Cisco pays out $8.6m in damages over faulty government software

Claim argues company left vulnerable video software unpatched for five years

Cisco agreed to pay $8.6 million in civil damages on Wednesday following a legal complaint that argued the company knowingly sold unsecure surveillance equipment to US federal, state and government agencies.

It marks the first time a company has paid out in a False Claims Act dispute over failing cyber security standards, according to attorneys involved in the case speaking to the New York Times.

Advertisement - Article continues below

According to the legal complaint, the US government said video surveillance software supplied by Cisco was "of no value" because it didn't enhance security in the way advertised. It added that the Cisco software, in many cases, reduced the security offered by the government's other systems, too.

An issue was originally identified in 2008 by James Glenn, a Cisco subcontractor in Denmark, after he found he was able to bypass security protocols to take over the video surveillance software, as well as gain access to any network to which the system was connected.

"Due to the vulnerability in Cisco's surveillance system, any user who has or can gain access to one video camera could potentially gain unauthorised access to the entire network of a federal agency," the claim said.

Despite immediately notifying Cisco, Glenn retested the exploit again in 2010, discovering that the software was still vulnerable.

Advertisement
Advertisement - Article continues below

Cisco didn't disclose these vulnerabilities until 2013, five years after Glenn originally reported the issues as part of a vulnerability disclosure practice that, at the time, was in its infancy but is now followed industry-wide.

Advertisement - Article continues below

"Multiple security vulnerabilities exist in versions of Cisco VSM prior to 7.0.0, which may allow an attacker to gain full administrative privileges on the system," said Cisco in its 2013 vulnerability disclosure.

"We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product," said Cisco spokeswoman Robyn Blum. "There was no allegation or evidence that any unauthorised access to customers' video occurred as a result of the architecture."

Despite fixing the issue, the False Claims Act case argued that Cisco had knowingly supplied its customers with this vulnerable software during the 2008-2013 period.

Among those that joined Glenn in the claim included the states of New York, California, the District of Colombia, as well as Los Angeles International Airport, the Washington D.C. police and the New York City public transport system, all of which had received vulnerable Cisco software.

Some of the highest-value customers also included the US Army, Navy, Air Force and Marine Corps.

Advertisement - Article continues below

Cisco hasn't had a favourable year in the security department. Most notably, vulnerabilities affecting the company's trust anchor module (TAm) alarmed industry experts amid claims they couldn't be patched.

At the company's annual Cisco Live conference in June, its security experts were grilled on the Thrangrycat vulnerability but ultimately sidestepped the issue, essentially blaming it on human error and not offering any insight into the action being taken.

In March, Cisco struggled to fix two vulnerabilities in a range of its small business routers despite repeated patches, leaving the hardware exposed for more than two months.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/security/ethical-hacking/356252/poorly-secured-banking-apps-lead-to-cyber-threats
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular

Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/server-storage/servers/356083/the-best-server-solution-for-your-smb
Sponsored

The best server solution for your SMB

26 Jun 2020