• Category: Apple
  • Status: confirmed
  • Sources: AppleInsider, 9to5Mac, discussion
  • Summary: Researchers at Paradigm Shift published usbliter8 on 2026-06-18, a SecureROM (BootROM) exploit affecting Apple A12 and A13 chips and the S4 and S5 Apple Watch SoCs, after coordinated disclosure with Apple. It chains a USB controller hardware bug with a firmware configuration weakness to run code in the earliest boot stage. The flaw sits in burned-in silicon, so no software update can fix affected devices, which include iPhone XS through iPhone 11, the iPhone SE 2nd generation, some iPads, Apple Watch Series 4 and 5, and the HomePod mini. A full write-up and a working proof of concept are public.
  • Comments: The exploit requires physical possession, DFU mode, and a dedicated RP2350-based microcontroller over USB, then completes in under two seconds. No CVE, CVSS score, Apple advisory, or in-the-wild exploitation had been reported as of 2026-06-19.
  • Why it matters: An unpatchable boot-chain compromise across a large installed base of still-used iPhones and Watches is a permanent local-access jailbreak and forensic-extraction vector, bounded by the physical-access requirement.

Send feedback on this story