Cisco pays $8.6m after whistleblower discloses security flaws in video surveillance system

Lost job after blowing the whistle

Video surveillance expert James Glenn, who worked for Cisco reseller NetDesign in Copenhagen, Denmark, alerted Cisco’s product security incident response team to serious vulnerabilities in flagship video surveillance software in October 2008.

Glenn ultimately lost his job in what his company described as a cost cutting measure, his lawyers told Computer Weekly.

Glenn said in a statement: “The tech industry does not fulfil its professional responsibility to protect the public from its products and services. There is this culture that tends to prioritise profit and reputation over doing what is right. I hope coming forward with my experience causes others in tech companies to think about their ethical mandate.”

Cisco

Glenn claimed that anyone with a moderate grasp of network security could exploit the software to gain unauthorised access to the stored video, could bypass physical security systems and gain administrative access to the entire network of government agencies without detection.

“The problem was that there was some code embedded in the software that left open a loophole so that, as someone with very limited access, you could gain administrative access and so eventually build a backdoor into the system for yourself – and it would not log the creation of that administrator account,” said lawyer Mike Ronickher, representing Glenn.

“You could essentially have free rein over the software – modify, delete anything you wanted. Depending on how it was set up with a particular installation, that would give you access to anything that was networked to the system. You would get not only the surveillance manager itself, the computers that were running them, but typically they would be installed connected to the physical security, so you could gain access to e-card readers and alarms.”

Lawsuit filed

Glenn’s lawyers filed a complaint, known as qui tam lawsuit, against Cisco on behalf of the federal government, 15 states and the District of Columbia, which bought the Cisco equipment in May 2011. The Attorney General’s office in New York acted on behalf of the 15 states during the settlement negotiations.

Cisco issued a best-practice guide followed by an updated version of its video surveillance software in September 2012 which it claimed addressed the problems Glenn had identified more than three years earlier. It disclosed the vulnerabilities to the public and its customers in July 2013, four years and nine months after Glenn had first alerted it to the problems.

Cisco has issued further alerts about serious security vulnerabilities, unconnected with Glenn’s findings  in its video surveillance software manager software since July 2013.

In September 2018, Cisco reported that some configurations on the system contained a hard-coded password that could have enabled hackers to log on and execute commands as a “root user”.

In May 2019, Cisco advised that some versions of the software contained a vulnerability that could allow an attacker to download sensitive files.

Settlement will encourage more tech whistleblowers

Under the US Federal False Claims Act, Glenn is likely to receive between 15% and 20% of the costs recovered from Cisco.

The case is likely to encourage other whistleblowers in Europe’s technology industry to take advantage of US whistleblower protection laws to report poor cyber security practice and corporate malfeasance to US regulators and law enforcement.

Mary Inman, one of the legal team representing Glenn, said: “I do think it is significant that this is what we believe to be the first successful whistleblower-initiated case to expose a cyber vulnerability. My view is that this is a harbinger of things to come. This will be the first of many.”

The US has a range of whistleblower laws, which cover the US Securities and Exchange Commission (SEC), the Internal Revenue Service and the Commodity Futures Trading Commission, in addition to the False Claims Act.

Inman said more people in the UK and Europe were becoming aware that they can blow the whistle on malpractice under the protection of US laws.

For eight of the past nine years, the UK has been the top source of whistleblowers to the US SEC, outside of the US.

Hamsa Mahendranathan, representing Glenn, said it was particularly troubling that the vulnerabilities were found in video surveillance software used by airports, police departments and schools, which is supposed to make people safer.

“These vulnerabilities would never have come to light without the whistleblower, not to Cisco, not to government,” said Mahendranathan. “As we put more trust in tech companies to keep us safe, we need to encourage industry whistleblowers to come forward now more than ever.”

Writing in a blog post, Mark Chandler, chief legal officer of Cisco said that Cisco had acquired its VSM software with Cisco's acquisition of a company called Broadware in 2007, which had designed the software using an 'open architecture.'  Because of this "video feeds could theoretically have been subject to hacking, though there is no evidence that any customer's security was breached."

"In July 2013 we advised that customers should upgrade to a new version of the software which addressed security features. All sales of the older versions of the software had ended by September 2014," he wrote.

Glenn was represented by Constantine Cannon LLP and its whistleblower attorneys, Ann Hayes Hartman, Michael Ronickher, Hamsa Mahendranathan and co-counsel Claire Sylvia at Philips and Cohen.