HackMyIP
2026-06-19 The Hacker News

Unpatchable usbliter8 Exploit Breaks Apple A12 and A13 SecureROM

Vulnerability, Zero-Day

Security researchers at Paradigm Shift have published a working exploit, dubbed usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 SoCs. Because SecureROM is burned into the silicon at manufacture, no software update can ever reach it, meaning affected devices will carry the flaw for their entire service life. The attack requires physical possession of the device, which must be placed in DFU mode and connected via USB to a dedicated RP2350-based microcontroller board. With that setup, the exploit completes in under two seconds, before Apple's signed boot chain even loads. A full technical write-up and proof-of-concept went public on June 18, 2026, following coordinated disclosure with Apple Product Security.

The public PoC supports the A12, A13, S4, and S5 chipsets, with A12X and A12Z theoretically reachable but not yet implemented. Affected device families include the iPhone XS, XS Max, and XR; the iPhone 11, 11 Pro, and 11 Pro Max; the iPhone SE (2nd generation); the iPad Air 3rd gen, iPad mini 5th gen, and iPad 8th gen; Apple Watch Series 4, 5, and the first-generation Apple Watch SE; the HomePod mini; and other Apple products built on those SoCs. The root cause is a hardware flaw in the Synopsys DWC2 USB controller. It stores incoming USB Setup packets in memory via DMA, buffers up to three, then rewinds its write pointer on the fourth by decrementing it by a fixed 24 bytes. It also accepts shorter-than-standard Setup packets, advancing the pointer only by the number of bytes actually written. Because the rewind is fixed while the advance is not, each cycle of short packets leaves the pointer below where it started; the mismatch accumulates into a repeatable buffer underflow, stepping the DMA write pointer 12 bytes at a time backward through memory.

What makes this exploitable on A12 and A13 is how Apple configures the USB DART (Device Address Resolution Table, the chip's IOMMU) inside SecureROM. On affected hardware, it runs in bypass mode, so the underflowing DMA pointer can reach and overwrite arbitrary SRAM. A11 sidesteps the issue because its USB driver manually resets the DMA address after every packet, so the mismatch never accumulates. A14 and later appear to configure DART correctly, which Paradigm Shift says makes the vulnerability unexploitable on newer hardware. On A12, the DMA buffer sits adjacent to the USB task's stack on the heap, so overwriting a saved link register hands the attacker direct PC control on the next context switch. A13 is harder because Pointer Authentication (PAC) protects stack-stored return addresses, but the researchers bypassed it in stages: corrupting DART-related heap structures to create limited write primitives, overwriting the panic depth counter to keep the chip looping on errors instead of rebooting, and carefully timing DMA writes to avoid clobbering the USB task's saved registers before finally overwriting the USB interrupt handler pointer.
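To make the pointer arithmetic described above concrete, here is a small Python model added for this article (it is not code from the researchers' PoC or from Apple). It compares the controller behaviour as described, the A11-style driver that resets the DMA address after every packet, and a DART that enforces buffer bounds; the buffer address, the 4-byte short-packet length and the exact counter semantics are assumptions.

```python
# Model of the DMA write-pointer behaviour described in the article.
# Assumptions (not from the article): the controller's slot counter resets
# after every third packet, and the fixed 24-byte rewind happens before the
# fourth packet is written. A standard USB Setup packet is 8 bytes long.
BUF_BASE = 0x1000                # constructed SRAM address of the 3-slot buffer
SLOTS = 3
SETUP_LEN = 8                    # bytes in a standard Setup packet
RESET_STEP = SLOTS * SETUP_LEN   # the fixed 24-byte decrement

def simulate(packet_lens, reset_after_every_packet=False, dart_bounds=None):
    """Return the list of (address, length) DMA writes for a packet sequence.

    packet_lens: lengths of incoming Setup packets (8 = standard, <8 = short).
    reset_after_every_packet: the A11-style per-packet address reset.
    dart_bounds: (lo, hi) window a correctly configured IOMMU would enforce;
                 None models DART bypass mode. Raises ValueError on a fault.
    """
    ptr, count, writes = BUF_BASE, 0, []
    for n in packet_lens:
        if count == SLOTS:               # fourth packet: fixed rewind
            ptr -= RESET_STEP
            count = 0
        if dart_bounds is not None:
            lo, hi = dart_bounds
            if ptr < lo or ptr + n > hi:
                raise ValueError(f"DART fault: {n}-byte write at {ptr:#x}")
        writes.append((ptr, n))
        ptr += n                         # advances only by bytes written
        count += 1
        if reset_after_every_packet:     # A11 driver behaviour
            ptr, count = BUF_BASE, 0
    return writes

def lowest_address(packet_lens, **kw):
    """Lowest address the DMA engine writes to for this sequence."""
    return min(addr for addr, _ in simulate(packet_lens, **kw))

def dart_faults(packet_lens, bounds):
    """True if a bounds-enforcing DART would block the sequence."""
    try:
        simulate(packet_lens, dart_bounds=bounds)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print("standard packets, lowest write:", hex(lowest_address([8] * 9)))
    print("4-byte packets, lowest write:  ", hex(lowest_address([4] * 9)))
    print("4-byte packets, A11 reset:     ",
          hex(lowest_address([4] * 9, reset_after_every_packet=True)))
```

With full-length packets the pointer never leaves the buffer; with 4-byte packets each three-packet cycle lands 12 bytes lower, and only the per-packet reset or a bounds-enforcing DART stops the drift.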

For most users, the threat is limited. usbliter8 is not remotely exploitable and demands hands-on access plus specialized hardware, conditions that place it firmly in the category of nation-state, law enforcement, or forensic-lab tooling rather than commodity malware. Organizations whose high-value users rely on A12/A13-based iPhones, iPads, or Apple Watches should consider replacing those devices or, at minimum, keeping them physically secured.

Source: The Hacker News →
