Cisco To Pay $8.6 Million As Settlement For 5-Year Bug In Their Product
The network technology company Cisco is set to pay $8.6 million to settle an alleged violation of the U.S. False Claims Act (FCA). The case was brought eight years ago, in May 2011, and stemmed from the claim that Cisco was neglecting its responsibility to patch its Video Surveillance Manager (VSM). James Glenn, who was working for NetDesign, a Cisco subcontractor, raised the issue with Cisco to no avail. The security flaw allowed unauthorized remote control of the Video Surveillance Manager, recording of its video feeds and tampering with the recorded videos. Glenn also emphasized that the unpatched flaw gave attackers total control not just of the VSM software but of all the cameras under its supervision. A later investigation escalated this further, finding that an intruder would also gain access to the network on which the VSM (and its camera network) operates.
The bug existed from October 2008 up to 2013, and Cisco, despite being informed of the issue, remained negligent in fixing the critical concern. Cisco also continued to market the vulnerable VSM software and its corresponding camera hardware to prospective customers globally, including government institutions in the USA and other countries. “This video surveillance software is used by airports, police departments, and schools. It is supposed to make us safer, making the vulnerabilities at issue all the more troubling,” explained Hamsa Mahendranathan, Glenn’s lawyer from the Constantine Cannon law firm.
Multiple cases were filed against Cisco in 18 U.S. states, which compelled Cisco to finally stop selling the broken VSM system in 2014. Cisco’s EVP and Chief Legal Officer, Mark Chandler, broke his silence in commenting on his company paying the $8.6 million settlement. “(This) is a partial refund to the US federal government and 16 states for products purchased between Cisco’s fiscal years 2008 and 2013. While this is a legacy issue which no longer exists, it matters to us to recognize that times and expectations have changed,” confirmed Chandler.
The EVP disclosed that VSM was not a huge moneymaker for Cisco; in fact, it accounted for only 1/100th of 1% of the company’s total annual revenue. The network equipment giant also mentioned that VSM was a technology acquired from Broadware, which was sold to Cisco twelve years ago. Cisco also denied that VSM had a serious security flaw that could be easily exploited, let alone one allowing remote control of the VSM software and its camera interfaces by unknown parties.
The lawsuits against Cisco’s VSM openly claimed the contrary: Cisco’s systems were deployed in many military installations in the United States and at other customers with high security requirements. “Cisco has known of these critical security flaws for at least two and a half years; it has failed to notify the government entities that have purchased and continue to use VSM of the vulnerability. Thus, for example, an unauthorized user could effectively shut down an entire airport by taking control of all security cameras and turning them off. Alternately, such a hacker could access the video archives of a large entity to obscure or eliminate video evidence of theft or espionage,” the lawsuit stated.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer covering the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites such as hackercombat.com.