Overview
- Paradigm Shift published a technical write‑up and working proof‑of‑concept called usbliter8 on Thursday and told Apple Product Security before releasing the materials.
- The researchers say the root cause is a hardware bug in the Synopsys DWC2 USB controller that lets specially crafted very small USB packets corrupt an internal pointer and write into protected memory.
- Usbliter8 runs before the operating system by exploiting Device Firmware Update (DFU) over USB so an attacker needs physical access to a device in DFU mode to carry out the attack.
- The exploit affects devices using A12 and A13 silicon including many iPhone XS/XS Max/XR and iPhone 11 models plus some iPads and watches, and it does not directly break the Secure Enclave but can boot unsigned code until the device is rebooted.
- Because the vulnerable BootROM code is burned into the chip the only full mitigation is moving to A14‑or‑newer hardware and users should protect devices from unattended physical access while the disclosure fuels further research and potential jailbreak tools.