WeWork wifi security exposing tenants’ documents

Highly-sensitive information could be accessed by anyone with a day pass.
20 September 2019

Welcome to the ‘data buffet? Source: Shutterstock

The co-working model, as popular as it’s becoming has its pros and cons. 

On the one hand, it might save your business money and foster ‘collaboration’, on the other, it might leave all your company’s highly-sensitive data laying bear, ripe for the picking. 

That has reportedly been the case with WeWork, which— following a rocky month having pushed back its IPO over questions around its proposed value— has been discovered to have been inadvertently exposing hundreds of connected devices on its network.

The investigation by CNET at one of the co-working space’s Manhatten branches found an “astronomical amount” of private data, including emails, financial records, client databases, ID scans, individual’s bank accounts details— in other words, more or less any sensitive data a company is likely to keep. 

According to the head of digital media company Viveca Media, Teemu Airamo, who discovered the issue as a result of due diligence on moving his business into the WeWork outlet, the security flaw has been present for several years despite being repeatedly flagged. 

While there are no ill intentions by the firm, just a big dose of negligence, the investigation revealed an ongoing vulnerability that could have given bad actors access to potentially lucrative data— particularly given that WeWork’s workspace can be accessed by anyone on a day pass.  

“There are happenings of all kinds in the building, financial companies, companies left and right in different industries,” Airamo told CNET. “We have, inside this building, a number of financial companies, we have legal companies, and we have some random telemarketers.”

According to the report, two loan companies in the Manhatten branch had bank account information exposed over the wifi network. 

Responding to the news, WeWork said that it “takes the security and privacy of our members seriously,” and is committed to protecting members from digital threats; it offers members “enhanced security features” such as private VLAN, private SSID, or dedicated end-to-end physical network stack.

However, CNET noted that these additional options come at a fairly hefty cost, with private VLAN comprising a monthly fee of $95 in addition to a setup fee of $250. 

Commenting on the news, Senior Security Strategist at Synopsys, Jonathan Knudsen, told TechHQ that the security vulnerability, while an oversight by WeWork, is also an error on the part of its customers to assume that upstream organizations and providers will “take care of security.” 

“Every organization uses a complex supply of software, hardware, and supplies to run their business, but ultimately each organization must take control of its own risk.

“Users must realize that shared Wi-Fi networks do very little in the way of assurance about confidentiality. Standard controls such as VPNs or always-TLS connections can help mitigate risk, just as using these same controls on the open internet helps reduce risk.

“Without a security initiative in place, your organization’s risk depends on vendors, suppliers, and the vicissitudes of fate.”