Networking giant Cisco has paid $8.6 million to settle charges it violated the US False Claims Act (FCA) for selling video surveillance equipment to federal agencies it knew had “dangerous” security flaws.
The lawsuit was brought by the US federal government and several state governments, as well as a Cisco contractor who in 2008 reported a security flaw in Cisco’s Video Surveillance Manager (VSM) software that Cisco didn’t resolve for several years. More importantly, Cisco kept selling VSM kit to government agencies with flaws it knew about for years.
Cisco has agreed to pay $1.6 million to whistleblower, James Glenn, a security pro who reported the flaw to Cisco, and $7 million to government agencies who bought Cisco’s kit.
Glenn, a US citizen, was living in Denmark in 2007 and working as a security engineer for Danish network services provider, NetDesign.
NetDesign is a Cisco “Gold Certified” reseller of its kit. Glenn was allegedly fired by the company in 2009 for reporting Cisco’s “security violations”, according to court documents obtained by The Register that were filed in 2011.
In 2009 Glenn reported the issue and was afforded US whistleblower protections. In 2011, he said Cisco had still not publicly disclosed or patched the flaws, but court documents said Cisco continued to “fraudulently market the [Cisco Video Surveillance Manager] as a secure and reliable tool to federal and state agencies, many of which have critical security needs.”
Glenn had argued the Cisco product flaws were so severe they needed to be withdrawn from the market.
“These flaws are so significant that it would be difficult to correct them sufficiently to bring the product into compliance with federal purchasing standards, even if Cisco fully disclosed the flaws to government purchasers," the plaintiffs argued in court documents.
"Because Cisco has deliberately refused to disclose these flaws to government purchasers, the vast majority of all such systems sold to government customers remain in their vulnerable state – a wide network of security disasters waiting to happen.”
The most critical flaw “allows the user of any video observation point, no matter how restricted, to gain access to the full contents of the system to which the central server is connected”, and could have potentially given an attacker unauthorised access to any network the devices were connected to.
According to the complaint, Cisco would have known that software flaws in its video surveillance kit would unlikely be detected by buyers of those systems, which are typically sold to “badge and gun” security divisions -- as opposed to IT security units who would be more aware of violations of US Federal Information Processing Standards (FIPS) requirements.
“As Cisco well knows, federal agencies, and any state agencies that rely on FIPS, cannot purchase systems that are not FIPS-compliant,” the documents state.
The complaint doesn’t detail specifics of the flaw, however it notes that Glenn discovered them while participating in NetDesign’s 2008 “Own Medicine” program, where employees test systems the company uses itself in order to find bugs.
Glenn and a colleague were testing a Cisco camera with its software and found it didn’t log failed password attempts, implying it could be vulnerable to password guessing or brute force attacks.
Glenn then reported the bug to Cisco, which it promptly patched. But then in October 2018 he returned to probe VSM and found it was “riddled with serious security defects”. He reported these to Cisco’s Product Security Incident Response Team (PSIRT) — the group responsible for patching at Cisco. But this time Cisco didn’t respond so quickly.
By late November — after a Cisco PSIRT member admitted to Glenn there was “no quick fix” — he attended a conference call between NetDesign and Cisco’s PSIRT where he conveyed that “the problem was intrinsic to the design and structure of the Cisco VSM and largely irreparable.” He later encouraged NetDesign not to sell kit with Cisco VSM.
In March, 2009 NetDesign fired Glenn who was told it was “due to economic concerns”, according to the document. In September 2010 Glenn asked a family member to call the FBI to report that Cisco’s VSM, with its un-patched flaws, were installed at Los Angeles International Airport.
Organisations that bought Cisco equipment with VSM in the period after Glenn had alerted Cisco to the problems included the US Department of Homeland Security.
Other federal agencies that had bought Cisco VSM gear at some point prior included the Secret Service Procurement Division, the Department of Defense Biometrics Task Force Headquarters, the Federal Emergency Management Agency, NASA, the Army, the Navy, the Air Force, the Marine Corps, and the Patent and Trademark Office.
In a statement today confirming the settlement, Cisco said that in “July, 2013, we advised that customers should upgrade to a new version of the software which addressed security features”.
The company linked to its disclosure page for the flaws, which is rated as “critical” and has a CVSS version 2 rating of 9.0 out of 10. It also noted that the software was created by Broadware, a company it acquired in 2007.
"Broadware intentionally utilised an open architecture to allow customised security applications and solutions to be implemented. Because of the open architecture, video feeds could theoretically have been subject to hacking, though there is no evidence that any customer’s security was ever breached."
Cisco says it stopped selling older affected versions of this software in September 2014.
“Evaluating these facts today, we’ve now agreed to make a payment that includes, what is in effect, a partial refund to the US federal government and 16 states for products purchased between Cisco’s fiscal years 2008 and 2013."