Fresh reports have uncovered how poorly-protected shared WiFi networks provided by shared workspace company WeWork leaked an “astronomical amount” of private data as well as sensitive company information to third parties.
WeWork offers shared workspaces to established companies, startups, and sole proprietors in 125 cities around the world, allowing them to save occupancy cost and enjoy various advantages such as high-quality workspaces, cost-sharing, and shared WiFi networks.
However, Teemu Airamo, who has been working at a WeWork location in Manhattan for years, recently told CNET that the shared WiFi network provided by the company in his building is so poorly secured that by running a security scan on the building's Wi-Fi network, he has been able to view financial records and devices owned by hundreds of companies that also use the network.
"There's happenings of all kinds in the building, financial companies, companies left and right in different industries. We have, inside this building, a number of financial companies, we have legal companies, and we have some random telemarketers," he said.
Airamo said that WeWork has not strengthened the security of the WiFi network in the past four years even though he raised the issue with the WeWork community manager and made multiple attempts to contact the company.
According to CNET, a security scan of the WiFi network at Airamo's building in Manhattan's Financial District hub reveals not only financial records, business transactions, client databases and emails from companies, but also "658 devices, including computers, servers and coffee machines" owned by such companies.
WeWork charges extra for providing baseline security in WiFi networks
When contacted, a WeWork spokeswoman said that the company offers all of its members the option to elect various enhanced security features, such as a private VLAN, a private SSID or a dedicated end-to-end physical network stack in addition to the standard WeWork network.
However, all of these security features are not available for free for companies that set up shop in WeWork's locations. For example, a Private VLAN offered by the company costs $95 per month (£76.73), a private office network costs $195 per month (£157.50), and the company also charges a one-time fee of $250 ( £202) for setting up Private VLAN, Static IP, and Managed Switch.
While Mike Spicer, chief technology officer at MerchGo, said that WeWork should provide "a baseline level of security included in the package", Jonathan Knudsen, senior security strategist at Synopsys, told TEISS that while many organisations rely on upstream organisations and providers to "take care of security", ultimately each organisation must take control of their own risk.
"Users must realise that shared Wi-Fi networks do very little in the way of assurance about confidentiality. Standard controls such as VPNs or always-TLS connections can help mitigate risk, just as using these same controls on the open internet helps reduce risk.
"Organisations should be proactive in defining and implementing a software security strategy. It's surprisingly easy to get started. Without a security initiative in place, your organisation's risk depends on vendors, suppliers, and the vicissitudes of fate," he added.
Tony Pepper, CEO of software security solutions provider Egress, told Verdict that real-estate-as-a-service doesn’t automatically give strong IT-security-as-a-service and start-ups need to appreciate that universally shared networks just aren’t secure let alone compliant to the myriad of data handling regulations they face.
"The risks of leakage files, emails, intellectual property, HR data, and customer data that are easily exploited in the wrong hands is huge," he added.