What happened
Security researchers at Paradigm Shift published a working exploit called usbliter8 that achieves arbitrary code execution inside the SecureROM of Apple’s A12 and A13 chips.
SecureROM code is burned into silicon during manufacturing, which means it cannot be fixed through a software update. Affected devices will carry the flaw for as long as they remain in use.
The exploit is not remote. It requires physical possession of the device, the device must be placed in DFU mode, and it must be connected by USB to a dedicated RP2350-based microcontroller board. With that setup, the exploit completes in under two seconds before Apple’s signed boot chain loads.
The public proof of concept supports A12, A13, S4, and S5 chips. A12X and A12Z support is described as theoretically possible but not yet implemented. Affected device families include the iPhone XS, XS Max, XR, iPhone 11, 11 Pro, 11 Pro Max, iPhone SE 2nd generation, iPad Air 3rd generation, iPad mini 5th generation, iPad 8th generation, Apple Watch Series 4 and 5, first-generation Apple Watch SE, HomePod mini, and other Apple products using those chips.
The root issue is a hardware flaw in the Synopsys DWC2 USB controller. On affected devices, Apple’s SecureROM configuration allows a USB-related memory corruption path to reach and overwrite arbitrary SRAM. That gives attackers a way to gain privileged code execution before the normal secure boot chain takes over.
A11 devices are not affected because their USB driver resets the DMA address after every packet. A14 and later devices appear to configure the relevant protection correctly, making the exploit path unavailable on newer hardware.
After exploitation, usbliter8 can inject a custom USB request handler and temporarily move the system outside Apple’s normal chain of trust. The research does not show a Secure Enclave compromise, but the researchers warned that BootROM-level control could create new paths for attacking it.
As of publication, there was no CVE, CVSS score, Apple security advisory, CISA alert, or public report of in-the-wild exploitation.
Who is affected
Owners and organizations using Apple devices built on A12, A13, S4, and S5 chips are affected.
The practical risk is low for most users because the exploit requires physical access, DFU mode, a dedicated USB-connected microcontroller board, and technical knowledge. However, the risk is more significant in high-security environments where device custody, hardware trust, forensic access, or resistance to physical compromise matters.
Sensitive environments using affected iPhones, iPads, Apple Watches, or HomePod mini devices should treat this as a hardware lifecycle and device-custody issue rather than a normal patch management issue.
Why CISOs should care
This exploit matters because it targets a part of the device that cannot be patched. Unlike operating system vulnerabilities, SecureROM flaws are permanent for affected hardware because the vulnerable code is burned into the chip.
For CISOs, the main concern is not mass remote exploitation. The concern is physical access. If an attacker can obtain an affected device, force DFU mode, and connect the required hardware, the secure boot boundary can be bypassed before Apple’s normal chain of trust begins.
The incident also shows why hardware generation matters in device security policy. A14 and later devices appear to be out of reach for this exploit path, while affected A12 and A13 devices remain permanently exposed. Organizations with higher security requirements may need to prioritize device refresh decisions based on chip generation, not only operating system support.
The public proof of concept also changes the risk profile. Once exploit code is public, the barrier to experimentation and reuse drops, even if the attack still requires physical access.
3 practical actions
- Inventory Apple devices by chip generation: The public proof of concept supports A12, A13, S4, and S5 chips. CISOs should identify affected iPhones, iPads, Apple Watches, and other Apple devices used in sensitive roles and separate them from newer A14-and-later hardware.
- Strengthen device custody controls for sensitive users: The exploit requires physical possession, DFU mode, and a USB-connected microcontroller board. Organizations should reinforce policies for lost or confiscated devices, secure storage, travel risk, and untrusted repair or forensic handling.
- Prioritize hardware refresh for high-security environments: Because SecureROM flaws cannot be patched through software updates, affected devices should be considered for replacement where physical compromise risk is unacceptable. High-risk users should move toward newer hardware not affected by this exploit path.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.