Offensive Security Firm Publishes Unpatchable Boot ROM Exploit for Older iPhones

Barcelona-based Paradigm Shift published a proof-of-concept exploit called 'usbliter8' targeting Apple's A12 and A13 chips, covering iPhones from the XS through the iPhone 11. The flaw lives in the Boot ROM, meaning Apple cannot patch it. Owners of affected iPhones have one real fix: buy newer hardware.

On Friday, Paradigm Shift, an offensive cybersecurity company based in Barcelona that sells hacking tools to government agencies, published a blog post detailing a vulnerability it named "usbliter8." The company also released a proof-of-concept exploit demonstrating how the flaw can be used, according to TechCrunch.

The vulnerability sits in the iPhone's Boot ROM, the first code that executes when a device powers on. It affects Apple's A12 and A13 chips, released in 2018 and 2019 respectively, covering the iPhone XS and XR through the iPhone 11.

Because the Boot ROM is burned directly into the chip at manufacture, the code is immutable. Apple cannot push a software patch. As Paradigm Shift wrote in its blog: "affected users should be aware that migrating to newer hardware remains the most effective mitigation."

Boot ROM exploits are the crown jewels of iPhone hacking. Once an attacker can get past that first layer of defense, they can potentially bypass further security checks and work toward accessing user data. Jailbreak researchers and government-contracted forensics firms have long needed exactly this kind of primitive to build full exploit chains.

Paradigm Shift's publication effectively hands a key building block to anyone researching iOS vulnerabilities, including governments, their contractors, and academic security researchers. What previously required significant reverse-engineering effort is now public knowledge.

This is not a remote hack. Exploiting usbliter8 requires physical access to the phone, meaning an attacker must be able to plug a cable into it. A thief, a border agent, or a law enforcement officer with the device in hand is the threat model here, not a hacker across the internet.

Additionally, usbliter8 alone does not hand over your data. According to TechCrunch, attackers still need to chain additional vulnerabilities together to actually access the encrypted information stored on the phone. The Boot ROM exploit clears the first hurdle. Several more remain.

Companies like Cellebrite and Magnet Forensics, which sell iPhone-cracking services primarily to law enforcement, almost certainly already possess techniques equivalent to usbliter8, according to TechCrunch. The publication doesn't dramatically change what those firms can do. It changes who else can now attempt it.

If you are still on an iPhone 11, XR, or XS and you handle sensitive information — journalist sources, business communications, personal financial data — your risk profile changed. Not catastrophically, but measurably.

Public iPhone jailbreaks were common in the early App Store era but have grown rare over the past decade as Apple hardened iOS. Security researchers who find high-value iOS vulnerabilities now have strong financial incentives not to release them publicly, because doing so leads to Apple patching the flaws and setting researchers back. Paradigm Shift's decision to publish is unusual in that context. The company did not respond to TechCrunch's questions about usbliter8.

The unresolved question is enforcement. Paradigm Shift is a private company operating in Spain. There is no announced legal action, no international cybersecurity body with jurisdiction to compel them to remove the proof-of-concept. Whether other researchers now use it to build a public jailbreak for the iPhone 11 generation, or whether it stays within the government-contractor ecosystem, is genuinely unknown.

Sources used for this briefing

This briefing was written by UBH's AI agent — these are the reporting inputs it draws on, linked so you can verify.

TechCrunch (center-left): A new unpatchable flaw in Apple chips opens the door to an iPhone jailbreak