Researchers say the vulnerability has been disclosed to Apple before publication, and the proof-of-concept code is publicly available.
Apple's 10th and 11th generation iPhones are said to be affected
Security researchers have published the proof-of-concept exploit, dubbed "usbliter8", which targets a vulnerability in Apple's BootROM component of iPhone, the unalterable code that runs before iOS starts loading. Since BootROM is permanently etched into a chip during the manufacturing process, researchers claimed that vulnerabilities discovered at this level cannot be fixed through software updates. The newly disclosed exploit is said to affect devices ranging from the iPhone XS lineup to the iPhone 11 series, along with several iPad models powered by the A12 and A13 SoCs.
According to a report published by European cybersecurity research firm Paradigm Shift, the usbliter8 exploit targets a flaw in the USB controller integrated into Apple's A12 and A13 chips. The vulnerability is claimed to be significant since it exists at the BootROM level, the earliest stage of the device's boot process.
During an iPhone's startup, the USB controller usually stores incoming data in memory buffers. Researchers said they discovered a way to manipulate how the controller manages those buffers by injecting a specially crafted sequence of unusually small USB packets during startup. This causes memory corruption at a very low level of the system.
While the internal memory pointer inside the USB controller is only intended to move forward, they were able to move it backwards as well, which allowed data to be written to the protected regions of the memory. The process of gaining control of the processor is claimed to be relatively straightforward, especially on A12-powered devices, once the vulnerability is triggered.
On the other hand, A13-powered models were reportedly more complex due to Apple's introduction of Pointer Authentication Codes (PAC). It is, notably, a hardware security feature that is designed to detect unauthorised memory modifications. Thus, on such devices, bypassing PAC required a multi-stage exploitation process, and code could be executed.
Once successful, however, the exploit is claimed to be capable of lowering certain security restrictions and booting unsigned software that would normally fail Apple's verification checks.
The exploit is said to be a hardware-level flaw, originating from the USB controller hardware itself rather than being a software flaw. Researchers hence claim that such BootROM flaws cannot be patched through iOS updates, and shifting to newer hardware is the most effective solution for users with affected devices.
Researchers said they reported the vulnerability to Apple before publication and coordinated disclosure with the company. The proof-of-concept code has now been released publicly. However, it's worth noting that it requires physical access to the device to exploit, does not affect Secure Enclave, and it is not a complete jailbreak at present.
The exploit affects devices based on Apple's A12 and A13 chipsets, as well as certain Apple Watch models using related silicon. The affected models include the following devices:
Additionally, several iPad models powered by the A12-series processors are also said to be vulnerable, including those based on A12, A12X, A12Z, and A13 platforms. However, the cybersecurity firm's proof-of-concept only focuses on A12 and A13-powered devices. The company also confirmed support for Apple's S4 and S5 chips used in older Apple Watch models.
What's interesting is that the A11 chip inside the iPhone X is not affected. This is due to the Cupertino-based tech giant's implementation of an additional USB pointer reset mechanism in its BootROM. Further, newer Apple devices powered by the A14 and later processors also remain protected against the exploit, since correct memory-protection mechanisms were said to have been enabled by Apple at the BootROM level.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.