
New Unpatchable Exploit Targets Apple Devices With A12 and A13 Chips (9to5mac.com)

(Friday June 19, 2026 @05:00PM (BeauHD) from the time-to-upgrade dept.)


Researchers have [1]disclosed a new unpatchable BootROM exploit [2]affecting Apple devices with A12, A13, S4, and S5 chips. The attack requires physical USB access and DFU mode, but can let an attacker run code before iOS loads, bypass signature checks, and boot modified software. 9to5Mac reports the details:

> In a highly detailed technical post published today, the Paradigm Shift Team details usbliter8, a new exploit that "leverages both a hardware bug in the USB controller and a specific configuration flaw present in the device firmware" and cannot be patched. The PS Team explains that ahead of today's disclosure, it shared its findings and worked with Apple Product Security to coordinate the release. The researchers also thanked Apple's security team for its "prompt response, constructive engagement, and cooperation throughout" the process.

>

> In a nutshell, this bug affects the following Apple SoCs: A12, S4, S5, and A13. [...] They add that "technical support for A12X/Z is possible," but "it is not currently implemented." That could add the 2018 and 2020 iPad Pro lineups to the list. The way usbliter8 works is: it sends specially crafted data to a device over USB while it is in DFU mode, confusing the USB controller and causing it to write data to the wrong part of memory. That gives an attacker with physical access to the device control over its startup process. From there, they can run their own code before iOS loads, bypass signature checks, and boot modified system software.

>

> Importantly, the exploit does not affect or compromise the device's Secure Enclave, which in practice means that data such as passcodes and encrypted user data remain secure. That said, PS Team says that "although usbliter8 doesn't affect SEP itself, it opens up wider attack vectors to compromise the Secure Enclave," adding that "by releasing this exploit publicly, we hope to highlight the real-world impact of these hardware flaws and contribute to a broader understanding of modern SecureROM security." [...] Given that this is also an unpatchable exploit, the researchers note that "affected users should be aware that migrating to newer hardware remains the most effective mitigation."



[1] https://ps.tc/pages/blog-usbliter8.html

[2] https://9to5mac.com/2026/06/18/new-unpatchable-exploit-targets-apple-devices-with-a12-and-a13-chips/



Fan of owning your own device (Score:4, Interesting)

by DarkOx ( 621550 )

I am a fan of owning your own device, so I generally consider it a positive thing when this stuff happens, provided the exploit path requires physical device access that isn't possible to do superstitiously, i.e. tether the thing and put it in DFU mode, with the full restart that implies, vs. pairing some Bluetooth thing or something and exploiting the running OS.

Yeah, I get it, it means it isn't secure to travel with it - fair argument.

This, though, is almost cruel to release. Most of the affected devices are old enough that Apple will probably just move up their end-of-support plans for them. It probably harms more people trying to save a buck and hang on to old kit than it helps people who might like to play with it without the lockdown.

Re: (Score:2)

by Kernel Kurtz ( 182424 )

Yeah jailbreaks are better when you can patch the hole behind you, but the fact this requires physical access makes it otherwise acceptable for many people.

Re: (Score:2)

by 93 Escort Wagon ( 326346 )

I agree, but unfortunately there doesn't seem to be much of an iPhone jailbreaking community anymore. Which is too bad... jailbreak tweaks introduced a lot of the more innovative features which eventually found their way into iOS proper.

Re: (Score:2)

by Kernel Kurtz ( 182424 )

> I agree, but unfortunately there doesn't seem to be much of an iPhone jailbreaking community anymore. Which is too bad... jailbreak tweaks introduced a lot of the more innovative features which eventually found their way into iOS proper.

Maintaining a reasonably secure jailbroken iPhone was a pain when I did it a long time ago. That is probably why. Eventually I decided fighting my phone vendor was silly and switched to Android/CM/Lineage.

Re: (Score:2)

by DarkOx ( 621550 )

Oh for sure! Running any of the jailbreaks for iPhones has mostly meant installing a huge heap of packages from Gwd Only Knows Where

Useful for having a run-time environment to study an application you do plan to use on an uncompromised device, perhaps for reusing older hardware for some other non-security-critical use case, but no frigging way would I consider using a jailbroken phone as my actual phone, with real contacts and access to real data and accounts I care about on it.

Re: (Score:2)

by sabbede ( 2678435 )

Instead, my first thought was, "Oh, this is probably handy for jailbreakers".

Apple buyback? (Score:2)

by will4 ( 7250692 )

Where's the Apple buyback or warranty fix for defective devices?

They are out of support warranty period, though for fundamental unpatchable security holes a 10 year window of buyback is needed.

And buyback at a percentage of the most recent equivalent device's retail price, not a pro-rated 3% off of buying a new device.

The EU has laws about fitness of purpose.

Re: (Score:2)

by sims 2 ( 994794 )

We'd still be way way better off if we could just get devices that let us run our own stuff in the first place.

Doing it this way forces people to choose between having usable or secure devices.

Re: (Score:2)

by ArchieBunker ( 132337 )

Enjoy! [1]https://pine64.org/devices/pin... [pine64.org]

[1] https://pine64.org/devices/pinephone/

Re: (Score:2)

by sims 2 ( 994794 )

If they could be bothered to make one with as much power as a 5-year-old flagship I'd probably already own one.

Re: (Score:2)

by awwshit ( 6214476 )

You can own it and with a little work I can pwn it.

Re: (Score:2)

by MIPSPro ( 10156657 )

True. All you have to do is not get shot while stealing it. Easy peazy!

superstitiously?surreptitiously (Score:2)

by anonymous scaredycat ( 7362120 )

I guess it would be possible to do it superstitiously, perhaps with the aid of some ghosts.

Re: (Score:2)

by bill_mcgonigle ( 4333 ) *

Sure, but border guards and spooks probably already had this exploit so the difference is minor. Their PoC page also says there's no access to Secure Enclave so perhaps the damage is minimal?

Curiously I saw some commits for an iPhone platform in LineageOS a month or two ago. Perhaps an option for EoL Apple hardware with working exploits.

Apple abandons old hardware with abandon (Score:2)

by TheMiddleRoad ( 1153113 )

They never patched the Broadcom security hole in older devices, making tons and tons of extra ewaste.

Not quite accurate (Score:2)

by CEC-P ( 10248912 )

"migrating to newer hardware remains the most effective mitigation"

"Oh yeah?" - person with epoxy resin mix.

Re: Not quite accurate (Score:2)

by GrahamJ ( 241784 )

That will make it rather difficult to charge your iPad.

Re: (Score:2)

by omnichad ( 1198475 )

Even safer!

The Year of Linux on iPhone? (Score:2)

by devloop ( 983641 )

Will this create an opportunity to have Linux ported to iPhones and other vulnerable devices?
