Cisco has settled a lawsuit over claims that it sold video surveillance technology that it knew was vulnerable to a four-year-old flaw. The vulnerability could have allowed malicious parties to hack into cameras that Cisco had been selling to U.S. hospitals, airports, schools, police departments, state governments and federal agencies.
According to a settlement unsealed Wednesday with the U.S. Justice Department, 15 states and the District of Columbia, Cisco learned about the vulnerability for the first time back in 2008, when whistleblower James Glenn came forward and revealed the flaw. However, Cisco waited four years before doing anything about it. In the meantime, the company kept promoting its vulnerable product.
Cisco’s surveillance technology was also connected to door locks and alarms, and those could have also been bypassed due to this flaw.
Michael Ronickher, one of Glenn’s attorneys, said that the flaw was easy to exploit:
"It was like the moment in the heist movies when a person types on a laptop for 30 seconds and says 'I'm in.'"
Cisco said that there was no evidence that the flaw has been abused. Ronicker agreed with that statement but also noted that it’s possible hackers abused the flaw without being detected.
For its first time, Cisco had to settle under the whistleblower law for not having adequate security protections. The Justice Department learned about the flaw as it was reviewing many of the multi-billion dollar contracts that may not have prioritized cyber security. With the rise of ransomware and it disabling and holding hostage hospitals and police departments, cybersecurity issues have become a much more pressing issue for the U.S. government.
The federal government and the state governments that joined the settlement with Glenn will get 80% of the $8.6 million, while Glenn and his attorneys will get 20%. This should leave Glenn with more than $1 million for his whistleblowing act after fees and expenses, which is still significantly more than what most bug bounties would pay.