The public WiFi network of any hotel, coffee shop or similar business should be expected to have some basic WiFi security elements in place. It should have a firewall that separates the devices and internet traffic of guests from each other, and often it will have some automated security elements in place that disconnect the sessions of users who appear to be trying to circumvent it.
The network that WeWork has been running since it was founded in 2010 appears to have never had these fundamental WiFi security elements in place. The co-working company operates in the world’s biggest cities, often based in the financial districts and business centers. Its clients tend to include companies handling all sorts of sensitive financial and business information. It appears that all of that information has been sitting open to anyone with the local WeWork network password for some years now.
The WeWork public WiFi breach
The documentation of this WiFi security breach began in mid-2015, when MMI Broadcasting moved into a workspace in one of WeWork’s Manhattan locations. Founder Teemu Airamo immediately scanned the WiFi network provided to the location’s 200 tenants to make sure it was secure. What he found was the documents of his neighbors, including financial records, sitting open for anyone to grab.
Airamo claimed in an interview with CNet that he took the issue to the building manager, who indicated that they were not only aware of it but didn’t much care about it and didn’t plan on doing anything.
Airamo stuck with WeWork in spite of this, but paid out of pocket for enhanced WiFi security for his company including VPNs and his own custom encrypted router. Given that most of WeWork’s tenants do not have permanent office space in the building, the company primarily sells itself on amenities like its WiFi. WeWork offers enhanced security options such as a private VLAN, but they come with substantial added setup and ongoing monthly fees.
Airamo has periodically run checks on his office network since then, and has checked other WeWork locations in New York and in California. He claims that each time he has found private documents exposed on the devices of other tenants connected to the WiFi. He documented a number of his scans and brought them to CNet reporters to verify his claims.
The documents show that 658 devices connected to the WeWork WiFi have been exposed, from computer and phones to Internet of Things devices like smart coffee machines. Airamo found client databases, financial records, emails, scans of driver’s licenses and passports, login information for bank accounts, medical records and legal documents among other highly sensitive pieces of information.
The WiFi security issue is compounded by poor password security, highlighted by a Fast Company report in August. Anyone can pay as little as $25 to get temporary access to a WeWork space, and they’ll be given the WiFi password along with it. They may not even need to scrape up $25, however. The Fast Company and CNet reports both indicate that WeWork’s 833 locations often share the same password and do not change it frequently. Though it does not name any passwords, the Fast Company report characterizes them as “laughable” and something that is easy to guess, let alone brute force using a basic list of very common logins.
WeWork claimed they could not comment in detail on the issue due to being in a pre-IPO “quiet period”, but issued the following statement:
“WeWork takes the security and privacy of our members seriously and we are committed to protecting our members from digital and physical threats. In addition to our standard WeWork network, we offer members the option to elect various enhanced security features, such as a private VLAN, a private SSID or a dedicated end-to-end physical network stack.”
Fallout from the WeWork WiFi security hole
Given that this has been going on for years now (likely since the company launched in 2010) and at so many locations in so many global centers of business, it is safe to assume that some sort of threat actors have noticed this vulnerability and exploited it.
This means that not only are the companies renting space from a WeWork location at risk, but also any other companies that have employed them as a vendor and shared sensitive data with them. For example, Cnet reports that an insurance company from Connecticut called Axa XL had sensitive internal documents exposed in the records provided by Airamo. Axa XL has never been a WeWork tenant or client, but apparently did business with someone in Manhattan that was.
There is also no indication that WeWork has addressed the WiFi security issue at this time, so if threat actors didn’t know about it before they certainly do now.
This news broke at a very inopportune time for WeWork. The company had already opted to postpone its IPO last week due to questions about its valuation and leadership. Longtime CEO and co-founder Adam Neumann stepped down amidst questions about his personal financial involvement with the company. The company’s IPO filings also revealed that it had taken losses equal to $1.6 billion of its total $1.8 billion of revenue, most of that going to location operating expenses.
How secure is public WiFi, really?
The biggest threat to security-conscious WeWork customers is from a man-in-the-middle attack (via something like a pineapple). As Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team, points out:
“The practice of WeWork using shared WPA2 passphrases across many users in many locations is in many ways no more dangerous than working from a Starbucks or a hotel.
Unfortunately, proposed standards which have aimed at allowing devices to verify legitimate networks have not caught on. For the most part, as people connect to networks with shared passphrases, they are opening their devices up to be tricked onto a rogue wireless network where the attacker can connect to exposed file sharing services and tamper with connections to load fake web sites.
“One way to mitigate this risk is to configure devices to require a secured VPN client, but this also comes with its own risks. My recommendation for concerned WeWork customers is to setup a VPN for their own private use. There are great options available for configuring your own VPN service via algo: https://github.com/trailofbits/algo.”
Though the news coverage of the WeWork incident tends to phrase things as if all internet traffic and device contents were automatically visible over the network, that isn’t how things work. Computers and devices nearly always able you to restrict access from other devices on the local network; for example, the more recent versions of Windows automatically prompt you to enable or disable sharing when connecting to new networks. And internet traffic would be encrypted and relatively secure (exposing only which addresses are visited and when) if conducted over https:// connections.
The amount of devices with exposed files that Airamo found can probably be chalked up to a combination of WeWork clients leaving their devices open on the network for inter-office sharing, and misplaced trust in an office system that they assumed to be secure. This is not to say that WeWork should be let off the hook; it’s fair for their customers to assume that their WiFi security is at least at the level of the average chain hotel or coffee shop, and in an office clients should be expected to have a need to share files locally. It’s also quite fair to question why they offer members the option of premium security products while the standard WeWork network is left virtually unsecured.