Someone would need your iPhone, a USB cable, a Raspberry Pi Pico, and access during boot to pull this off. That’s the good news. The bad news: security firm Paradigm Shift has disclosed “usbliter8,” a BootROM exploit targeting Apple’s A12 and A13 custom silicon that no software update will ever fix. The vulnerability affects:
- iPhone XS through the entire iPhone 11 lineup
- iPhone SE 2nd gen
- Select iPads
- Apple Watch Series 4/5
- HomePod mini
The flaw lives in read-only memory — burned into silicon at manufacture, immutable forever after.
What “Unpatchable” Actually Means
This isn’t a bug Apple can quietly patch overnight — it’s a hardware-level flaw locked into the chip itself.
BootROM is the first code your phone runs at power-on, and Apple can’t rewrite it any more than you can un-bake a cake. The bug sits in a third-party Synopsys USB controller built into A12 and A13 chips. That controller accepts malformed packets smaller than the USB spec allows. Three undersized packets cause a memory pointer to walk backwards into territory it was never meant to touch, according to Paradigm Shift’s technical writeup. From there, an attacker can write data into sensitive memory regions during the boot process.
The irony stings. A11 devices like the iPhone X escape because Apple’s USB driver manually resets the pointer after each packet. A14 and later escape because Apple finally configured its memory protection unit — called DART — correctly at boot. A12 and A13 sit in the gap: a vulnerable middle generation caught between an old fix and a newer one. Apple essentially threaded a needle badly, and researchers just found the hole.
“Moving to a newer device is the only way to mitigate this vulnerability.” — Privacy Guides
The Real-World Risk Isn’t Zero, But It’s Not a Fire Drill
Your passcode and encrypted data stay protected — but high-risk users should take this seriously.
If you’re a journalist, activist, or executive whose phone might end up in hostile hands at a border crossing, this matters. For everyone else: the exploit demands physical USB access during DFU mode, relies on specialized microcontrollers rather than a standard Mac or PC, and your passcode and Secure Enclave remain intact. The [Secure Enclave](https://support.apple.com/en-ca/guide/security/sec59b0b31ff/web) is not directly compromised by usbliter8. Nobody is [tracking users](https://www.gadgetreview.com/white-house-app-caught-secretly-tracking-users-every-4-minutes) over Wi-Fi.
What usbliter8 actually achieves is breaking Apple’s secure boot chain, allowing unsigned software to load before iOS ever starts. It stamps “PWND” into the device’s USB serial number — a deliberate callback to checkm8, the 2019 exploit that did the same for A5–A11 devices and powered a generation of jailbreak tools. For the jailbreak community, this is like finding a lost vinyl pressing everyone assumed was destroyed.
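The “PWND” marker doubles as a tamper indicator for anyone triaging a device that comes back in DFU mode. The sketch below is an added example, not code from Paradigm Shift or Apple: it assumes the serial string uses the space-separated `TAG:value` layout familiar from checkm8-era DFU devices and that the CPID field reads 8020 for A12 and 8030 for A13; the sample strings are constructed, and the other affected chips listed above are not mapped.

```python
import re

# Assumption: CPID values for the two SoCs the article names (T8020 = A12, T8030 = A13).
AFFECTED_CPIDS = {"8020": "A12", "8030": "A13"}

# Four-letter tag, colon, then either a [bracketed] value or a run of non-space characters.
FIELD_RE = re.compile(r"([A-Z]{4}):(\[[^\]]*\]|\S+)")


def parse_serial(serial):
    """Split a DFU-style USB serial string into a {TAG: value} dict."""
    return {tag: value.strip("[]") for tag, value in FIELD_RE.findall(serial)}


def triage(serial):
    """Classify a serial string read from a device sitting in DFU mode."""
    fields = parse_serial(serial)
    chip = AFFECTED_CPIDS.get(fields.get("CPID", "").upper())
    # The article only says "PWND" is stamped into the serial, so match the bare marker.
    pwnd = "PWND" in serial
    if pwnd:
        verdict = "boot-chain-modified"   # secure boot was broken on this boot
    elif chip:
        verdict = "exposed"               # vulnerable generation, no marker seen
    else:
        verdict = "cpid-not-listed"       # not A12/A13 according to the table above
    return {"chip": chip, "pwnd_marker": pwnd, "verdict": verdict}


# Constructed sample strings (ECID and iBoot version are placeholders).
CLEAN_A12 = ("CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0C "
             "ECID:0000000000000001 IBFL:3C SRTG:[iBoot-0000.0.0.0.0]")
MARKED_A12 = CLEAN_A12 + " PWND:[constructed]"
OTHER_CHIP = CLEAN_A12.replace("CPID:8020", "CPID:8101")

if __name__ == "__main__":
    for name, s in [("clean", CLEAN_A12), ("marked", MARKED_A12), ("other", OTHER_CHIP)]:
        print(name, triage(s))
```

The input is the USB serial string descriptor the device presents in DFU mode, for example the `iSerial` line in `lsusb -v` output on Linux.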
Paradigm Shift coordinated disclosure with Apple Product Security before publishing. Practical steps:
- Keep a strong passcode
- Avoid plugging into unknown USB accessories during reboot
- Don’t hand a booting device to strangers
If physical-access threats are real in your world, upgrading to A14 or later hardware is the only true fix. Apple can’t patch the chip that already shipped.