Unpatchable BootROM flaw affects Apple A12/A13 iPhones

vulnerability | open | Jun 22, 2026 — Jun 22, 2026

Researchers from Paradigm Shift have disclosed a new BootROM exploit called Usbliter8 that affects iPhone and Apple Watch models equipped with the A12 or A13 processor, according to a report by SecurityWeek. The flaw requires an attacker to have physical USB access and to put the targeted device into DFU mode, after which arbitrary code can run before the operating system loads, although the Secure Enclave Processor continues to protect data at rest. Because the vulnerability resides in the immutable BootROM, Apple cannot issue a software patch to fix it, so the only reliable mitigation is to prevent unauthorised USB connections.

Usbliter8 takes advantage of a bug in the Synopsys DWC2 USB controller combined with a misconfiguration in the firmware that Apple uses during the early boot stage. By sending a specially crafted USB packet while the device is in recovery mode, an attacker can gain execution control at the BootROM level, essentially replicating the technique used by the earlier Checkm8 jailbreak. Although no formal CVSS score has been assigned because the issue is hardware-based and depends on direct access, security researchers rate the potential impact as high for any device that can be physically tampered with.

All iPhone models that use the A12 Bionic chip, namely the iPhone XS, XS Max, XR and the 2019 iPhone 11 series, as well as the A13 Bionic devices such as the iPhone 11 Pro, 11 Pro Max and the 2020 iPhone SE, are vulnerable. The same BootROM code is present in Apple Watch Series 4, Series 5 and the SE, meaning those wearables can also be forced into DFU mode via the exploit when connected to a malicious USB host. With millions of these devices still active in consumer and enterprise fleets, the installed base presents a sizable target for anyone who can momentarily gain physical control of the hardware.

To date there is no public evidence that Usbliter8 has been exploited in the wild or linked to any specific threat actor, but its disclosure highlights the risks posed by physical access in environments where devices are frequently left unattended. Organisations that allow employees to connect iPhones to unknown USB chargers or docking stations may unintentionally create a vector for code execution before the operating system even starts. The situation echoes the Checkm8 era, reminding defenders that hardware‑level flaws can persist for the lifetime of a device and therefore demand ongoing vigilance.

Security teams should enforce strict policies that prohibit attaching untrusted USB peripherals to locked iPhones and consider disabling USB data mode when the device is protected by a passcode. Mobile device management solutions can be configured to require a user authentication prompt before any USB data connection is allowed, thereby reducing the chance of a covert DFU entry. In parallel, accelerating hardware refresh cycles to replace A12/A13 devices with newer models that use a different BootROM layout can eliminate the risk over the long term.

Monitoring system logs for frequent DFU mode entries, unexpected reboot cycles, or unusual USB activity can help security analysts spot attempted
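The monitoring idea above can be applied on the USB host side (managed workstations, charging kiosks), as in this added example, which is not from the original report. It assumes Linux kernel attach lines in syslog format and Apple's USB IDs for DFU (05ac:1227) and Recovery (05ac:1281), which the article does not state; the threshold, window, year default and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption (not from the article): Apple's USB vendor ID and boot-mode product IDs.
APPLE_VID = "05ac"
BOOT_MODES = {"1227": "DFU", "1281": "Recovery"}
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:.*"
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)

def parse_events(lines, year=2026):
    """Yield (timestamp, host, mode) for Apple devices seen in DFU or Recovery mode."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["vid"] != APPLE_VID or m["pid"] not in BOOT_MODES:
            continue  # not a USB attach line, not Apple, or a normal iOS-mode attach
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], BOOT_MODES[m["pid"]]

def frequent_dfu_hosts(lines, threshold=2, window=timedelta(minutes=10)):
    """Return {host: max DFU attaches inside any one window} where max >= threshold."""
    per_host = defaultdict(list)
    for ts, host, mode in parse_events(lines):
        if mode == "DFU":
            per_host[host].append(ts)
    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged

# Constructed sample syslog lines (hostnames, ports and timestamps are invented).
SAMPLE = [
    "Jun 22 10:14:03 kiosk-01 kernel: usb 1-2: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00",
    "Jun 22 10:16:40 kiosk-01 kernel: usb 1-2: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00",
    "Jun 22 10:17:02 kiosk-01 kernel: usb 1-2: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice= 0.00",
    "Jun 22 09:00:00 desk-07 kernel: usb 3-1: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00",
    "Jun 22 11:30:00 desk-07 kernel: usb 3-1: New USB device found, idVendor=05ac, idProduct=1281, bcdDevice= 0.00",
]

print(frequent_dfu_hosts(SAMPLE))
```

A single DFU attach can be a legitimate restore, so the example only flags hosts that see repeated DFU attaches inside one window; tune `threshold` and `window` to the fleet's normal repair activity.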

Intelligence briefing updated Jun 22, 2026

Root source: ps.tc