Cisco to Pay $8.6M for Knowingly Selling Hackable Surveillance Gear to US Government

Credit: Cisco

Cisco has settled a lawsuit over claims that it knowingly sold video surveillance technology containing a flaw it had known about for four years. The vulnerability could have allowed an attacker to gain unauthorized access to cameras that Cisco had been selling to U.S. hospitals, airports, schools, police departments, state governments and federal agencies.

According to a settlement unsealed Wednesday with the U.S. Justice Department, 15 states and the District of Columbia, Cisco first learned about the vulnerability in 2008, when whistleblower James Glenn came forward and reported the flaw. Cisco then waited four years before addressing it, and in the meantime kept promoting and selling the vulnerable product.

Cisco’s surveillance technology was also connected to door locks and alarms, so those controls could also have been bypassed through the same flaw.

Michael Ronickher, one of Glenn’s attorneys, said that the flaw was easy to exploit:

"It was like the moment in the heist movies when a person types on a laptop for 30 seconds and says 'I'm in.'"

Cisco said that there was no evidence that the flaw had been abused. Ronickher agreed with that statement but noted that it is possible attackers exploited the flaw without being detected.

This is the first time a company has settled under the federal whistleblower law (the False Claims Act) for failing to provide adequate security protections. The Justice Department learned about the flaw while reviewing multi-billion dollar contracts that may not have prioritized cybersecurity. With ransomware increasingly disabling and holding hostage hospitals and police departments, cybersecurity has become a much more pressing issue for the U.S. government.

The federal government and the state governments that joined the settlement with Glenn will receive 80% of the $8.6 million, while Glenn and his attorneys will receive 20%. After fees and expenses, this should leave Glenn with more than $1 million for blowing the whistle, still significantly more than most bug bounties would pay.

5 comments
  • CKKwan
    Should have bought Dahua or HIK or even Huawei instead
  • bit_user
    The interesting part of this is the use of whistleblower law to raise cybersecurity issues.

    I wonder if Cisco engineers its own surveillance equipment or just imports & rebrands someone else's.
  • bit_user
    Quote:
    Should have bought Dahua or HIK or even Huawei instead

    Well, the main thing nowadays is to have certification and testing.

    I don't think any brand can simply trade on "trust", any more.