Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks — all without being detected, said Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented the whistleblower James Glenn.
The security weakness was also easy to find and exploit, said Michael Ronickher, another Constantine Cannon attorney.
“It was like the moment in the heist movies when a person types on a laptop for 30 seconds and says ‘I’m in,’ ” Ronickher said.
There’s no evidence that the bug was actually exploited to spy on any Cisco customers’ cameras, the company said in a statement. “We are pleased to have resolved” the dispute, a Cisco spokesman said. “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.”
Glenn’s lawyers noted, however, that it’s possible the hackers compromised the cameras but weren’t discovered. “We don’t want to give the impression we think this happened a lot,” Ronickher said. “As far as we know no major breaches resulted from this. But it was left unaddressed for [four] years.”
The settlement marks the first time a company has been forced to pay out under a federal whistleblower law for failing to have adequate cybersecurity protections.
Cisco Chief Legal Officer Mark Chandler wrote in a blog post that the surveillance system was purposely designed without complete cybersecurity protections so customers could add their own customized security tools. The company alerted customers in 2009 that they “needed to pay special attention to building necessary security features on top of the software,” he said, but by 2013 Cisco had concluded that its customers needed to upgrade to a newer version of the software with fuller digital protections.
Those were also years during which companies were generally beginning to take cybersecurity much more seriously, driven by a string of high-profile breaches.
“In short, what seemed reasonable at one point no longer meets the needs of our stakeholders today,” Chandler wrote. Moving forward, he said, the company plans to “stay ahead of what the world is willing to accept” in terms of cybersecurity.
The settlement also comes as the federal government is doing a top-to-bottom review of its multibillion-dollar contracting efforts, which officials have said were never designed to deal with cybersecurity. The concern is that the government may be inadvertently greenlighting a slew of hackable products for purchase by federal agencies — many of which are then also bought by states and government grant recipients such as schools and hospitals.
That was the case with the flawed Cisco software. The U.S. Secret Service, Federal Emergency Management Agency and military services were among the federal agencies that bought it. And prisons and police departments, including the New York Police Department, bought it through grants, Mahendranathan said.
Given recent digital attacks on hospitals, local governments and schools, the pervasiveness of weak software is an urgent concern, the lawyers argued. “This video surveillance software … is supposed to make us safer, making the vulnerabilities at issue all the more troubling,” Mahendranathan said.
Glenn, who was working for a Cisco partner in Denmark when he first alerted the company to the issue, filed the lawsuit in the U.S. District Court for the Western District of New York under the False Claims Act. That law effectively allows individuals to sue on behalf of the government if they believe a government contractor is committing fraud. The government can join the suit later and collect most of the proceeds.
In this case, the federal and state governments that joined will collect 80 percent of the $8.6 million award while Glenn and his attorneys will take 20 percent, his lawyers said.
Glenn, during his work at a Cisco subcontractor called NetDesign over the course of 2008, sent the company “detailed reports … revealing that anyone with a moderate grasp of network security could exploit this software,” but he never got a response, his attorneys said.
Glenn was fired by NetDesign in 2009, his attorneys said. They are not alleging that dismissal was in retaliation for pointing out the flaw. He filed the whistleblower lawsuit two years later.
“He tried to fix this through the appropriate channels before he ever thought about filing a lawsuit,” Ronickher said. “This is usually the last resort for people who find things that just aren’t being fixed.”