>**Soft-lock bypass on Model One**. To carry out this exploit a malicious actor would require malware installed on the user’s computer. Then, with physical access to a device which has been left plugged in to the computer, an attacker could confirm any single bitcoin transaction without needing to enter a PIN.
If Trezor is unlocked, then ANY transaction can be made without entering PIN (if you have access to Trezor, physicly). Its normal use.What you mean “without needing a PIN”? If there is PIN requirement, then its ALWAYS asked for PIN, right? On init. (cold plug in), or after timeout (default is 5min).