A lack of security on WeWork‘s WiFi network has left sensitive user data exposed.
In August, Fast Company revealed that WeWork had used the same WiFi password at many of its rentable shared co-working spaces for years, a password that appears in plain text on WeWork’s app.
The security of the real estate company’s WiFi came under further criticism yesterday when CNET reported that the network’s poor security had left sensitive data of WeWork users exposed.
Evidence of the exposure was provided by Teemu Airamo, who has been routinely running security scans on WeWork’s WiFi network since May 2015. Airamo’s scans, which were reviewed by CNET, show nearly 700 devices, including servers, computers, and connected appliances, leaking bank account credentials, email addresses, ID scans, and client databases, among other data.
Airamo said that multiple attempts made by him to alert WeWork’s upper management to the security problem were met with indifference.
WeWork has around 527,000 members renting out its 833 spaces in 125 cities around the world. The company filed for an initial public offering (IPO) in 2018. However, earlier this week the IPO was postponed until the end of the year after the company’s reported valuation fell from $47 billion to under $20 billion.
A spokesperson for WeWork said: “WeWork takes the security and privacy of our members seriously, and we are committed to protecting our members from digital and physical threats. In addition to our standard WeWork network, we offer members the option to elect various enhanced security features, such as a private VLAN, a private SSID, or a dedicated end-to-end physical network stack.
“We are in a quiet period and can’t comment beyond this statement.”
Commenting on this report, Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team, said: “For the most part, as people connect to networks with shared passphrases, they are opening their devices up to be tricked onto a rogue wireless network where the attacker can connect to exposed file sharing services and tamper with connections to load fake websites.
“My recommendation for concerned WeWork customers is to set up a VPN for their own private use.”
Source: Infosecurity Magazine