
Vulnerabilities in Exynos modems allow remote code execution - Google Pixel, Samsung and Vivo phones affected

HenrySalayne

Summary

Project Zero, a team of security researchers, has found several vulnerabilities in Exynos modems. Some of the vulnerabilities allow an attacker to remotely compromise the phone without user interaction. A wide range of popular phones are affected like Samsung's S22 and A53, Google's Pixel 6 and Pixel 7 and even cars using the Exynos Auto T5123 chipset.

 

Quotes

Quote

Note: Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.

Quote

Affected devices

Samsung Semiconductor's advisories provide the list of Exynos chipsets that are affected by these vulnerabilities. Based on information from public websites that map chipsets to devices, affected products likely include:

 

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
  • The Pixel 6 and Pixel 7 series of devices from Google; and
  • any vehicles that use the Exynos Auto T5123 chipset.
Quote

The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution. Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

My thoughts

If you have an affected device, update it now or follow the researchers' advice and turn off Wi-Fi calling and VoLTE.

 

I think it is alarming that there are no updates for most devices after 90 days. Contrary to their general policy, Project Zero even decided to withhold four vulnerabilities from disclosure. This is only the seventh time that happened with another popular example being Spectre and Meltdown. It really shows the gravity of the situation.

 

Sources

Original post by Project Zero:

https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html

List of affected chipsets (Samsung):

https://semiconductor.samsung.com/support/quality-support/product-security-updates/

Tweet regarding current state of patches:

https://twitter.com/maddiestone/status/1636469657136959488

Additional articles:

https://9to5google.com/2023/03/16/google-exynos-modem-vulnerabilities/

https://www.androidpolice.com/exynos-modem-vulnerability-affected-pixel-6-7/


The most severe of these appears to allow for zero-click delivery, requiring literally no user interaction to deliver the payload. Needless to say, that’s pretty concerning. 
 

One other problem here is that, many cell providers are in the process of, or have, decommissioned their 3G and 2G networks. To make a phone call on 4G requires VoLTE to be enabled. Depending on area and provider, you have to actually shut off the thing that makes your device a phone. 

My eyes see the past…

My camera lens sees the present…


10 minutes ago, Zodiark1593 said:

One other problem here is that, many cell providers are in the process of, or have, decommissioned their 3G and 2G networks. To make a phone call on 4G requires VoLTE to be enabled. Depending on area and provider, you have to actually shut off the thing that makes your device a phone. 

In Europe GSM (2G) is still mostly in use while 3G is disappearing. But you are right. In the US T-Mobile is the last carrier to support GSM (if the Wikipedia article is accurate).


35 minutes ago, HenrySalayne said:

I think it is alarming that there are no updates for most devices after 90 days. 

You sure about that?

It seems like some of the exploits are already patched in the March security update, which has been released to Pixel phones as well as several Samsung phones.

I am not sure if all vulnerabilities are patched though since Google is being a bit light on the details.

 

 

35 minutes ago, HenrySalayne said:

Contrary to their general policy, Project Zero even decided to withhold four vulnerabilities from disclosure. This is only the seventh time that happened with another popular example being Spectre and Meltdown. It really shows the gravity of the situation.

I don't think this is that big of a deal, and it's most certainly not as serious as Spectre or Meltdown.


From your source:

 

"We expect that patch timelines will vary per manufacturer (for example, affected Pixel devices have already received a fix for CVE-2023-24033 in the March 2023 security update)."

 

From Android security bulletin:

https://source.android.com/docs/security/bulletin/asb-overview

Can't find it there. I checked February and January as well but nothing.

 

From Pixel security bulletin:

https://source.android.com/docs/security/bulletin/pixel

(March data not available yet)

February and January, no CVE-2023-24033 mentioned.

 

My country is just starting to roll out VoLTE and most phones if not all sold there have it disabled by default. Many don't even have the setting (visibly) available without doing some software shenanigans to get to it.

 

EDIT:

nvm found the March data through Google and it's mentioned there as fixed

https://source.android.com/docs/security/bulletin/pixel/2023-03-01

 



My Galaxy S6 is safe, hue.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


1 hour ago, LAwLz said:

You sure about that?

It seems like some of the exploits are already patched in the March security update, which has been released to Pixel phones as well as several Samsung phones.

I am not sure if all vulnerabilities are patched though since Google is being a bit light on the details.

One researcher tweeted about it:

I haven't found a conclusive list, yet. I'd imagine going through the patch notes of all affected devices will take some time.


1 hour ago, LAwLz said:

I don't think this is that big of a deal, and it's most certainly not as serious as Spectre or Meltdown.

I did not want to make it look like it is as serious as Spectre and Meltdown; however, they are the most famous example from that list.

 

We are still at an early stage here, but 18 vulnerabilities at once are quite a few. This is not my field of expertise, thus I don't know if this is an isolated incident or just the beginning.


Who cares if it is a "big deal" security vulnerabilities are a big deal if it is your phone.  People put their lives on these things.  All any of us can do is be vigilant and keep up with patches.   What really worries me is this. 

 

2 hours ago, Zodiark1593 said:

The most severe of these appears to allow for zero-click delivery, requiring literally no user interaction to deliver the payload. Needless to say, that’s pretty concerning. 


So basically your phone can get nuked from orbit if it has one of these problems.  No matter how security conscious you are.  If someone really needs their phone to be a cell phone even when they are in motion then they may want to switch to a cheap prepaid or an old phone they have for that.  If not, a lot of carriers support Wi-Fi calling.  In most US locations there is some kind of Wi-Fi network.  The real headaches will be in parts of the world where the cell network is the only network.  No modem means your phone is a total brick.


8 minutes ago, Uttamattamakin said:

Who cares if it is a "big deal" security vulnerabilities are a big deal if it is your phone.  People put their lives on these things.  All any of us can do is be vigilant and keep up with patches.   What really worries me is this. 

 


So basically your phone can get nuked from orbit if it has one of these problems.  No matter how security conscious you are.  If someone really needs their phone to be a cell phone even when they are in motion then they may want to switch to a cheap prepaid or an old phone they have for that.  If not, a lot of carriers support Wi-Fi calling.  In most US locations there is some kind of Wi-Fi network.  The real headaches will be in parts of the world where the cell network is the only network.  No modem means your phone is a total brick.

Pretty much.

 

Apple had a really nasty zero-click affecting the iPhone line, that involved sending a malicious MMS, and kind of running a Turing-complete computer within iMessage.

 

That had been patched a while back, though it should serve as a reminder that there exist (albeit, mercifully rare) exploits that don't give a damn how security conscious you are, or that you don't download "sketchy" applications. In these cases, your consent is not a factor.

My eyes see the past…

My camera lens sees the present…


3 hours ago, HenrySalayne said:

I think it is alarming that there are no updates for most devices after 90 days. Contrary to their general policy, Project Zero even decided to withhold four vulnerabilities from disclosure. This is only the seventh time that happened with another popular example being Spectre and Meltdown. It really shows the gravity of the situation.

It's a hardware issue so ultimately it's not surprising that it's taking longer to fix than standard exploits.  Even with the one exploit Google managed to patch so far has only been out for less than 20 days (not enough time for the majority to patch).

 

Since it's also an exploit of a hardware chip, it also means that lots more manufacturers are involved so the general deployment is slow.  IIRC Project Zero actually withholds vulnerabilities at the request of manufacturers when there is a valid reason for items not to be patched within that timeline (including but not limited to the complexity of fixing the vulnerability).

 

What is concerning though is that only one of the four has been publicly stated as being patched, so it makes one wonder if there will have to be a massive recall on all devices to fix the underlying bug if the other three patches can't be fixed (specifically the cars that use these chips as most of the carmakers aren't known for their prowess in software/hardware or OTA updates/speedy updates).  I think for the vehicles Volkswagen is the only one that has documented use of the chips so far (from what I have seen, most others use Qualcomm/Snapdragon chips).

 

3 hours ago, LAwLz said:

You sure about that?

It seems like some of the exploits are already patched in the March security update, which has been released to Pixel phones as well as several Samsung phones.

I am not sure if all vulnerabilities are patched though since Google is being a bit light on the details.

Well they haven't patched it for Google Pixel 6 yet apparently (from some of the articles I've seen), there is also the issue that the patch only covered one of the four CVEs at least mentioned.  Maybe it did patch them all, but at least the wording appears as though only the one was patched.

 

3 hours ago, LAwLz said:

I don't think this is that big of a deal, and it's most certainly not as serious as Spectre or Meltdown.

I would say it depends, the pz blog implies the release of information would be enough to create a remote exploit...when it involves vehicles that could be an issue.  If, let's say, exploiters end up effectively war-dialing the exploit it wouldn't be good if they manage to brick a car's features (in case of the auto chips, it provides support for the cameras onboard the vehicle).  So these exploits could have actual deadly consequences.  Add on the fact that it also affects phones, and that many device manufacturers slowly release the security updates and it could become a real issue.

 

While it's not mentioned, devices such as POS terminals might be affected (unsure though and don't feel like researching it)

 

1 hour ago, HenrySalayne said:

We are still at an early stage here, but 18 vulnerabilities at once are quite a few. This is not my field of expertise, thus I don't know if this is an isolated incident or just the beginning.

I would suspect that of the 4 critical vulnerabilities they probably share a lot in common with each other...just maybe slight variations.  It's also about them understanding the device better so they can figure out more vulnerabilities.

 

e.g. CVE-2023-26072 and CVE-2023-26073 are pretty identical in what they cover: a heap overflow resulting from reading the emergency list...and the other 2 listed I suspect share similar code (they forgot to effectively sanitize their inputs)

3735928559 - Beware of the dead beef


2 hours ago, HenrySalayne said:

One researcher tweeted about it:

I haven't found a conclusive list, yet. I'd imagine going through the patch notes of all affected devices will take some time.

It's important to be specific of what we are talking about here and not jump to conclusions. Like usual when it comes to security, things aren't black and white.

 

There are 18 vulnerabilities and at least three OEMs.

The tweet from Maddie could mean anything from:

All users are vulnerable to all vulnerabilities and the world is ending

to:

2 people are still missing the patch for 1 of the vulnerabilities.

 

 

What we do know is that at the least CVE-2023-24033 has been included in the March security update, and that's one of the most serious ones. I checked my phone (S22) and it has the March update, and I have confirmed that at least the Pixel 7 also has those updates already rolled out.

 

 

 

1 hour ago, Uttamattamakin said:

Who cares if it is a "big deal" security vulnerabilities are a big deal if it is your phone.  People put their lives on these things.  All any of us can do is be vigilant and keep up with patches.   What really worries me is this. 

This is a very bad mentality to have. It is very important to not look at the world in black and white terms, especially not when it comes to security.

Not all vulnerabilities, even on phones, are serious. It's a spectrum, and some of these vulnerabilities are on the more serious side of things.

 

Becoming hysterical will not help the situation.


5 minutes ago, LAwLz said:

What we do know is that at the least CVE-2023-24033 has been included in the March security update, and that's one of the most serious ones. I checked my phone (S22) and it has the March update, and I have confirmed that at least the Pixel 7 also has those updates already rolled out.

Are you sure? I found it only in the Pixel specific section of the link @WereCat provided. I did not find any mention on the "Android Security Bulletin—March 2023" page.

 


11 minutes ago, wanderingfool2 said:

Well they haven't patched it for Google Pixel 6 yet apparently (from some of the articles I've seen), there is also the issue that the patch only covered one of the four CVEs at least mentioned.  Maybe it did patch them all, but at least the wording appears as though only the one was patched.

The other 3 severe vulnerabilities do not have any CVE yet so we can't track if they have been fixed or not.

It might be fixed, just that they don't have a way of tracking it yet. Or it might not be fixed yet but since we don't even know what the vulnerabilities are I think we should calm down a bit.

 

What we do know right now is that there are 4 vulnerabilities that are very serious (note: "serious" does not mean you should become hysterical and think the world is ending).

One is already fixed and the patch is already being rolled out to devices. When you get it depends on which phone you got.

The other three seem to be very new and we have no way of tracking them. We have zero information about them and as a result I don't think it is a good idea to panic. 

 

Also, I think the wording makes it sound like they have patched more than one of the vulnerabilities:

Spoiler

As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities.

To me that sounds like fixes for the currently undisclosed vulnerabilities might be included in the patch. It's just that since it hasn't been disclosed yet, they won't tell you if it's fixed or not, because doing so would reveal information about it and indirectly disclose it. This is pretty standard for security vulnerabilities.

 

 

19 minutes ago, wanderingfool2 said:

I would say it depends, the pz blog implies the release of information would be enough to create a remote exploit...when it involves vehicles that could be an issue.  If, let's say, exploiters end up effectively war-dialing the exploit it wouldn't be good if they manage to brick a car's features (in case of the auto chips, it provides support for the cameras onboard the vehicle).  So these exploits could have actual deadly consequences.  Add on the fact that it also affects phones, and that many device manufacturers slowly release the security updates and it could become a real issue.

 

While it's not mentioned, devices such as POS terminals might be affected (unsure though and don't feel like researching it)

I feel like you are catastrophizing this. We literally have zero information about this and you are jumping to "this will cause cars to run people over and people will die!!!". Calm down. 

This is nowhere near as bad as Spectre and Meltdown. Not only is this far more limited in scope than Spectre and Meltdown, this only affects phones and some cars with Exynos modems. Meanwhile Spectre and Meltdown affected pretty much everything, from nuclear reactors to data centers, to phones and cars. This is a nothing burger compared to Spectre and Meltdown. Let's drop this comparison right now because it is ridiculous.


24 minutes ago, HenrySalayne said:

Are you sure? I found it only in the Pixel specific section of the link @WereCat provided. I did not find any mention on the "Android Security Bulletin—March 2023" page.

 

Hm you're right.

CVE-2023-24033 is not included in the Android Security Bulletin so it is not required for declaring the March patch level.

 

The patch notes from Samsung seem to include several of the more serious vulnerabilities but not CVE-2023-24033 for some reason.

 

As it stands right now I don't think we can say one way or another if 24033 is patched on Samsung devices. Although, I would be very surprised if it wasn't since it is confirmed to be patched in Google's March release.


11 minutes ago, LAwLz said:

Also, I think the wording makes it sound like they have patched more than one of the vulnerabilities:

hmm, yea maybe.  At least for older devices though the patch hasn't come through the pipeline yet...so while the underlying code might be patched I wouldn't say that updates are available.

 

13 minutes ago, LAwLz said:

What we do know right now is that there are 4 vulnerabilities that are very serious (note: "serious" does not mean you should become hysterical and think the world is ending).

One is already fixed and the patch is already being rolled out to devices. When you get it depends on which phone you got.

The other three seem to be very new and we have no way of tracking them. We have zero information about them and as a result I don't think it is a good idea to panic. 

We know enough about the 4 vulnerabilities though to assess how dangerous it could be.

Quote

With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely

Quote

Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution

So we know it could allow for a RCE with little extra research.  A RCE that affects multiple devices and multiple products when large chunks of those devices don't get patched regularly is an issue and should be brought attention to.

 

19 minutes ago, LAwLz said:

I feel like you are catastrophizing this. We literally have zero information about this and you are jumping to "this will cause cars to run people over and people will die!!!". Calm down. 

It's giving reasons why they might not want to release the vulnerability yet.  To be clear, if you don't know, war-dialing is effectively calling lists of numbers for many purposes finding what is vulnerable (akin to port scanning).  A RCE that works on a vehicle is something that should be taken very seriously.

 

23 minutes ago, LAwLz said:

This is nowhere near as bad as Spectre and Meltdown. Not only is this far more limited in scope than Spectre and Meltdown, this only affects phones and some cars with Exynos modems. Meanwhile Spectre and Meltdown affected pretty much everything, from nuclear reactors to data centers, to phones and cars. This is a nothing burger compared to Spectre and Meltdown. Let's drop this comparison right now because it is ridiculous.

A RCE could have a great degree of an impact though if it were released.  POS machines for example when Rogers went down created massive losses for merchants, with some places having to shut down.  The impact on cars is massive, because many manufacturers still require vehicles brought into the shop to install the firmware updates on key components.  Having a system in a car that is exploitable with RCE is actually quite a serious one.  So I'd argue while different from Spectre/Meltdown it's not something to dismiss...and if you noticed I didn't make the comparison to either I was saying that it could have real world consequences which is why they likely aren't releasing the information.

3735928559 - Beware of the dead beef


1 hour ago, LAwLz said:

This is a very bad mentality to have. It is very important to not look at the world in black and white terms, especially not when it comes to security.

Not all vulnerabilities, even on phones, are serious. It's a spectrum, and some of these vulnerabilities are on the more serious side of things.

 

Becoming hysterical will not help the situation.

Being vigilant to security threats is not being "hysterical".   Being prepared is crucial if your business  or your life depend on your phone(s) working.  Lots of us prepare for the worst, and consider the good and bad possibilities, without being emotional about it. 🙂 

 

1 hour ago, LAwLz said:

I feel like you are catastrophizing this. We literally have zero information about this and you are jumping to "this will cause cars to run people over and people will die!!!". Calm down. 

This is nowhere near as bad as Spectre and Meltdown. Not only is this far more limited in scope than Spectre and Meltdown, this only affects phones and some cars with Exynos modems. Meanwhile Spectre and Meltdown affected pretty much everything, from nuclear reactors to data centers, to phones and cars. This is a nothing burger compared to Spectre and Meltdown. Let's drop this comparison right now because it is ridiculous.

Kinda have to agree with @wanderingfool2 on this one.  If this also affects cars that's horrifying.  One can just not use their phone for a day or a week.  In a lot of places no car, no work, no pay.

However, then I'd have to agree with you but for a different reason.  Why would anyone do that to a random joe?   You know.  The odds that a hacker with that ability is going to go after a random person are astronomical.  At the same time if someone has that happen, and dies, that's something that we should try to avoid.   It's basically the trolley problem then isn't it?


5 hours ago, HenrySalayne said:

In Europe GSM (2G) is still mostly in use while 3G is disappearing. But you are right. In the US T-Mobile is the last carrier to support GSM (if the Wikipedia article is accurate).

It is, though you can't access it via T-Mobile directly. You have to use SpeedTalk (an MVNO).

elephants


2 hours ago, LAwLz said:

This is a very bad mentality to have. It is very important to not look at the world in black and white terms, especially not when it comes to security.

The only thing bad here is your attitude. An RCE is no joke, especially if it doesn't require anything on the user side...... It's especially bad since some whackjob thought locking down phones will do wonders for security. It's pretty much snake-oil..... (I mean the locked bootloader)


29 minutes ago, Uttamattamakin said:

However, then I'd have to agree with you but for a different reason.  Why would anyone do that to a random joe?   You know.  The odds that a hacker with that ability is going to go after a random person are astronomical.  At the same time if someone has that happen, and dies, that's something that we should try to avoid.   It's basically the trolley problem then isn't it?

It wouldn't be a targeted attack...that's why I mentioned war-dialing.  They know the way to make the chip vulnerable, so if the payload hits the chip itself they don't care about targeting a specific person...they could try a ransomware type of attack where they just send the payloads to many different IP addresses or phone numbers (however the RCE is executed).  That's the issue with RCE and specifically RCE involving communication between phones, you have an entry point that is publicly accessible.

 

It's like Heartbleed, even though I didn't have any vulnerable servers the firewall logs still picked up massive amounts of attempts when it was a thing.  So while not targeted, people will try to scan for vulnerable devices.

3735928559 - Beware of the dead beef


Thankfully, my Samsung phone (A52 4G) still uses Qualcomm, finally something I don't need to worry about.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


10 hours ago, HenrySalayne said:

But you are right. In the US T-Mobile is the last carrier to support GSM (if the Wikipedia article is accurate).

That's correct. However, I was under the impression Samsung used Snapdragon chips in the US. Exynos was primarily used outside the US. From what I recall reading some time ago, Samsung made some kind of long term agreement with Qualcomm for the US market, or it could have been all of North America.

I just want to sit back and watch the world burn. 


9 minutes ago, Donut417 said:

That's correct. However, I was under the impression Samsung used Snapdragon chips in the US. Exynos was primarily used outside the US. From what I recall reading some time ago, Samsung made some kind of long term agreement with Qualcomm for the US market, or it could have been all of North America.

This I believe is true.  

Which means the people who may have to worry about this.. will on average have less resources to deal with it. 😕  This all sounds like a great case for having a plain old dumb phone. 


17 minutes ago, Donut417 said:

That's correct. However, I was under the impression Samsung used Snapdragon chips in the US. Exynos was primarily used outside the US. From what I recall reading some time ago, Samsung made some kind of long term agreement with Qualcomm for the US market, or it could have been all of North America.

Lucky coincidence. 😉

The Samsung S series might come with Qualcomm SoCs in the US, but the A series does not (e.g. A53). And with the wide range of affected phones and wearables, there is probably a considerable amount of users in the US.

 


6 hours ago, wanderingfool2 said:

hmm, yea maybe.  At least for older devices though the patch hasn't come through the pipeline yet...so while the underlying code might be patched I wouldn't say that updates are available.

We don't know that.

 

6 hours ago, wanderingfool2 said:

We know enough about the 4 vulnerabilities though to assess how dangerous it could be.

Yes, but we don't even know if they are patched or not, how hard they would be to execute, or what limitations they could have.

We don't even know how big or small the potential group of affected devices are.

 

6 hours ago, wanderingfool2 said:

So we know it could allow for a RCE with little extra research.  A RCE that affects multiple devices and multiple products when large chunks of those devices don't get patched regularly is an issue and should be brought attention to.

Which devices aren't getting patched regularly? And what do you define as regularly?

This mostly affects newer Samsung phones, and those do get regularly updated.

 

6 hours ago, wanderingfool2 said:

It's giving reasons why they might not want to release the vulnerability yet.  To be clear, if you don't know, war-dialing is effectively calling lists of numbers for many purposes finding what is vulnerable (akin to port scanning).

I find it kind of insulting that you don't think I know what war dialing is. I probably know more about computer security than the rest of this thread combined. No need to lecture me.

 

6 hours ago, wanderingfool2 said:

A RCE that works on a vehicle is something that should be taken very seriously.

It depends on which component of the vehicle it affects. Again, with security related things it is very important to get details right, and right now we don't have much details.

There is a very big difference between "a hacker can make your music player stop playing music" and "a hacker can control the steering and gas functions in your car".

 

 

6 hours ago, wanderingfool2 said:

A RCE could have a great degree of an impact though if it were released.

I am not arguing against that. What I am arguing against is the ridiculous idea that this is anywhere near as bad as Spectre and Meltdown.

I won't respond to any more posts about this comparison because it is so ridiculous.

Anyone who thinks this is anywhere near as bad as Spectre and Meltdown is utterly wrong.

 

 

6 hours ago, wanderingfool2 said:

The impact on cars is massive, because many manufacturers still require vehicles brought into the shop to install the firmware updates on key components.

It might be big, or it might be very small. We don't know, so until we do know I suggest you stop saying that things are a certain way when we don't know.

We don't know if the impact on cars is massive, so don't say it is.

 

 

6 hours ago, wanderingfool2 said:

So I'd argue while different from Spectre/Meltdown it's not something to dismiss...and if you noticed I didn't make the comparison to either I was saying that it could have real world consequences which is why they likely aren't releasing the information.

Of course it can have real world consequences. It's a serious vulnerability. My issue is with all the hysteric people that think the world is ending and have been whipped into a frenzy because they don't know what is going on, are reading sensationalistic headlines and don't understand the first thing about security.

 

The world is not ending. We won't have cars running people over. 

 
