Security researchers from “Paradigm Shift” have now discovered a new vulnerability that is similar to “checkm8”. Here too, Apple is unable to fix the vulnerability because the flaw is in the boot ROM, which cannot be changed after the device has shipped. The new vulnerability, called “usbliter8”, affects Apple’s A12, A12X/Z, S4, S5 and A13 chips, which the company shipped in the iPhone XS/XR, iPhone 11, Apple Watch Series 4 and 5 as well as the third and fourth generation iPad Pro. These are quite old devices, but several are probably still in active use – especially since the iPhone 11 still supports iOS 26 and iOS 27.
USB controller as a gateway
The “usbliter8” vulnerability takes advantage of a flaw in the USB controller software that is contained in the boot ROM of the above-mentioned chips. In simple terms, the controller can be confused by sending it data packets that are too small via USB, in such a way that it becomes possible to write to arbitrary parts of the RAM and thus also to execute one's own program code.
The hack is quite easy to carry out on the A12, but on the A13 Apple introduced various new security features, including “Pointer Authentication Codes”. The security researchers from “Paradigm Shift” still managed to execute their own program code on the iPhone by way of various detours.
Cannot be done remotely
In practice, “usbliter8” means that it is possible to run code on any of the above devices. However, user data does not seem to be in danger at the moment because the data stored on the SSD is encrypted, and the key is held in the Secure Enclave, which has not yet been cracked.
Furthermore, the attack requires physical access to the device, as the vulnerability can only be exploited via the USB port and not, for example, via the Internet. Older or newer chips, such as the A11 or A14, are not affected by this attack vector.

