Cisco pays $8.6 million to settle software flaw claims
2019-08-01 17:20 by Daniela
Cisco has agreed to pay $8.6 million to settle a lawsuit filed by a client alleging the networking giant knowingly sold video surveillance kit containing serious security vulnerabilities. Although Cisco eventually fixed the software flaws, the lawsuit alleged that the firm potentially exposed the federal and state-level agencies that used the equipment.
The settlement stems from a Video Surveillance Manager package Cisco sold, starting more than a decade ago, to a raft of government agencies. These agencies include the Department of Homeland Security, the Secret Service, the Department of Defense Biometrics Taskforce, the Federal Emergency Management Agency, NASA, the Army, the Navy, the Air Force, and the Marine Corps. Known as VSM, the surveillance package was also used by government agencies in at least 15 states, including New York and California.
The tech giant continued to sell the software and didn't fix the massive security weakness for about four years after a whistleblower alerted the company about it in 2008, according to a settlement unsealed Wednesday with the Justice Department and 15 states as well as the District of Columbia.
Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks - all without being detected, according to Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented whistleblower James Glenn.
"We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product we added to our portfolio through the Broadware acquisition in 2007," said a Cisco spokesperson in an emailed statement Thursday. "There was no allegation or evidence that any unauthorized access to customers' video occurred as a result of the architecture."
Cisco said that it advised customers to upgrade to a new version of the software, which fixed the security issues, in 2013. All sales of the older version of the software ended by September 2014, the company said.