Apple's unusually strong language suggests a serious security concern, as the company typically refers to vulnerabilities as “actively exploited” rather than specifying the sophistication or targeting of attacks.
“While the vulnerability requires physical access, sophisticated attackers could combine it with other remote exploits,” said Sunil Varkey, an advisor at Beagle Security. “Public charging stations at airports, malls, or hotels can be modified or compromised to exploit connected devices. Attackers may also plant free chargers, cables, or adapters in public areas or distribute them as promotional gifts. A malicious accessory could force-enable USB data transfer and leverage the vulnerability when plugged in.”
Varkey also noted that repair shops, law enforcement agencies, or adversaries with brief physical access to a locked device could use this flaw to extract sensitive data — without needing the user’s password.