Since it requires a cable connection and booting to recovery, it's unlikely to spread without assistance; people rarely connect one computer to another one over a USB cable. The exploit is very serious given the likelihood that someone could do this with minutes of access and it could remain resident for a long time. I doubt it's hard to use the access granted here to grab the encryption password and install malware on the victim's system to phone home with the data when the computer is connected to the internet. At least we know about this; had it been someone who doesn't work on security testing with a public interest, it would already be deployed at various countries' border scans.