In 2008, a security researcher named James Glenn warned Cisco that its video surveillance software had a defect that made it vulnerable to a trivial-to-exploit attack; for four years afterward, the company continued to sell this software to schools, airports, hospitals, state/local governments, the US military, FEMA, the Secret Service and police departments without mitigating the defect or warning their customers that internet-connected randos could undetectably peer through their security cameras, unlock their doors, disable their alarms, and delete footage.
Now, Cisco has entered into a settlement with the DOJ, DC and 15 states, and will pay $8.6m to settle all claims against it.
Despite the fine, Cisco insists that nothing bad happened, because it never detected anyone making an undetectable attack on any of its customers' systems.
80% of the award money will go to the government agencies, while 20% will go to Glenn and his attorneys, who filed a whistleblower lawsuit after he was fired from Cisco subcontractor Netdesign.
There's a lesson here about the people who advocate for allowing companies to decide when defects in their products can be revealed: companies are not trustworthy custodians of bad news about their products, even (especially) when the stakes are high and they face titanic liability for failing to mitigate reported defects.
Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks – all without being detected, according to Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented whistleblower James Glenn.
The security weakness was also easy to find and exploit, said Michael Ronickher, another Contantine Cannon attorney.
"It was like the moment in the heist movies when a person types on a laptop for 30 seconds and says 'I'm in,' " Ronickher said.
Cisco to pay $8.6 million fine for selling hackable surveillance technology [Joseph Marks/The Washington Post]