FALSE CLAIMS ACT

Cisco pays $8.6 million for selling surveillance system it knew was vulnerable

Whistleblower said Cisco waited more than 4 years to fix serious flaw.


Cisco is paying $8.6 million to settle claims that it sold a video-surveillance product the company knew made federal and state agencies vulnerable to serious hacking attacks. This is believed to be the first time a company has made a payout under a federal whistleblower lawsuit alleging failure to have adequate security protections.

The settlement stems from a Video Surveillance Manager package Cisco sold, starting more than a decade ago, to a raft of government agencies. These agencies include the Department of Homeland Security, the Secret Service, the Department of Defense Biometrics Taskforce, the Federal Emergency Management Agency, NASA, the Army, the Navy, the Air Force, and the Marine Corps. Known as VSM, the surveillance package was also used by government agencies in at least 15 states, including New York and California.

A 2011 lawsuit unsealed on Wednesday alleged that Cisco knowingly sold VSM to customers even after learning of a critical vulnerability. This vulnerability allowed hackers to spy on video footage in real time, turn cameras on or off, delete footage, and tamper with locks and other physical security systems connected on the same network. The lawsuit was filed under the False Claims Act in the US District Court for the Western District of New York. The act allows individuals with inside knowledge to bring suits on behalf of the government when they believe a contractor is committing fraud.

The individual suing Cisco is James Glenn, who was working for a Cisco partner in 2008 when he discovered the vulnerability and privately reported it. In 2010—about a year after being laid off in a cost-cutting measure—Glenn found that the vulnerability still hadn't been fixed. He filed the complaint a year later. Cisco didn't fix the vulnerability until July 2013, more than four years after Glenn made the private report.

“Security disasters”

"The Cisco VSM is fundamentally flawed, leading it to create significant security flaws in any system into which it is incorporated," the complaint alleged. "These flaws are so significant that it would be difficult to correct them sufficiently to bring the product into compliance with federal purchasing standards, even if Cisco fully disclosed the flaws to government purchasers. Because Cisco has deliberately refused to disclose these flaws to government purchasers, the vast majority of all such systems sold to government customers remain in their vulnerable state—a wide network of security disasters waiting to happen."

In a statement, Cisco officials wrote: "We are pleased to have resolved a 2011 dispute involving the architecture of a video-security technology product we added to our portfolio through the Broadware acquisition in 2007. There was no allegation or evidence that any unauthorized access to customers' video occurred as a result of the architecture."

Cisco's statement didn't explain why the company took more than four years to fix the critical vulnerability or why it continued to sell the package without disclosing the flaw.

The settlement is likely the first payout in a False Claims Act case involving a security vulnerability in a product. According to a spokesman for the law firm representing Glenn, most of the $8.6 million award will go to federal and state governments, and more than $1 million will go to Glenn.
