Particle.news

Unpatchable 'usbliter8' Exploit Targets Apple A12 and A13 BootROM

The public proof‑of‑concept gives anyone with physical DFU‑mode USB access a way to run code before iOS loads, so the only reliable defenses are hardware replacement or strict control of device custody.

Overview

  • Paradigm Shift published a technical write‑up and working proof‑of‑concept on Thursday after coordinated disclosure to Apple Product Security, making the exploit and details public.
  • The flaw sits in immutable SecureROM (BootROM) on A12 and A13 chips and stems from a hardware bug in the Synopsys DWC2 USB controller that lets crafted, unusually small USB setup packets force DMA writes into protected SRAM.
  • Affected hardware includes many iPhone, iPad and Apple Watch models built on A12, A13, S4 and S5 silicon such as the iPhone XS/XR and iPhone 11 families as well as several iPad and Watch generations.
  • Exploitation needs physical access and a DFU‑mode USB connection to a specialized board; it can deliver early‑boot (EL1) code execution to patch DFU and boot unsigned iBoot images, and it does not directly disclose Secure Enclave contents, though it widens attack paths against it.
  • Because BootROM is baked into the chip, Apple cannot patch the flaw in software, so practical mitigations are upgrading to A14‑or‑newer devices, stricter device custody and inventory for sensitive roles, and avoiding DFU over untrusted USB hosts.
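The overview says the trigger is a crafted, unusually small USB setup packet and the effect is a DMA write into protected SRAM, but it does not describe how the DWC2 defect turns one into the other, and the SecureROM code is not on this page. The following is an added example, not Paradigm Shift's proof‑of‑concept and not Apple's code: a constructed C handler for the 8‑byte USB control setup stage, in a weak form that accepts a short setup stage (leaving stale bytes in the undecoded fields, including wLength) and passes wLength to a DMA engine unbounded, beside a hardened form that insists on exactly 8 bytes and bounds host‑to‑device lengths by the target buffer. The buffer size, the function names and the sample packets are assumptions for illustration; the request values in the samples follow the USB DFU 1.1 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A USB control transfer always begins with an 8-byte setup stage:
 * bmRequestType, bRequest, wValue, wIndex, wLength (little-endian). */
#define USB_SETUP_LEN 8

/* Hypothetical size of the buffer a DMA engine fills during the data stage.
 * Assumed for this example; unrelated to the real SecureROM layout. */
#define XFER_BUF_SIZE 64

enum {
    ST_BAD_SETUP_LEN = -1,   /* setup stage was not exactly 8 bytes */
    ST_LEN_TOO_LARGE = -2    /* wLength exceeds the DMA target buffer */
};

typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

static void decode_setup(const uint8_t raw[USB_SETUP_LEN], usb_setup_t *s)
{
    s->bmRequestType = raw[0];
    s->bRequest      = raw[1];
    s->wValue        = le16(raw + 2);
    s->wIndex        = le16(raw + 4);
    s->wLength       = le16(raw + 6);
}

/* Weak handler. Two defects are deliberate: the staging buffer persists
 * between requests, so a setup stage shorter than 8 bytes leaves stale
 * bytes in the fields it did not overwrite (including wLength), and
 * wLength is handed to the DMA engine without any bound.
 * Returns the byte count it would program into the DMA engine. */
int handle_setup_weak(const uint8_t *pkt, size_t pkt_len)
{
    static uint8_t stage[USB_SETUP_LEN];
    usb_setup_t s;

    memcpy(stage, pkt, pkt_len < USB_SETUP_LEN ? pkt_len : USB_SETUP_LEN);
    decode_setup(stage, &s);
    return (int)s.wLength;
}

/* Hardened handler: reject anything but an exact 8-byte setup stage,
 * decode from a fresh buffer, and bound host-to-device data stages by
 * the DMA target size before any length reaches the engine. */
int handle_setup_strict(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t stage[USB_SETUP_LEN];
    usb_setup_t s;

    if (pkt_len != USB_SETUP_LEN)
        return ST_BAD_SETUP_LEN;
    memcpy(stage, pkt, USB_SETUP_LEN);
    decode_setup(stage, &s);

    /* bmRequestType bit 7 clear = host-to-device (OUT): the data stage
     * writes into device memory, which is the direction that needs a bound. */
    if ((s.bmRequestType & 0x80) == 0 && s.wLength > XFER_BUF_SIZE)
        return ST_LEN_TOO_LARGE;
    return (int)s.wLength;
}

/* Constructed sample packets (not captured traffic). bmRequestType 0x21 =
 * OUT, class, interface; bRequest 0x01 = DFU_DNLOAD per USB DFU 1.1. */
const uint8_t SAMPLE_DNLOAD_4K[USB_SETUP_LEN] = {0x21, 0x01, 0, 0, 0, 0, 0x00, 0x10}; /* wLength 0x1000 */
const uint8_t SAMPLE_DNLOAD_32[USB_SETUP_LEN] = {0x21, 0x01, 0, 0, 0, 0, 0x20, 0x00}; /* wLength 0x20 */
const uint8_t SAMPLE_TRUNCATED[2]             = {0x21, 0x01};                         /* short setup stage */

int main(void)
{
    printf("weak   4k   : %d\n", handle_setup_weak(SAMPLE_DNLOAD_4K, sizeof SAMPLE_DNLOAD_4K));
    printf("weak   short: %d (stale wLength from the previous request)\n",
           handle_setup_weak(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("strict 4k   : %d\n", handle_setup_strict(SAMPLE_DNLOAD_4K, sizeof SAMPLE_DNLOAD_4K));
    printf("strict 32   : %d\n", handle_setup_strict(SAMPLE_DNLOAD_32, sizeof SAMPLE_DNLOAD_32));
    printf("strict short: %d\n", handle_setup_strict(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The point of the pairing is the custody mitigation above: once the setup‑stage parser lives in mask ROM, a check like the strict variant cannot be added after the fact, so the only remaining control is over who gets to present a USB host to the device in DFU mode.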