August 2nd, 2019


Whistleblower uses False Claims Act to expose security flaw in Cisco software

Congratulations to whistleblower James Glenn (my former client) who helped expose a serious security flaw with Cisco’s video surveillance and management software.  Kudos to my old colleagues at Constantine Cannon, Phillips & Cohen and Personius Melber as well.

James blows the whistle

James is a brilliant, modest, honest and thoughtful guy who discovered the problem with Cisco’s software, reported it to the company, tried to get them to (and help them to) take action and wound up fired (total coincidence, I’m sure…). He was not deterred, though.  He reported the problem to the FBI, and then to the Department of Justice using the False Claims Act (see the complaint he filed here).

The False Claims Act Case

One of the key features of the False Claims Act is that it allows whistleblowers to file a case in federal or state court and go forward fighting the fraud even if the Government shows no interest – a much better prospect than simply submitting a tip to a faceless fraud hotline (although sometimes that’s a good approach too).

In this case, though, the Government was very interested.  After a serious investigation by the Department of Justice, the US Attorney’s office in Buffalo, the State of New York and 18 other states, Cisco settled for $8.6 million. James stands to gain 15 to 25% of that – thanks to the qui tam provisions of the False Claims Act.

The Flaw in Cisco’s Software

The security vulnerability James identified would reportedly let hackers with just a moderate skill level take over not only the system running the video surveillance software, but also the underlying networks and systems hosting or connected to the video system.  In my own, non-techie way, I imagine a hacker exploiting the vulnerability could look something like this (spoiler: it’s the traffic camera hack scene from the movie “The Italian Job”).

Cisco should have been particularly sensitive to the risks of this sort of vulnerability. In 2001, Cisco’s own network was hit by a virus due to vulnerabilities created by the flawed implementation of a digital camera / video management system.

Cisco’s Response

In its press responses, Cisco has argued “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.”

Fair enough.  But the point is, with this sort of vulnerability, you might never learn that your system was hacked. With the type of access this flaw made available, a hacker could delete logs, change files, and otherwise cover their tracks. So the fact that exploitation has not been reported does not mean it didn’t happen.

Purple Tunnel of Doom

Reportedly (by Cisco itself) the flawed Cisco software was used during President Obama’s January 20, 2009 inauguration. Which makes me wonder: Was all that time I spent stuck in the #purpletunnelofdoom the product of some crafty hacker’s prank?