Unpatchable Exploit Found in Apple's A12 and A13 Chips
Researchers at Paradigm Shift discovered a new unpatchable vulnerability, dubbed "usbliter8," in Apple's A12, S4/S5, and A13 chips.
The exploit targets the Boot ROM, a piece of code that's immutable by design so that no one can alter it, not even Apple. It's the first piece of code that runs during the boot process, so it's security-critical.
While the researchers don't mention devices other than iPhones, multiple devices share the same chips.
The A12 is used in the iPhone XR, iPhone XS/XS Max, iPad Air 3, iPad mini 5, iPad 8, and the second-generation Apple TV 4K.
The S4 chip is used in the Apple Watch Series 4, and the S5 is used in the Apple Watch Series 5, first-generation Apple Watch SE, and the HomePod mini.
The A13 is used in the 9th-generation iPad, iPhone 11/Pro/Pro Max, the second-generation iPhone SE, and the Studio Display.
Of these devices, the iPad Air 3, iPad mini 5, iPad 8, second-generation Apple TV 4K, HomePod mini, iPad 9, iPhone 11 models, and Studio Display are still supported by the latest operating system.
The researchers claim that support for A12X/Z chips is also possible, but they didn't implement it. This would expand the list of affected devices to include several iPad Pro models.
If you use one of these devices, moving to a newer device is the only way to mitigate this vulnerability.
The bug targets the USB controller. The chip has a buffer that accepts three Setup packets before writing them out.
The USB specification says that these Setup packets must be exactly 8 bytes, so when all three are moved out of the buffer, the controller tries to reset back to its starting position by subtracting 24 bytes.
However, the controller accepts packets smaller than 8 bytes, meaning that when it subtracts 24, it goes past the starting point and creates a buffer underflow.
The researchers say they believe the flaw is inherent to the controller. The exploit doesn't work on A11 chips because the driver manually resets the address back to the starting position after each packet.
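The pointer arithmetic described above, as a simplified model added here (not code from the researchers or from Apple's Boot ROM). The function `simulate`, the policy names, and the assumption that the write pointer advances by the number of bytes actually received are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

#define SETUP_LEN   8  /* length the USB specification requires for a Setup packet */
#define SETUP_SLOTS 3  /* Setup packets buffered before the pointer is rewound */

/* Hypothetical names for the two behaviours the article describes. */
typedef enum {
    REWIND_FIXED_24,   /* A12/A13: subtract 24 after every third packet */
    RESET_EACH_PACKET  /* A11: driver resets the address after each packet */
} policy_t;

/* Returns the write pointer's offset from the buffer start after n packets.
 * A negative result means the pointer now sits below the buffer. */
long simulate(policy_t policy, const size_t *lens, size_t n)
{
    long off = 0;
    size_t buffered = 0;

    for (size_t i = 0; i < n; i++) {
        off += (long)lens[i];  /* assumption: advances by bytes actually received */
        if (policy == RESET_EACH_PACKET) {
            off = 0;
        } else if (++buffered == SETUP_SLOTS) {
            off -= SETUP_LEN * SETUP_SLOTS;  /* assumes 3 * 8 bytes were written */
            buffered = 0;
        }
    }
    return off;
}

int main(void)
{
    /* Constructed inputs: three spec-compliant packets, then six short ones. */
    const size_t ok[]   = {8, 8, 8};
    const size_t shrt[] = {4, 4, 4, 4, 4, 4};

    printf("fixed rewind, 8-byte packets: %ld\n", simulate(REWIND_FIXED_24, ok, 3));
    printf("fixed rewind, 4-byte packets: %ld\n", simulate(REWIND_FIXED_24, shrt, 6));
    printf("per-packet reset, 4-byte:     %ld\n", simulate(RESET_EACH_PACKET, shrt, 6));
    return 0;
}
```

In this model, each group of three short packets leaves the pointer further below the buffer, so the drift accumulates across groups instead of staying bounded.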
On A12 and A13, the USB Device Address Resolution Table (DART) is configured in bypass mode, allowing attackers to overwrite SRAM data. A14 and later fix this issue.
The researchers state that the A12 chip was easier to exploit because A13 has more mitigations:
Several mitigations had to be bypassed along the way. These include heap metadata checksums, which are verified during heap operations, and LR signing during context switches, which occur whenever the USB task is woken up to process USB packets.
The exploit isn't able to touch the Secure Enclave, which has its own security boundary between it and the rest of the device. But the researchers say this exploit opens up new attack vectors against it.