Cisco to Pay $8.6M for Flaws in Software Sold to Government

The company has settled a suit with 15 states and several other government entities that alleged it continued selling video surveillance management software after learning of serious security flaws.

August 1, 2019

Cisco has agreed to pay $8.6 million to the plaintiffs, mostly U.S. federal, state and local government entities, to settle a lawsuit alleging that the company sold them video surveillance software while knowing that it contained serious security flaws.

The lawsuit, first filed in the U.S. District Court for the Western District of New York in 2011, alleged that Cisco knew as early as 2008 about flaws in its Video Surveillance Manager (VSM) product that could have turned the software into a backdoor into an organization’s computer network. In 2008, an employee at a Danish company partnering with Cisco discovered a series of vulnerabilities in the product suite and reported them to Cisco, only to be fired from his job.

That employee, James Glenn, will receive $1.6 million, while $2.6 million will go to federal entities and “up to” $6 million will go to state and local governments, according to a press release from Glenn’s lawyers.

All told, 15 states settled with Cisco: California, Delaware, Florida, Hawaii, Illinois, Indiana, Minnesota, Nevada, New Jersey, New Mexico, New York, North Carolina, Tennessee, Massachusetts and Virginia. According to court documents, Amtrak, several branches of the U.S. military, Los Angeles International Airport, the Washington, D.C., Metro Police Department and San Joaquin County, Calif., were among the other VSM purchasers.

The complaint, filed by the plaintiffs, laid out a host of security vulnerabilities, chiefly VSM’s failure to enforce access control: users were not prevented from reaching parts of the system they should not have been able to access. As a result, the plaintiffs charged, bad actors could use the software to turn off cameras and other security hardware connected to the system, read passwords and gain administrative privileges, all without the system logging it.

The complaint goes on to say that Cisco continued selling the software after Glenn brought the flaws to the company’s attention and did not tell customers about the vulnerabilities. In 2013, five years later, the company released a series of fixes for the software, and it stopped selling the older versions of VSM in 2014.

Company representatives said they are not aware of anyone having exploited the flaws in the software.

“We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product we added to our portfolio through the Broadware acquisition in 2007,” a spokesperson said in a statement. “There was no allegation or evidence that any unauthorized access to customers' video occurred as a result of the architecture.”