Apple Exploit Bypasses Boot Defenses, Impacts Millions of iPhones

A European cybersecurity research organization has revealed a novel BootROM vulnerability affecting a significant number of iPhones that cannot be mitigated through software updates.

Overview of the Vulnerability

The flaw, designated Usbliter8, exploits weaknesses in Apple’s SecureROM, a critical component embedded within the device’s system-on-chip (SoC). This foundational element of Apple’s secure boot process is the first code executed during device startup, forming the basis of the company’s security architecture.

Understanding the Usbliter8 Exploit

Usbliter8 leverages a combination of a USB controller vulnerability and a firmware configuration flaw. The attack requires physical USB access to the target device and is effective against iPhones equipped with A12 and A13 chips, including models such as the XS, XR, and 11, as well as Apple Watches with S4 and S5 chips. These affected components were introduced between 2018 and 2019.

Technical Details of the Exploit

The exploit involves connecting a specialized USB device, such as a Raspberry Pi Pico 2 microcontroller board, to the targeted iPhone. This device transmits customized USB setup packets, triggering an out-of-bounds write vulnerability. This allows an attacker to overwrite critical memory data, seize processor control, escalate privileges, and execute arbitrary code with full system access.

Because the flaw sits in the BootROM, Apple’s signature verification is bypassed at the lowest level of the boot chain, before the operating system loads. Attackers can then install unsigned firmware or lower the device’s security settings. The exploit does not, however, give direct access to user data.

Impact on Device Security

The researchers emphasized that Apple’s Secure Enclave Processor (SEP), which safeguards sensitive user information, is not directly compromised. Nevertheless, the vulnerability creates potential pathways to target the SEP. While remote exploitation is not feasible, the flaw holds significant value for forensic analysis.

Its impact parallels that of Checkm8, a 2019 BootROM exploit that rendered an entire generation of iPhones permanently vulnerable to jailbreaking.

Research and Disclosure

The research firm disclosed the findings to Apple prior to public release, but the company has not issued a public response. SecurityWeek has reached out to Apple for comment and will update the article if additional information is provided.

The researchers stated their intent to highlight the real-world implications of hardware-based vulnerabilities, advance understanding of BootROM security, and demonstrate that even recent SecureROM iterations remain susceptible to subtle design flaws.

Additional Cybersecurity Developments

Other cybersecurity developments include Cisco’s acquisition of WideField Security to enhance Splunk’s Agentic SOC, a recently disclosed vulnerability in Splunk Enterprise being exploited in attacks, and Accenture’s acquisition of a majority stake in Dragos. Additional updates cover ransomware targeting financial applications, enterprise software acquisitions, data breaches, and regulatory discussions on artificial intelligence.
