first code the iPhone executes when it is turned on. This code is burned directly into the chip during manufacturing and, by its nature, cannot be changed or updated through software, which makes the flaw permanent.

This means that the usbliter8 flaw may never be completely eliminated, and the following iPhone models will remain vulnerable indefinitely:

  • Apple iPhone XS (70.9 x 143.6 x 7.7 mm – 5.8 inches – 2436×1125 px)
  • Apple iPhone XS Max (77.4 x 157.5 x 7.7 mm – 6.5 inches – 2688×1242 px)
  • Apple iPhone 11 (75.7 x 150.9 x 8.3 mm – 6.1 inches – 1792×828 px)
  • Apple iPhone 11 Pro (71.4 x 144 x 8.1 mm – 5.8 inches – 2436×1125 px)
  • Apple iPhone 11 Pro Max (77.8 x 158 x 8.1 mm – 6.5 inches – 2688×1242 px)

Despite the bad news for these models, the good news is that iPhones equipped with the A14 chip are immune to this exploit. On these devices, the USB driver is designed to reset the marker after each boot packet, a security measure missing on the A12 and A13 chips, which leaves the configuration vulnerable.

Although the A12 and A13 chips share the same fundamental bug, Paradigm Shift clarifies that the A13 offers slightly greater resistance. Exploiting the A13 requires additional steps to bypass Pointer Authentication Codes (PAC), a feature that detects and blocks memory tampering, but PAC does not completely prevent the attack.

Once the exploit manages to penetrate the system, it temporarily lowers the device’s security settings. This allows unauthorized software to run without the usual checks, opening the door for the installation of spyware and malware. The presence of the same “PWND” sequence used in the checkm8 exploit serves as a clear sign that the device has been compromised.
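A defender-side check for the marker the article mentions, as an added example that is not part of the original article or of Paradigm Shift’s tooling: it parses the USB serial-number string a device exposes in DFU mode, flags the PWND field, and maps the CPID field to the chip family. The field layout and the CPID-to-chip lookup are assumptions drawn from public checkm8 tooling output, and the sample strings below are constructed.

```python
import re
from typing import Dict, Optional

# Assumed layout: a DFU-mode USB serial string is a run of space-separated
# KEY:VALUE fields, with bracketed values for free text such as SRTG and PWND.
FIELD_RE = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")

# Assumed lookup table (SoC CPID -> chip family), taken from public DFU tooling.
CPID_TO_CHIP = {"8020": "A12", "8030": "A13", "8101": "A14"}
# Per the article: BootROM flaw on A12/A13 cannot be patched; A14 is immune.
UNFIXABLE = {"A12", "A13"}


def parse_dfu_serial(serial: str) -> Dict[str, str]:
    """Split 'CPID:8020 SRTG:[iBoot-x] PWND:[y]' into a dict; brackets are stripped."""
    return {key: value.strip("[]") for key, value in FIELD_RE.findall(serial)}


def assess(serial: str) -> Dict[str, Optional[str]]:
    """Classify a device: compromised (PWND marker present), exposed, immune or unknown."""
    fields = parse_dfu_serial(serial)
    chip = CPID_TO_CHIP.get(fields.get("CPID", "").upper())
    marker = fields.get("PWND")          # checkm8-style exploits leave this field behind
    if marker is not None:
        verdict = "compromised"          # BootROM exploit already ran on this boot
    elif chip in UNFIXABLE:
        verdict = "exposed"              # not currently pwned, but never patchable
    elif chip is not None:
        verdict = "immune"
    else:
        verdict = "unknown"
    return {"chip": chip, "pwned_marker": marker, "verdict": verdict}


# Constructed sample strings (not real device output).
SAMPLES = [
    "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0E ECID:00000000DEADBEEF IBFL:3C SRTG:[iBoot-sample]",
    "CPID:8030 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:00000000CAFEF00D IBFL:3C SRTG:[iBoot-sample] PWND:[checkm8]",
    "CPID:8101 CPRV:10 CPFM:03 SCEP:01 BDID:0C ECID:0000000012345678 IBFL:3C SRTG:[iBoot-sample]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```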

Paradigm Shift acted responsibly, informing Apple Product Security about the flaw before its public disclosure. Both parties worked together to coordinate the warning to users about this critical vulnerability.
