A Barcelona-based offensive security company called Paradigm Shift published a working exploit on Friday, June 20, for a BootROM vulnerability it calls “usbliter8” – an unpatchable hardware flaw in the USB controller of Apple’s A12 and A13 chips. The affected devices span a generation of hardware that includes the iPhone XS, XR, 11 series, second-generation iPhone SE, iPad Air 3, iPad mini 5, iPad 8 and 9, and all Apple Watch models with the S4 and S5 chips. The flaw is burned into the silicon at manufacture. No iOS update can touch it. Apple confirmed it worked with Paradigm Shift through coordinated disclosure. YourNewsClub flags the “coordinated disclosure” detail as the most practically significant sentence in the announcement: Apple cooperated, which means the company had advance knowledge of the flaw and chose publication over secrecy. That is the correct approach. It also means every government with a jailbreak programme now has a public proof-of-concept to accelerate its own work.
The technical root cause is specific. A hardware bug in the Synopsys DWC2 USB controller affects how incoming USB Setup packets are stored via DMA: on every fourth packet the controller rewinds its write pointer by a fixed 24 bytes, but packets shorter than the standard size advance the pointer by only the bytes actually written. That mismatch accumulates into a repeatable buffer underflow, stepping the write pointer backwards through memory 12 bytes at a time. On A12 and A13 chips, Apple configures the USB DART – its IOMMU – in bypass mode during BootROM execution, so the underflowing pointer can reach and overwrite arbitrary SRAM. On A11 and earlier, the driver manually resets the DMA address after every packet, so no drift accumulates. On A14 and later, Apple corrected the DART configuration. The window of affected hardware covers 2018-2020 production.
The predecessor exploit, checkm8, discovered in 2019, became the foundation for jailbreak tools still in active use and the primary technique used by mobile forensics companies including Cellebrite and Magnet Forensics. usbliter8 extends that capability to the next chip generation. An important qualifier: the exploit requires physical access, DFU mode, and a dedicated hardware board connected via USB. It does not operate remotely. The Secure Enclave – which holds passcodes, biometric data, and encryption keys – is not directly compromised. But Paradigm Shift stated that the exploit opens new attack vectors toward the Secure Enclave, meaning it is the enabling condition for further work, not a finished intrusion tool. YourNewsClub maps the checkm8 precedent as the relevant baseline: that exploit took approximately 18 months to mature into production-grade jailbreak tools. usbliter8 is now public. The same timeline likely applies.
Alex Reinhardt, who tracks financial systems and settlement infrastructure through digital protocols, places the commercial context: “Cellebrite and Magnet Forensics built significant contract revenues on checkm8 and are certainly working on usbliter8 implementations already. The question for enterprise security teams is not whether this exploit will appear in commercial forensics tools – it will – but whether their device refresh cycles will get ahead of it.” Jessica Larn, who studies macro-level technology policy and infrastructure impact, draws the policy dimension: “An unpatchable hardware vulnerability published as open source proof-of-concept is a category of disclosure that governments treat differently than patchable software flaws. The intelligence community uses hardware-level iPhone access commercially. usbliter8 lowers the barrier to that capability and places it in public reach.”
The unusual part is that the iPhone 11 – affected by usbliter8 through its A13 chip – remains on Apple’s current support roster and will continue receiving iOS updates, including iOS 27 this autumn. For as long as Apple supports it, users who own that device carry an unpatchable hardware vulnerability with a published proof-of-concept. YourNewsClub logs the iPhone 11’s continued software support status as the most commercially significant ongoing factor in the usbliter8 story, because it determines how large the population of vulnerable devices in active use remains through 2027.
YourNewsClub scopes the forensics market as the most immediately affected commercial sector: every vendor that built Cellebrite-style capability on checkm8 now has a clear development roadmap for the next chip generation, and enterprises that have not refreshed A12 and A13 devices to A14 or newer should treat that as an urgent risk management question.