Cisco Systems has agreed to pay $8.6m after being accused of knowingly supplying video surveillance technology containing serious security vulnerabilities to the US federal and state governments.
The case, brought by a former employee of a Cisco partner company in Denmark, is the first successful cyber security complaint to be brought against a US technology company under US whistleblowing legislation.
Cisco Systems has agreed to settle allegations filed under the False Claims Act that it knowingly sold video surveillance software that exposed federal, state and local government agencies in the US to the risk of unauthorised access and tampering for at least four and a half years.
Cisco’s video surveillance management software suite is widely used by government bodies, prisons, schools and shopping centres in the US and Europe to manage and control thousands of surveillance cameras running on digital networks.
The company supplied the software to agencies including the US Department of Homeland Security, the Secret Service, the Army, the Navy, the Air Force, the Marine Corps and the Federal Emergency Management Agency (FEMA).
According to a complaint unsealed today in the New York Western District Court, Cisco allegedly failed to disclose known vulnerabilities in the software, which could have given hackers access to the computer networks of sensitive government agencies, schools and hospitals, despite internal warnings.
The company said in a statement that it was pleased to resolve the dispute involving the architecture of a video security product it had introduced into its portfolio through an acquisition in 2007. "There was no allegation or evidence that any unauthorized access to customers' video occurred as a result of the architecture," it said.
Lost job after blowing the whistle
Video surveillance expert James Glenn, who worked for Cisco reseller NetDesign in Copenhagen, Denmark, alerted Cisco’s product security incident response team to serious vulnerabilities in flagship video surveillance software in October 2008.
Glenn ultimately lost his job in what his company described as a cost-cutting measure, his lawyers told Computer Weekly.
Glenn said in a statement: “The tech industry does not fulfil its professional responsibility to protect the public from its products and services. There is this culture that tends to prioritise profit and reputation over doing what is right. I hope coming forward with my experience causes others in tech companies to think about their ethical mandate.”
Glenn claimed that anyone with a moderate grasp of network security could exploit the software to gain unauthorised access to the stored video, bypass physical security systems and gain administrative access to the entire network of government agencies without detection.
“The problem was that there was some code embedded in the software that left open a loophole so that, as someone with very limited access, you could gain administrative access and so eventually build a backdoor into the system for yourself – and it would not log the creation of that administrator account,” said lawyer Mike Ronickher, representing Glenn.
“You could essentially have free rein over the software – modify, delete anything you wanted. Depending on how it was set up with a particular installation, that would give you access to anything that was networked to the system. You would get not only the surveillance manager itself, the computers that were running them, but typically they would be installed connected to the physical security, so you could gain access to e-card readers and alarms.”
Glenn’s lawyers filed a complaint, known as a qui tam lawsuit, against Cisco in May 2011 on behalf of the federal government, 15 states and the District of Columbia, which had bought the Cisco equipment. The Attorney General’s office in New York acted on behalf of the 15 states during the settlement negotiations.
Cisco issued a best-practice guide, followed by an updated version of its video surveillance software in September 2012, which it claimed addressed the problems Glenn had identified more than three years earlier. It disclosed the vulnerabilities to the public and its customers in July 2013, four years and nine months after Glenn had first alerted it to the problems.
Since July 2013, Cisco has issued further alerts about serious security vulnerabilities in its video surveillance manager software that are unconnected with Glenn’s findings.
In September 2018, Cisco reported that some configurations on the system contained a hard-coded password that could have enabled hackers to log on and execute commands as a “root user”.
In May 2019, Cisco advised that some versions of the software contained a vulnerability that could allow an attacker to download sensitive files.
Settlement will encourage more tech whistleblowers
Under the US Federal False Claims Act, Glenn is likely to receive between 15% and 20% of the costs recovered from Cisco.
The case is likely to encourage other whistleblowers in Europe’s technology industry to take advantage of US whistleblower protection laws to report poor cyber security practice and corporate malfeasance to US regulators and law enforcement.
Mary Inman, one of the legal team representing Glenn, said: “I do think it is significant that this is what we believe to be the first successful whistleblower-initiated case to expose a cyber vulnerability. My view is that this is a harbinger of things to come. This will be the first of many.”
The US has a range of whistleblower laws, which cover the US Securities and Exchange Commission (SEC), the Internal Revenue Service and the Commodity Futures Trading Commission, in addition to the False Claims Act.
Inman said more people in the UK and Europe were becoming aware that they can blow the whistle on malpractice under the protection of US laws.
For eight of the past nine years, the UK has been the top source of whistleblowers to the US SEC, outside of the US.
Hamsa Mahendranathan, representing Glenn, said it was particularly troubling that the vulnerabilities were found in video surveillance software used by airports, police departments and schools, which is supposed to make people safer.
“These vulnerabilities would never have come to light without the whistleblower, not to Cisco, not to government,” said Mahendranathan. “As we put more trust in tech companies to keep us safe, we need to encourage industry whistleblowers to come forward now more than ever.”
Writing in a blog post, Mark Chandler, chief legal officer of Cisco, said that Cisco had acquired its VSM software through its acquisition of a company called Broadware in 2007, which had designed the software using an “open architecture”. Because of this, “video feeds could theoretically have been subject to hacking, though there is no evidence that any customer's security was breached.”
"In July 2013 we advised that customers should upgrade to a new version of the software which addressed security features. All sales of the older versions of the software had ended by September 2014," he wrote.
James Glenn’s battle with Cisco over video surveillance security
May 2007: Cisco acquires video surveillance technology after buying Broadware Technologies, a provider of IP-based surveillance software.
October 2008: James Glenn, who worked for Cisco reseller NetDesign in Denmark, discovers serious security vulnerabilities in Cisco’s Video Surveillance Manager (VSM). He files a report to Cisco’s Product Security Incident Response Team (PSIRT).
November 2008: Glenn sends a follow-up letter to Cisco after receiving no response. A proposed meeting between Glenn and Cisco does not take place.
9 March 2009: Glenn loses his job at NetDesign.
September 2010: Glenn speaks about the incident to a close family member in Washington DC, who alerts a US government cyber security agency, which passes the information to the FBI. Glenn is put in touch with a whistleblower lawyer, Tim McCormack, then of law firm Phillips & Cohen.
10 May 2011: Glenn’s lawyer files a complaint against Cisco on behalf of the US government in the US District Court for the Western District of New York. Cisco subsequently releases a best-practice guide for the software.
September 2012: Cisco releases a product update for its video surveillance management software which it said fixed the vulnerabilities identified by Glenn.
13 March 2013: A researcher called Bassam Saleh reports multiple serious security vulnerabilities in the Cisco Video Surveillance Manager on the Bugtraq mailing list.
24 July 2013: Cisco issues a public security alert over the vulnerabilities identified by Glenn and others. Cisco’s security alert identifies multiple security vulnerabilities in the Cisco Video Surveillance Manager in versions prior to 7.0.0. It warns that one vulnerability “may allow an attacker to gain full administrative privileges on the system” and that unauthorised attackers could gain access to sensitive system files by using a “crafted URL”. Other vulnerabilities would allow attackers to create, modify and remove camera feeds, archives, logs and users.
August 2013: Craig Heffner, a former software developer with the National Security Agency, demonstrates security vulnerabilities in IP video surveillance cameras from Cisco and other suppliers. He identifies a hard-coded password and user names in a Cisco system that could be used by attackers to gain access to cameras used in hotels, server rooms and an engineering company taking part in the space programme.
21 September 2018: Cisco discloses the existence of a backdoor vulnerability in a number of configurations of its Video Surveillance Manager. The software contained an undocumented hard-coded password. “An attacker could exploit this vulnerability by using the account to log in to an affected system,” it said. “A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.”
May 2019: Cisco discloses a security vulnerability in Video Surveillance Manager that could allow an unauthenticated, remote attacker to access sensitive information. The vulnerability is due to improper validation of parameters handled by the web-based management interface. “An attacker could exploit this vulnerability by sending malicious requests to an affected component,” it said. “A successful exploit could allow the attacker to download arbitrary files from the affected device, which could contain sensitive information.”
August 2019: Cisco agrees to pay $8.6m to settle allegations that it knowingly sold video surveillance equipment containing serious security vulnerabilities to US government agencies including the US Department of Homeland Security, the Secret Service, the Army, the Navy, the Air Force, the Marine Corps and the Federal Emergency Management Agency (FEMA).