Apple chip flaw exposes older devices to boot attacks

Apple devices powered by A12 and A13 chips face a new hardware-level security risk after researchers disclosed an unpatchable BootROM exploit that can break the early boot chain on several older iPhone, iPad and Apple Watch models.

The exploit, named usbliter8, targets SecureROM, the immutable code that runs before the operating system loads. Because that code is burned into the chip during manufacturing, the underlying weakness cannot be removed through an iOS, iPadOS or watchOS update. The disclosure has sharpened attention on the long-term security limits of ageing mobile hardware, particularly devices that remain widely used in corporate fleets, second-hand markets and high-risk personal environments.

The affected platforms include Apple’s A12 and A13 systems-on-chip, used in devices such as the iPhone XS, iPhone XR, iPhone 11 line and several iPad models, as well as related S4 and S5 chips used in Apple Watch Series 4, Apple Watch Series 5, the first-generation Apple Watch SE and HomePod mini. A12X and A12Z variants may be technically close to the vulnerable class, though public exploit support has not been established in the same way.

The attack is not a remote compromise. It requires physical possession of the device, access to Device Firmware Update mode and specialised USB equipment, with researchers demonstrating the technique using a microcontroller-based setup. That limits the threat for ordinary users facing typical online attacks, but it raises concern for stolen, seized or targeted devices where an attacker can handle the hardware for a sustained period.

At the centre of the issue is a weakness in the way the USB controller handles memory during DFU operations. The exploit chain combines a hardware flaw in the Synopsys DesignWare USB 2 controller with a firmware configuration weakness linked to Apple’s Data Address Resolution Table, or DART, a component used to manage direct memory access. On A12 and A13 SecureROMs, the DART configuration allowed USB-driven DMA behaviour to overwrite protected SRAM areas and interfere with the application processor boot chain.

The distinction with older and newer Apple chips is significant. A11-era devices are not affected in the same manner because the USB driver restores DMA addresses after packets, limiting the relevant overwrite path. A14 and later platforms appear to configure DART more securely, making the same practical exploitation route far harder. That leaves A12 and A13 generations exposed to a class of attack that sits beneath the software layer Apple can normally update.

Once successful, the exploit can achieve code execution inside SecureROM and modify DFU behaviour. Researchers said the technique can inject custom USB handlers, bypass parts of the normal trust chain and boot unsigned iBoot images. On A12 and S4/S5 hardware, the path involved overwriting control-flow data near the USB DMA buffer. On A13, where Pointer Authentication Codes complicate direct stack corruption, the attack required a more complex sequence involving heap manipulation and interrupt-handling structures.

The finding extends the lineage of public Apple BootROM research beyond checkm8, the widely known exploit affecting devices up to A11. Checkm8 reshaped the jailbreak and forensic-access landscape because it operated before the operating system and could not be fully patched on affected hardware. Usbliter8 does not immediately create the same broad consumer risk, but it shows that later SecureROM generations remain vulnerable to deeply technical attacks when hardware behaviour and early-boot configuration align.

Apple was notified before publication, and the disclosure indicates engagement with the company’s product security team. No broad emergency patch is expected because the vulnerable code is not writable after manufacture. Software updates may still reduce some downstream abuse or harden later stages of the boot process, but they cannot erase the SecureROM condition itself.

The practical mitigation is therefore device management rather than a conventional patch. Users handling sensitive information are being urged to avoid leaving affected devices unattended, disable unnecessary physical access, keep passcodes strong and consider moving to A14-or-newer hardware where the disclosed exploit path is not known to apply. Organisations with high-risk staff may need to reassess older iPhone and Apple Watch deployments, especially in roles involving confidential communications, field reporting, legal work, finance or political activity.