Security researchers at Paradigm Shift have published a detailed technical analysis of a previously undetected hardware flaw in the boot firmware (BootROM), which has become known as usbliter8. The attack relies on fundamental flaws in the architecture of the silicon itself and makes it possible to run arbitrary code on Apple devices powered by the A12 and A13 processors.
The root cause is a defect in the USB controller which, under a specific software configuration, allows data to be written outside the defined memory bounds. As 9to5Mac reports, the exploit requires physical access to the device: it must be placed into DFU mode and then sent targeted data packets.
Although the method gives full control over the initial stage of system startup and bypasses cryptographic signature checks, it does not directly breach the fully isolated Secure Enclave coprocessor. Personal user data and passwords therefore remain out of immediate danger, although the researchers warn that the vulnerability makes future research into compromising the Secure Enclave easier. The affected hardware platforms include the A12, S4, S5 and A13 chips, which are used in the iPhone XR, XS and 11, several generations of the Apple Watch, the HomePod mini, the Studio Display, and the base iPad models.
The A13 was the most serious obstacle for the researchers because of its Pointer Authentication (PAC) technology, whose main role is to stop unauthorized redirection of code execution. In the end they defeated this barrier through controlled memory corruption, which let them take over the USB interrupt handler.
Because the defect in the listed chips is embedded in the hardware and cannot be corrected in software, the only long-term remedy, according to experts, is to move to devices with more modern hardware. It is also noted that it is only a matter of time before a similar variant is developed for the A12X and A12Z chips used in the 2018 and 2020 iPad Pro tablets.
The new vulnerability does not affect the A11 and earlier chips, which were affected by a similar hardware exploit known as checkm8. Proof-of-concept code for the new attack has already been published on GitHub, where it quickly drew serious interest from the community, and it is expected to serve as the basis for new jailbreak tools for the affected models.
Before publishing the report, the Paradigm Shift team coordinated with Apple's security team, and it thanked the company for its rapid communication and its assistance in analyzing the attack method.