Networking giant in hot water for selling US govt buggy spy kit? Huawei again? No, it's Cisco

American tech giant coughs up $9m for shipping vulnerable crates of crap to Uncle Sam

A Cisco trade show booth

Cisco finds its bank balance $8.6m lighter after it agreed to settle a False Claims Act lawsuit in the US over its video surveillance software.

On Wednesday, attorneys for whistleblower James Glenn announced that the networking giant's payout would settle the first ever US False Claims Act case to involve information security. For his trouble, Glenn (and his lawyers) stands to pocket $1.6m from the payout, while US states grab the other $7m.

Glenn, a former Cisco contractor, filed the whistleblower complaint in 2011, accusing Switchzilla of knowingly selling Uncle Sam, including all four branches of its military and FEMA, as well as fifteen US states, copies of its Video Surveillance Manager (VSM) suite without disclosing a critical design flaw.

The complaint alleged Cisco knew the hole was present from 2008 to 2011 but did not warn its customers. While the details of the bug have not been shared, the complaint stated that a successful exploit would potentially allow for a complete network takeover.

Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it's Cisco again

READ MORE

"The most critical flaw in the Cisco VSM allows the user of any video observation point, no matter how restricted, to gain access to the full contents of the system to which the central server is connected," a copy (PDF) of the complaint obtained by The Register reads.

"Many of Cisco’s customers have the surveillance system’s central media server installed on a computer that is connected to the same Local Area Network (LAN) as the rest of their computers. Due to the vulnerability in Cisco’s surveillance system, any user who has or can gain access to one video camera could potentially gain unauthorized access to the entire network of a federal agency."

Glenn claimed that not only did Cisco try to keep the VSM vulnerability under wraps, but Switchzilla also fired Glenn when, in 2008, he tried to warn Cisco and his then-employer, a local Cisco distributor in Denmark called NetDesign.

"Based on the circumstances of his firing, [Glenn] believes, and on that basis alleges, that he was fired in retaliation for alerting Cisco and NetDesign to the flaws in the Cisco VSM product," the complaint reads.

"After he was fired, Relator continued to monitor Cisco’s public pronouncements about its Video surveillance system, hoping to see that Cisco had fixed the problem or at least informed its customers of the vulnerability."

Cisco, for its part, says that the VSM products at issue have not been sold since 2014 and the flaw can actually be traced back to the original development of the software by Broadware, a company Cisco assimilated back in 2007.

"Broadware intentionally utilized an open architecture to allow customized security applications and solutions to be implemented. Because of the open architecture, video feeds could theoretically have been subject to hacking, though there is no evidence that any customer’s security was ever breached," wrote Cisco executive VP and general counsel Mark Chandler earlier today.

"In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us." ®




Biting the hand that feeds IT © 1998–2019