When Teemu Airamo moved into his company’s new Manhattan office in shared workspace provider WeWork, he had one overriding priority: to run a security scan on the building’s Wi-Fi network. After all, he shared a space with more than 200 companies also co-working in the Financial District hub and didn’t want anyone snooping around.
It was May 2015, and Airamo’s digital media company was working with contracts and sensitive documents. He couldn’t afford to get hacked. So when he saw hundreds of other companies’ devices and financial records completely visible on the building’s network, Airamo was stunned.
“For me, it was pretty much, ‘Holy shit,”https://www.cnet.com/” he said. He recalled immediately going to the WeWork community manager and showing the security vulnerabilities affecting all the people in that building.
“I said, ‘Did you know that we can actually see all this?’ he recalled. “The answer was, ‘yeah, eh.”https://www.cnet.com/”
More than four years later, and multiple attempts to contact WeWork, including its upper management, nothing has changed. Airamo knows this because he routinely runs Wi-Fi scans on the WeWork network and finds financial records, business transactions, client databases and emails from companies surrounding his office.
CNET reviewed the scans, where 658 devices, including computers, servers and coffee machines were exposed on WeWork’s network, spilling out an “astronomical amount” of data.
The vulnerable nature of WeWork’s Wi-Fi security, first brought to light by a Fast Company report in August, comes at an awkward time for WeWork, which on Tuesday postponed its planned initial public offering amid investor questions about its value. It also underscores one of the downsides of the growing popularity of shared workspaces and sharing your Wi-Fi network with others.
Public Wi-Fi has always been a security concern, and it’s why people advise against going on the open networks at hotels, cafes and airports. But the stakes are much higher when it’s networks on co-working spaces like WeWork, where hundreds of businesses pay for and rely on the building’s amenities, which include internet access.
On WeWork’s website, “super-fast internet” is the first amenity listed, but security isn’t mentioned anywhere. Making matters worse, multiple locations across WeWork’s massive landscape use the exact same password for its Wi-Fi network.
“If you’re on an open network, that information could be leaking out there,” said Mike Spicer, chief technology officer at MerchGo and a security researcher who spent years monitoring open Wi-Fi networks at hacker conferences. “It’s basically open for the picking for anybody who’s in range to see that data.”
WeWork couldn’t go into details about Airamo’s complaint, citing the government-mandated quiet period around its pending IPO. But it offered up a blanket defense of its security policy.
“WeWork takes the security and privacy of our members seriously and we are committed to protecting our members from digital and physical threats,” a WeWork spokeswoman said in a statement. “In addition to our standard WeWork network, we offer members the option to elect various enhanced security features, such as a private VLAN, a private SSID or a dedicated end-to-end physical network stack.”
WeWork’s higher security measures aren’t free. The private VLAN costs an additional $95 a month with a $250 setup fee. A private office network costs $195 a month, according to the company’s website.
Critics argue that the protection should be included.
“It’s a reasonable thing to provide a person a baseline level of security included in the package,” Spicer said.
WeWork is a real estate company that has exploded in popularity by renting out shared office spaces for startups and other businesses. It has more than 833 locations in 125 cities around the world, according to its website.
The company, which filed for its IPO in 2018 and boasted a valuation of $47 billion at one point, has more than 527,000 members renting out its spaces.
It’s that shared working space that presents a security threat through its Wi-Fi network.
The password appears in plain text on WeWork’s app, as Airamo showed CNET, and it’s almost as bad as using the word “password” itself.
He also showed several WeWork locations around New York using the same password and found the same issues at offices in California.
Corporate IT security staff are always concerned about insider threats — that is, an employee in the building stealing company data. But with a co-working space like WeWork, anybody can become an insider.
While WeWork is mostly used by members, anyone can book a day pass for about $50 a day or a conference room for $25 an hour. That would be all a potential hacker needs to get in the building and the Wi-Fi password.
“There’s hundreds of people coming in and out every single day,” Airamo said.
All they would need is Wi-Fi-sniffing equipment, like a Pineapple, or software like Wireshark to gather the data. And there’s nothing on WeWork’s network security preventing that — no firewall blocking rogue activity or separating networks.
Airamo has run occasional scans on WeWork’s Wi-Fi network to see if any security measures ever changed, or if the other tenants working there used better protection methods.
Each time, he would see troves of sensitive data exposed on the network, without any safety measures beyond WeWork’s easy-to-crack password.
Airamo said that he didn’t have any ulterior motives when findings these documents but noted that it was so simple that a malicious hacker could easily do the same. He’s urging WeWork to fix these security vulnerabilities.
“We’ve approached a number of times the people at WeWork on how to actually solve this issue,” Airamo said. “The first initial community manager in 2015 completely denied flat out that this was a problem.”
Files shared on the exposed network included scans of people’s driver’s licenses, passports, job applications, bank account usernames and passwords, contracts, financial documents, lawsuits and health records.
“There’s happenings of all kinds in the building, financial companies, companies left and right in different industries,” Airamo said. “We have, inside this building, a number of financial companies, we have legal companies, and we have some random telemarketers.”
Not all the files shared on WeWork’s network are sensitive records. Airamo also saw documents like graduation photos and a birthday card with Nicolas Cage edited to look like a cat.
But for documents that are sensitive, the security issue presents a major risk for anyone working in the shared office space. It also affects companies that never stepped foot in WeWork but interacted with startups based there.
Two loan companies had sensitive documents leaked on WeWork’s Wi-Fi network, despite having their own offices in California and New York. One of the firms declined to comment, while the other firm didn’t respond to requests for comment. CNET has withheld their names as sensitive documents with bank account credentials are still exposed on WeWork’s network.
Axa XL, an insurance company based in Connecticut, also never had an office at WeWork, but it had internal documents exposed through the building’s network — likely from a startup working with the company.
“We have a rigorous vendor management program in place that includes vetting cybersecurity protocols,” Axa XL said in a statement. “Effective cyber security requires continuous improvements and we are reviewing this matter.”
Hanover Search Group, a UK-based executive recruitment company, has a branch in New York based in a WeWork facility and also had documents like curricula vitae exposed on the building’s network. The company declined to comment.
After Airamo discovered the security issues on WeWork’s Wi-Fi, he started using VPNs to keep his data safe from other potential snoops.
But there were downsides to that security measure. His company, Viveca Media, was regularly streaming songs and music videos, and the VPN considerably slowed down his internet speed. After three years of using a VPN, Airamo decided to find an alternative.
He customized a Raspberry Pi computer to route all his network traffic, and the data is authenticated through a blockchain ID. He’s published a white paper on how the encryption works but said he doesn’t intend on selling the system yet. For now, he’s focused on his media company, and the security router is just for in-house use, Airamo said.
“It’s just convenient for us, this is what we need in order to get the work done. It’s not something we actually do as a company,” he said.
If you’re working at a WeWork, you could use a VPN to keep your data safe. But if you can’t deal with slower internet, there are other potential fixes out there. The best options come from WeWork itself — if you’re willing to foot the bill.
Some hotels use wireless client isolation so its guests aren’t able to spy on every single person staying there. Essentially, it prevents people on the same Wi-Fi network from being able to see each other’s activity. WeWork is capable of providing that, but it only offers security as an additional cost. This is on top of the $720 monthly fee for a one-person office in New York.
MerchGo’s Spicer has configured client isolation before, and most of the time, it’s a pretty simple task. “Usually, it’s quite trivial with a setting in the control software to isolate client devices from intercommunicating on the local network,” he said.
WeWork could also set up firewalls to block Wi-Fi scanning activities, said Sanyam Jain, an independent security researcher and member of the GDI Foundation.
“A Wi-Fi firewall can continuously watch for rogue traffic and automatically disconnect any new access points,” Jain said. “Instead of depending on employees to use Wi-Fi safely, a Wi-Fi firewall can disrupt non-compliant sessions to prevent confidential data disclosure.”
Another easy fix would be making different passwords for each WeWork location.
The potential fixes would put the security burden on WeWork, rather than the thousands of people who use its network every day. For a young, eager startup, there’s already enough going on without worrying about the integrity of their data.
“Every co-location is minding their business,” Airamo said. “They are focusing on how to run their business, and they don’t even think that somebody else can see what they’re working on.”