Cisco Systems has agreed to pay $8.6 million to settle a lawsuit that alleged it sold video security software with known security vulnerabilities to U.S. federal and state governments.
The litigation, originally brought in 2011, was filed under the False Claims Act, claiming that the software failed to meet the cybersecurity standards it purported to embrace.
The company will pay $2.6 million to the federal government and up to $6 million to 15 states, certain cities, counties and other political subdivisions, and the District of Columbia. The states that settled with Cisco are California, Delaware, Florida, Hawaii, Illinois, Indiana, Minnesota, Nevada, New Jersey, New Mexico, New York, North Carolina, Tennessee, Massachusetts and Virginia.
The settlement also includes a payment of about $1.6 million to a whistleblower who alerted the government to the software’s issues.
The platform in question is the Cisco Video Surveillance Manager, a legacy software suite that the networking giant inherited in its acquisition of a company called Broadware in 2007.
According to the complaint obtained by media [PDF], the whistleblower, James Glenn, was working at a Cisco partner called NetDesign. While working on a video surveillance project with the Danish police, he discovered flaws in the system that would allow a hacker who compromised one camera to pivot easily to gain administrative privileges on the video LAN – and from there move laterally into other parts of the network.
“Due to the vulnerability in Cisco’s surveillance system, any user who has or can gain access to one video camera could potentially gain unauthorized access to the entire network of a federal agency,” according to the suit.
In 2008, he contacted Cisco about the vulnerabilities, but according to the suit the company failed to act. So, he alerted a member of an FBI terrorism task force, which eventually led to the suit being filed in federal district court in Buffalo, N.Y. The suit also claims that Cisco forced Glenn’s firing in 2009 after he submitted a detailed bug report with the vendor.
Cisco maintains that it never falsely claimed that the software was totally secure, but rather characterizes the settlement as an acknowledgment that industry norms have changed.
“In short, what seemed reasonable at one point no longer meets the needs of our stakeholders today,” it said in a website statement on Wednesday. “While this is a legacy issue which no longer exists, it matters to us to recognize that times and expectations have changed.”
The company said that the perceived issue arose from the software’s intentionally flexible architecture.
“Broadware intentionally utilized an open architecture to allow customized security applications and solutions to be implemented,” Cisco explained in its statement. “Because of the open architecture, video feeds could theoretically have been subject to hacking, though there is no evidence that any customer’s security was ever breached. In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us.”
In 2013, Cisco rolled out an update with patches for various security bugs, and discontinued sales of older versions in September 2014.
Named customers for vulnerable versions of Cisco’s Video Surveillance Manager in the court documents include the Los Angeles International Airport (LAX), the Washington D.C. police department, New York City’s subway and public transit system, the U.S. Army, Navy, Air Force and Marine Corps., and various public education entities.
“Our client raised important security concerns,” said Claire Sylvia, Glenn’s attorney and partner at Phillips & Cohen, in a media statement. “We alleged in our complaint that the software flaws were so severe that they compromised the security of the video surveillance systems and any computer system connected to them. Many federal and state agencies depended on Cisco’s video surveillance systems to help monitor security at their facilities.”
Sylvia added, “The tech industry can expect whistleblowers to continue to step forward when serious problems are ignored, thanks to laws that reward and protect them.”
Cisco did not immediately respond to a request for further comment.
Interested in more on patch management? Don’t miss our free Threatpost webinar, “Streamlining Patch Management,” now available on-demand. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Click here to listen (registration required).
