
Unpatchable usbliter8 locks A12 and A13 users

unpatchable usbliter8 – A SecureROM exploit called usbliter8 has been disclosed for Apple devices powered by A12 and A13 chips. Security researchers say it can achieve code execution in DFU mode before iOS, iPadOS, or watchOS even begins to load—yet it can’t be fixed by software upda

The first warning comes in the least comforting place possible: before iPhone software starts, when SecureROM is still the one in charge.

On June 18, security firm Paradigm Shift disclosed an unpatchable SecureROM exploit called usbliter8 for Apple devices powered by the A12 and A13 chips. The exploit extends public BootROM exploitation beyond the devices affected by checkm8, the earlier SecureROM-adjacent breakthrough that targeted older Apple hardware.

usbliter8 targets Apple’s USB boot process. It achieves code execution through a flaw in that process, working specifically through Device Firmware Update mode—better known as DFU mode. Researchers say that when exploitation succeeds, they gain control before iOS even starts loading. The exploit also enables boot-chain compromise and custom USB request handling.

The list of affected devices is wide, covering some familiar names across iPhone, iPad, and Apple Watch:

It includes the iPhone XS, iPhone XS Max, iPhone XR, and the iPhone 11 lineup—iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max. Also affected are iPhone SE (2nd generation) and iPad models including the 11-inch iPad Pro (1st generation and 2nd generation), the 12.9-inch iPad Pro (3rd generation and 4th generation), iPad (8th generation), iPad Air (3rd generation), and iPad mini (5th generation). Apple Watch devices powered by S4 and S5 chips are also in scope, including Apple Watch Series 4 and Apple Watch Series 5.

At the center of the concern is where the vulnerability lives. Paradigm Shift’s reporting is treated as serious because the flaw exists in SecureROM—the first code that runs when an iPhone starts up. SecureROM verifies Apple’s software before the rest of the operating system loads and serves as the foundation of the device’s security model.

That design choice is exactly what makes the problem hard to fix. SecureROM code is built into the chip itself and can’t be replaced after manufacturing. Apple can patch flaws in iOS, iPadOS, and watchOS through software updates, but the usbliter8 flaw the researchers described wouldn’t be corrected by those updates because the vulnerable code isn’t something iOS can swap out.

In practical terms, affected devices remain vulnerable unless users replace them with newer hardware.

The exploit’s reach is also specific enough to explain why it’s not a universal panic—yet still a nightmare for long-term security. usbliter8 doesn’t give attackers unrestricted access to user data, because Apple’s Secure Enclave Processor remains separate from the vulnerability and provides an additional security boundary. But the researchers say the SecureROM-level access could still expand the range of attacks available against other parts of Apple’s platform, even if it doesn’t directly compromise the Secure Enclave.

The conditions for using usbliter8 are rigid, too. Researchers must have physical access to a device and use USB connectivity and DFU mode to carry out the attack.

Researchers also describe how the exploit can overwrite corrupted memory and then use “correct register values” to recover control. They say the exploit could boot modified iPhone software that wouldn’t normally be allowed to run.

Not every Apple device is caught in this net. usbliter8 doesn’t affect A14 chips or newer generations because later versions of SecureROM appear to configure hardware protections differently. A11-based devices also avoided the vulnerability because their USB driver resets memory addresses in a way that prevents the attack.

The disclosure immediately draws a line back to checkm8. Like checkm8, usbliter8 targets the earliest stages of Apple’s boot process. Like checkm8, it also can’t be fully fixed through software updates. Checkm8 affected Apple devices powered by A5 through A11 chips, and it became one of the most influential iPhone exploits because it targeted immutable BootROM code.

Apple hasn’t faced a public BootROM exploit affecting A12 and A13 devices since checkm8 targeted earlier hardware generations. With usbliter8, that gap has narrowed—again, in a way that matters precisely because it hits the startup foundation that can’t be patched away.

Paradigm Shift says it disclosed the findings to Apple Product Security before publication and coordinated the release with Apple. Apple had not publicly commented on the research at the time of publication.

For most users, the risk remains constrained by the threat model. The practical risk from usbliter8 stays limited because the exploit requires physical access and USB DFU mode—conditions unlikely to match normal day-to-day use.

Still, the advice that follows is blunt: installing security updates, using a strong passcode, and avoiding unattended devices won’t patch the SecureROM vulnerability itself. Those steps may make it harder for an attacker to get close enough in the first place.

For long-term protection, the clearest path in the reporting is hardware. Users concerned about long-term exposure can reduce their risk by upgrading to hardware powered by Apple’s A14 chip or newer. The exploit described in the research does not affect those devices.

4 Comments

  1. DFU mode sounds like something you do to jailbreak right? If hackers can run code before iOS even loads then I don’t even know what Apple is supposed to do…

  2. Wait it says unpatchable but then also mentions “software upda” like what, are they just cutting it off halfway? If it’s USB related, just don’t plug your phone into random computers and you’re good right?

  3. Apple really said “SecureROM” like that’s comforting lol. If this affects A12/A13, why would they even call it a fixable problem if it’s in the first code that runs? Also my brother has a Series 5 watch so now I’m paranoid he’ll get hacked from like… charging cables? makes no sense.
