A new security flaw, considered uncorrectable, was revealed by researchers and affects several Apple devices equipped with A12 and A13 chips. The vulnerability, called usbliter8, allows unauthorized code to be executed directly in the devices’ BootROM.
How usbliter8 compromises device security
Technical details about usbliter8 were published today by the Paradigm Shift team in an in-depth statement. The vulnerability takes advantage of a hardware flaw in the USB controller and a specific configuration in the device’s firmware, making it permanent.
The Paradigm Shift team reported that, before making their findings public, they actively collaborated with Apple’s Product Security team. The researchers also expressed gratitude for Apple’s quick response, constructive engagement, and cooperation throughout the outreach coordination process.
In short, the flaw directly affects the following Apple System-on-Chips (SoCs): A12, S4, S5 and A13. Although the authors’ text explicitly mentions only the iPhone, several other devices use these components.
The list of devices equipped with vulnerable SoCs includes the iPhone XR, iPhone XS/XS Max, iPad Air 3, iPad mini 5, iPad 8 and the second generation Apple TV 4K (with A12 chip). The Apple Watch Series 4 uses the S4, while the Apple Watch Series 5, the first-generation Apple Watch SE and the HomePod mini are equipped with the S5. Finally, the devices with the A13 chip are the iPhone 11/11 Pro/11 Pro Max, the second generation iPhone SE, the iPad 9 and the Studio Display.
The researchers add that technical support for the A12X/Z chips is theoretically possible, although not yet implemented. If this occurs, the 2018 and 2020 iPad Pro lines could be included in the list of affected devices.
usbliter8’s method of operation involves sending specifically formatted data to the device via USB while it is in DFU (Device Firmware Update) mode. This action confuses the USB controller, causing it to write data to an incorrect area of memory.
This procedure gives the attacker, who needs physical access to the device, control over the boot process. This makes it possible to run your own code even before the iOS operating system is loaded, bypass signature checks and thus launch modified system software.
It is essential to note that the exploited vulnerability does not directly compromise the device’s Secure Enclave, which means that sensitive information such as passwords and encrypted user data remain protected. However, it is important to note that the vulnerability opens the door to future attacks that could exploit this security layer.
The Paradigm Shift team states that while usbliter8 does not affect the Secure Enclave itself, it “opens up broader attack vectors for compromising the Secure Enclave.” The public disclosure of this vulnerability, they say, aims to highlight the real impact of hardware failures and contribute to a deeper understanding of modern SecureROM security.
PS Team experts explain that there are several approaches to exploiting the vulnerability in the A12, S4, S5 and A13 chips. Exploiting the A13 chip, however, is more challenging, as its SecureROM employs Pointer Authentication (PAC), a security feature designed to prevent attackers from redirecting code execution.
Despite the PAC’s protection, researchers discovered a way to bypass it by carefully corrupting multiple sections of memory in stages. Eventually, they managed to take control of the USB interrupt handler, using it to execute their own code.
What Apple device users can do when faced with the failure
Considering this vulnerability is intrinsic and cannot be fixed by software updates, the researchers advise that “affected users should consider that migrating to newer hardware remains the most effective solution.” This is because a BootROM failure is permanent and cannot be corrected via software.
Interestingly, this vulnerability in question does not affect A11 chips or earlier. These older chips, in turn, are susceptible to another irreparable security flaw in BootROM known as checkm8. This comparison highlights the persistence of hardware vulnerabilities across different generations of Apple products.
After the discovery of the checkm8 flaw, it served as the basis for the development of several jailbreak tools aimed at older iPhones and iPads. With the revelation of usbliter8, it is likely that a similar scenario will be repeated for devices affected by this new vulnerability.
In addition to the detailed technical description, the researchers also made a proof-of-concept project available on GitHub. The repository accumulated more than 280 stars within hours of its publication, demonstrating the community’s interest.
The full explanation of the process is quite technical, but offers eye-opening reading for those interested. To delve deeper into the working of usbliter8, the original link with details is available.