Vulnerabilities | Jun 22, 2026

New Exploit Bypasses Apple’s Boot Defenses, Affects Millions of iPhones

New Usbliter8 exploit bypasses Apple's boot defenses on millions of iPhones and Apple Watches.

Summary

A new BootROM exploit called Usbliter8 has been disclosed by Paradigm Shift, affecting iPhones with A12 and A13 chips and Apple Watches with S4 and S5 chips. The exploit bypasses Apple's SecureROM, the foundational code for the secure boot chain, by chaining a USB controller bug and a firmware configuration weakness. While it requires physical USB access and cannot directly access user data, it allows for full code execution before the OS loads and could potentially compromise the Secure Enclave.

Full text

European cybersecurity research firm Paradigm Shift has disclosed details of a new BootROM exploit that affects millions of iPhones and cannot be patched with a software update.

Dubbed Usbliter8, the exploit targets Apple’s SecureROM. Baked permanently into the device’s SoC, SecureROM is the first code an iPhone runs on startup and the foundation of Apple’s entire secure boot chain.

Usbliter8 chains a USB controller bug and a device firmware configuration weakness. The exploit, which requires physical USB access to the targeted device, works against iPhones with A12 and A13 chips — including iPhone XS, XR, and 11 — and Apple Watches with S4 and S5 chips. It’s worth noting that the affected chips were released in 2018 and 2019.

Conducting a Usbliter8 attack involves the attacker connecting a special USB device (e.g., Raspberry Pi Pico 2 or similar microcontroller board) to the targeted iPhone and sending it crafted USB setup packets. The attack triggers an out-of-bounds write, allowing the attacker to overwrite critical data in memory and ultimately take control of the processor, escalate privileges, and execute arbitrary code with full system privileges.

Apple’s signature checks are bypassed, allowing a hacker to achieve full code execution at the device’s lowest level before the OS ever loads. The attacker can load unsigned firmware or lower the device’s security level.

However, the exploit cannot directly be used to access user data. The researchers noted in their disclosure that Apple’s Secure Enclave Processor (SEP), a separate security processor that protects user data, is not directly compromised by the exploit.

“Although usbliter8 doesn’t affect SEP itself, it opens up wider attack vectors to compromise the Secure Enclave,” Paradigm Shift researchers explained.

While an attack cannot be launched remotely, such an exploit could be highly useful to forensics vendors.

The impact of Usbliter8 is similar to that of Checkm8, the 2019 BootROM exploit that left an entire generation of iPhones permanently vulnerable to jailbreak.

Paradigm Shift said it reported the findings to Apple before disclosure, but the tech giant has not publicly responded to the research. SecurityWeek has contacted Apple for comment and will update this article if the company responds.

The security firm has released PoC code for the Usbliter8 exploit.

“By publishing this research and the accompanying proof of concept, we aim to document the real-world impact of this class of hardware vulnerabilities, contribute to the broader understanding of modern BootROM security, and demonstrate that even recent SecureROM generations remain susceptible to subtle hardware flaws,” the company’s researchers noted.

Written By Eduard Kovacs (@EduardKovacs), senior managing editor at SecurityWeek.

Indicators of Compromise

  • malware — Usbliter8
  • mitre_attack — T1059.003
  • mitre_attack — T1547.001

Entities

  • iPhone XS (product)
  • iPhone XR (product)
  • iPhone 11 (product)
  • Apple Watch S4 (product)
  • Apple Watch S5 (product)
  • Apple (vendor)