RSS

Apple A12 and A13 Chips: New Unpatchable Exploit

tosh1 pts0 comments

Apple's A12 and A13 Chips Facing New Unpatchable Exploit - MacRumors

Skip to Content

Apple's A12 and A13 Chips Facing New Unpatchable Exploit

Thursday June 18, 2026 9:17 am PDT by Hartley Charlton<br>Security research firm Paradigm Shift today published details of a new BootROM vulnerability affecting Apple's A12 and A13 chips, along with a working proof-of-concept exploit named "usbliter8."

The BootROM, or SecureROM, is the first code an iPhone runs when it powers on. Because it is baked directly into the chip at manufacture, any vulnerability found there cannot be fixed with a software update, meaning affected devices will remain vulnerable for the rest of their lives.

The last publicly known BootROM exploit of this kind was "checkm8," released in 2019 which affected devices from the iPhone 4S through to the iPhone X. usbliter8 now extends that history to the next generation of chips, covering the iPhone XS through to the iPhone 11 series.

The exploit works by taking advantage of a bug in the USB controller built into Apple's chips. When an iPhone receives USB data during startup, the controller uses a memory buffer to store incoming packets. Paradigm Shift found that by sending a specific sequence of unusually small packets, they could manipulate an internal hardware pointer in a way that causes it to walk backwards through memory, allowing data to be written to locations it should never reach. The researchers say this appears to be a bug in the USB controller hardware itself, not in Apple's software.

The A11 chip, used in the iPhone X, is not affected because its USB driver manually resets the pointer after each packet. A14 and later chips are also safe, as they configure a memory protection feature correctly at the BootROM level. The A12 and A13 sit in a vulnerable middle ground between the two.

On A12 devices, gaining code execution is relatively straightforward. On A13 devices, things are considerably harder because Apple introduced a security feature called Pointer Authentication Codes (PAC), which detects and blocks certain types of memory tampering. Paradigm Shift says working around PAC on the A13 required a lengthy multi-step process before the researchers could finally take control of the processor.

Once in control, the exploit installs a custom handler that survives a device restart and adds two capabilities: temporarily lowering the device's security settings, and booting unsigned software without any verification checks. It also injects the traditional "PWND" string into the iPhone's USB serial number as a signal that the device has been compromised, a convention that carries over from checkm8 and earlier exploits.

Paradigm Shift notes that while usbliter8 does not affect the Secure Enclave directly, a BootROM compromise of this kind opens up wider avenues for attacking it. The firm says it reported its findings to Apple Product Security before publication and worked with Apple on coordinated disclosure. The full proof-of-concept code has been published alongside the write-up at ps.tc.

Tag: Apple Security<br>Related Forum: iPhone

[ 70 comments ]

Get weekly top MacRumors stories in your inbox.<br>Leave this field empty<br>Popular Stories

New 'Apple One' Perk Extends to Chase's Sapphire Reserve Credit Card<br>Tuesday June 16, 2026 6:26 am PDT by Joe Rossignol<br>Yesterday, we reported that Chase's Sapphire Preferred credit card ($95 annual fee) now offers a complimentary one-year Apple TV streaming subscription, or a $7.50/month discount on an active Apple One subscription instead. It turns out that the Apple One discount now extends to Chase's premium Sapphire Reserve credit card too ($795 annual fee). The Sapphire Reserve has offered free...<br>Read Full Article &bull; 27 comments

Chase Sapphire Preferred Card Introduces New Perk for Apple Customers<br>Monday June 15, 2026 12:07 pm PDT by Joe Rossignol<br>Chase this week announced new perks for its Sapphire Preferred credit card, and one of them is a complimentary one-year Apple TV streaming subscription. To get the free year of Apple TV, which typically costs $12.99 per month in the U.S., you must activate the card by December 31, 2026. If you are already subscribed to Apple TV directly through Apple, the complimentary subscription from...<br>Read Full Article &bull; 40 comments

iOS 27 Adds Major New Feature to CarPlay<br>Wednesday June 17, 2026 9:10 am PDT by Joe Rossignol<br>Last year, Apple revealed that it was planning to allow CarPlay users to watch video via AirPlay in their vehicles while they are not driving, and the company finally provided more specific details about this functionality at WWDC 2026. In a WWDC 2026 video aimed at developers, Apple said the CarPlay video feature is available in new vehicles that support it. When playing a video in an...<br>Read Full Article

Top Rated Comments

Shin-Ra<br>13 hours ago at 10:06 am

Here is the complete list of Apple devices powered by the A12, A12X, A12Z, and A13 chips, ordered chronologically by their...

apple iphone chips exploit sapphire card

Related Articles

Apple WWDC 2026 Livestream

nextstep32 ptsapple stream video event live feed

Claude Fable 5

Philpax30 ptsfable claude mythos model models capabilities

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

German ruling declares Google liable for false answers in AI Overviews

ahlCVA15 ptsgoogle court search overviews content users

Britain Became as Poor as Mississippi

SanjayMehta15 ptsbritain mississippi next financial crisis self
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.