Cisco deliberately sold vulnerable software to the US government and by court order will pay a fine of $ 8.6 million

According to the court, Cisco will pay $ 8.6 million for intentionally selling surveillance cameras to US schools, hospitals and government agencies, being aware that it has a vulnerability. The “Hole” was found by an employee of a subcontractor who will receive part of the compensation.

Cisco agreed to pay a fine of $ 8.6 million for deliberately supplying vulnerable software to US hospitals, airports, schools and government agencies. The talk is about the software for video surveillance cameras Cisco Video Surveillance Manager.

The company learned about the existence of a serious vulnerability in the product in 2008, and for several years continued to sell it, without making any attempts to close the “hole”.

The product was also delivered to government agencies, including the US Secret Service, the Federal Emergency Management Agency and military departments. Also, this software was purchased by correctional facilities and police departments, including the New York Police Department.

Read also: Cisco fixed dangerous vulnerabilities in its industrial and enterprise solutions

The vulnerability could be used to view video from surveillance cameras, delete this video, and also to remotely turn cameras on and off. Moreover, through the “hole” it was possible to compromise other security system devices connected to the camera – for example, locks and alarms. Moreover, the vulnerability was quite simple to find and use.

James Glenn
James Glenn

James Glenn, who worked for a Cisco subcontractor in Denmark, discovered the vulnerability. His company was called NetDesign. Having discovered a “hole”, Glenn throughout 2008 sent detailed reports to Cisco that their product had a vulnerability and that any attacker, even with mediocre ideas about network security, could use it.

However, Cisco did not respond to Glenn warnings. He was fired from NetDesign in 2009, but does not connect this fact with calls to Cisco. Two years later, since the vulnerability has never closed, Glenn sued Cisco in New York. NY law allows a noncitizen to file a lawsuit on behalf of the government if he believes that the government contractor is committing fraud.

“This video surveillance software is used by airports, police departments, and schools. It is supposed to make us safer, making the vulnerabilities at issue all the more troubling”, – said Hamsa Mahendranathan, an attorney at Constantine Cannon, the law firm that represented Glenn.

Hamsa Mahendranathan
Hamsa Mahendranathan

Government may join the lawsuit later, though greater part of compensation will go to him.

The Department of Justice, 15 states, and the Western District of New York, ultimately joined Glenn’s lawsuit. In the lawsuit, Glenn demanded $ 8.6 million compensation from Cisco. However, the state will receive 80% of this sum, the remaining 20% will go to Glenn and his lawyers.

Cisco assures that there is no evidence of real exploitation of the vulnerability found by attackers.

“We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product we added to our portfolio through the Broadware acquisition in 2007. There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture”, – a Cisco spokesperson told.

However, Glenn claims that the “hole” can be exploited without leaving any traces, so he is not sure that there are no real cases of hacking.

According to the position of Cisco lawyers, their video surveillance software was specially designed so as not to provide the customer with complete protection as he had the opportunity to add his own security solutions. Software created Broadware, acquired by Cisco in 2007.

Cisco emphasizes the fact that in 2009 the Best Practices Guide warned customers that they should “pay special attention to adding the necessary security features to software.” However, the vulnerability was not closed. It was not closed until 2013 when Cisco concluded that its customers needed more complete protection and updated the product. At the same time, sales of the vulnerable version were discontinued only by September 2014.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button