Barcelona Spyware Firm Publishes Unpatchable Boot ROM Exploit for Older iPhones, Opening Path to Jailbreaks

An offensive security firm has published an unpatchable Boot ROM exploit for older iPhones, and the source of that disclosure has come into sharp focus.

Who Published This and Why It Matters

The company behind the release is Paradigm Shift, a Barcelona-based firm that, according to TechCrunch, sells spyware and hacking tools to government agencies. On Friday, Paradigm Shift published a blog post naming the vulnerability "usbliter8" and released a proof-of-concept exploit alongside it.

This was not a good-faith disclosure from an independent academic researcher. It came from a commercial vendor in the government hacking market, which raises a pointed question: why publish now, and for whom?

What the Exploit Actually Does

The Boot ROM is the first code an iPhone executes at power-on. It is burned directly into the chip and cannot be updated remotely or via a software patch. A flaw there is permanent for every device running that hardware.

Usbliter8 allows an attacker with physical access — meaning a USB cable connected to the phone — to exploit this first layer of defense, bypass further security checks, and potentially reach the data stored on the device. Crucially, according to TechCrunch, hackers still need to chain additional vulnerabilities together to fully access user data. This is not a one-step remote hack. Physical possession of the phone is a prerequisite.

Affected chips are the A12 (released 2018) and A13 (released 2019), found in the iPhone XS, iPhone XR, and iPhones up through the iPhone 11. Newer devices are not affected.

Patching Is Not an Option

Paradigm Shift stated in its blog post that "as these vulnerabilities reside in immutable code, affected users should be aware that migrating to newer hardware remains the most effective mitigation." There is no software fix coming. Apple cannot push an update that rewrites the Boot ROM. For anyone still carrying an XS, XR, or iPhone 11, the vulnerability is permanent.

What This Enables

TechCrunch notes that public iPhone jailbreaks — which require exactly this kind of Boot ROM access as a foundation — were relatively widespread in the past but have become rarer in the last decade. Usbliter8 reopens that pathway for researchers, governments, and their contractors who need a low-level entry point to chain further exploits.

Companies like Cellebrite and Magnet Forensics, which build iPhone-cracking tools for law enforcement, almost certainly already possess similar capabilities internally, according to TechCrunch. What changes with a public release is that the technique is now available to a far wider set of actors — including those without Cellebrite's licensing agreements or legal accountability.

The Legitimate Concern Worth Stating Plainly

Some in the security research community argue that publishing these details serves the public interest: it forces transparency about what governments can already do, gives journalists and civil liberties organizations concrete technical information to push back against surveillance overreach, and motivates Apple to harden future chip designs. Law enforcement agencies in democratic countries operate under legal frameworks and court oversight, and tools like these have genuine applications for investigating serious crimes.

The counterweight is that once a proof-of-concept is public, legal frameworks do not constrain every actor who downloads it. The exploit now exists in the wild, attributed to a company with no obligation to limit its use to lawful investigations.

Who Is Still at Risk

Apple sold iPhones across the A12/A13 era covering devices from 2018 through 2019. Not everyone upgrades on a two- or three-year cycle. Users in lower-income countries, people who buy refurbished devices, and anyone who simply sees no reason to replace a working phone are the ones carrying permanently vulnerable hardware.

For them, the practical mitigation is not a patch. It is either a new phone or an awareness that physical seizure of their device — by border agents, law enforcement, or anyone else who gets hold of it — now comes with a known, working exploit pathway that Paradigm Shift has handed to the world.

Notably, Paradigm Shift did not respond to a series of questions from TechCrunch related to usbliter8. The unresolved question is whether Apple will publicly acknowledge the scope of affected devices and the realistic threat level for ordinary users, or whether silence will be the extent of its public response.