“Technology is at the foundation of our global platform,” declares the We Company, parent of coworking behemoth WeWork, in the prospectus for its upcoming IPO. With a valuation of $47 billon, the company is certainly priced like a tech giant. And it has lofty visions of using a bevy of sensors, proprietary software, and big data to revolutionize work in ways that go far beyond the mundane business of renting office space to startups.
But the Wi-Fi technology that WeWork provides to its members is based on a shaky foundation, combining dated security tech with an easy-to-guess password shared at locations across the U.S. and abroad. No, we won’t tell you what that password is. But WeWork chose one that has regularly appeared on lists of the worst passwords that anyone can possibly choose.
Newer versions of Wi-Fi security include encryption and authentication safeguards that make the quality of a password less important. WeWork, however, uses a version without these safeguards, originally designed for home Wi-Fi networks and called WPA2 Personal. That’s a dangerous scenario, according to the Wi-Fi Alliance, the body that oversees development and implementation of Wi-Fi standards. “Possession of the password for a WPA2 network provides the added ability to decrypt traffic from any client within range,” writes the Wi-Fi Alliance in an email to Fast Company.
Not only is WeWork’s password easy to guess, but people who know it—including former WeWork customers—can use it at multiple WeWorks in the We Company’s 528-location global network. That makes WeWork’s Wi-Fi nearly as vulnerable to hackers as an open network with no password at all.
A weak, broadly shared password poses a further danger to WeWork clients by facilitating “man-in-the-middle” attacks, according to the Wi-Fi Alliance. A hacker could set up an imposter Wi-Fi network with the same name, “WeWork,” and that same password. WeWork members who inadvertently connected to this imposter network would give the hacker access to their data stream. The fake network could also redirect members to phishing sites, like faux versions of Gmail or a bank, to harvest information like usernames and passwords, as well as the browser cookies used to auto-log them into multiple sites. (Fast Company has no evidence that any attacks have occurred at WeWork locations.)
From San Francisco to London
Fast Company spot-checked seven WeWork locations in downtown San Francisco, including our own satellite office space at a WeWork in the SOMA neighborhood. They all use the same weak password and WPA2 Personal security. WeWork clients we contacted have reported the same scenario in recent weeks in at least one location each in Los Angeles and near Washington, D.C. Based on passwords saved to their computer or phone from earlier visits to other locations, clients report that the same password has been used at one or more locations in New York City, Chicago, Palo Alto, Austin, and London within the past year. No WeWork member we contacted reported any other passwords in use.
We don’t know if the same password and security tech are used at every WeWork location. A spokesperson declined to answer that question or say how long its weak Wi-Fi password has been in use, citing the quiet period before the We Company’s IPO. But the password has been in use at our San Francisco WeWork since at least March 2017, when we moved in.
If you tried to guess that password, you might well land on it within a few tries. An even easier way to break in would be to use a free password-cracking program like hashcat, says Nate Landon, CEO of Digital Operatives, a security research and engineering firm for private and government clients, including DARPA. These programs automate repeated login attempts using either “brute force” guessing or freely available lists of common and compromised passwords. (For instance, we found WeWork’s choice of Wi-Fi password on a popular list called “rockyou.”)
Landon saw the problem firsthand when his company moved into a WeWork in Tysons Corner, Virginia, in October 2018. As a test, he set up a dummy version of WeWork’s Wi-Fi setup—far from any WeWork offices—and used automated tools to gain access to his test network. “The password cracking took like five seconds,” he says.
Good and bad news
Low-quality Wi-Fi passwords are less dangerous than they once were, thanks to widespread use of encrypted website connections at URLs beginning with “https.” Even if miscreants hop on the WeWork Wi-Fi, they can’t see encrypted data exchanges with the cloud services—like Gmail, Dropbox, Slack, and Salesforce—used by many businesses.
But such encryption doesn’t necessarily protect against man-in-the-middle attacks, in which an imposter network directs users to phishing sites. (Modern browsers may alert the user if the site they are going to appears questionable, but there are also programs that trick browsers into connecting to bogus or insecure sites.) The fact that WeWork uses an easy-to-crack password would ease the work of a bad guy hoping to launch such an attack.
Whether on an imposter network or a genuine (but insecure) one, WeWork members would be vulnerable to dangers beyond skimming web traffic, such as theft of shared files and folders, or even a complete system takeover, says Landon. He gives as a recent example a Windows vulnerability dubbed BlueKeep, which exploits a Windows PC’s remote-access capability.
Landon contacted WeWork’s IT services about the weak Wi-Fi security shortly after Digital Operatives moved into the Tysons Corner location. According to his blog post recounting the interaction, WeWork’s first response was to offer an upsell to a private, secure wireless office network for $195 per month, plus a $250 setup fee.
WeWork expressed a similar message in a statement provided to Fast Company:
WeWork takes the security and privacy of our members seriously and we are committed to protecting our members from digital and physical threats. In addition to our standard WeWork network, we offer members the option to elect various enhanced security features, such as a private VLAN, a private SSID, or a dedicated end-to-end physical network stack.
Those network upgrades would suffice, “as long as you trust that WeWork was going to set that up securely,” says Landon. “I don’t trust that they would do it in a secure manner,” he adds, given WeWork’s track record with its main Wi-Fi network.
When pressed on the issue of security for everyone else, WeWork informed Landon that it planned to introduce a technology called 802.1x to its main Wi-Fi network. The tech verifies the identity of users by asking for additional information unique to them.
Last October, WeWork told Landon that the 802.1x rollout was planned for early 2019, but it still hasn’t been implemented. According to a person familiar with WeWork’s plans, the current goal is to deploy it in the first quarter of 2020.
Locking it down
Even with its current Wi-Fi setup, WeWork could improve security by picking harder-to-guess passwords and using a different password for each location. Periodically changing passwords would also be a good practice. Beyond using better password hygiene, the Wi-Fi Alliance recommends upgrading to new business security standards. WPA3-Enterprise, for instance, drastically slows down the ability of an automated cracker app like hashcat to make rapid, unlimited password guesses.
What can WeWork customers do now to improve security? Digital Operatives’ Landon simply brought his own Wi-Fi routers and plugged them into WeWork’s wired network. That allows the company to use better passwords, encryption, and authentication. It also uses virtual private network (VPN) software, which encrypts all the traffic passing through WeWork’s entire network.
Related: Why you should use a VPN
WeWork clients that don’t rent an office can simply install VPN software on their computers, phones, and tablets. VPN subscriptions run about $3 to $13 per month. (Free offerings may provide limited bandwidth, and some have been known to harvest user data.) There is a baffling selection out there, but CNet has a thorough roundup.
No matter how secure your work Wi-Fi, getting a VPN shields you on other networks with less-than-stellar security—of which there are a great many. It also protects you from snooping ISPs, advertisers, and governments.
Ultimately, we’re all responsible for safeguarding our own security. But the We Company could make the steps it takes to protect WeWork’s networks into a selling point rather than a reason for concern. Its widely panned IPO filing proclaims, “Philosophically, we believe in bringing comfort and happiness to the workplace.” Giving its customers confidence that it isn’t unnecessarily putting their data at risk would be a fine way to fulfill that goal.