“Technology is at the foundation of our global platform,” declares the We Company, parent of coworking behemoth WeWork, in the prospectus for its upcoming IPO. With a valuation of $47 billion, the company is certainly priced like a tech giant. And it has lofty visions of using a bevy of sensors, proprietary software, and big data to revolutionize work in ways that go far beyond the mundane business of renting office space to startups.
But the Wi-Fi technology that WeWork provides to its members is based on a shaky foundation, combining dated security tech with an easy-to-guess password shared at locations across the U.S. and abroad. No, we won’t tell you what that password is. But WeWork chose one that has regularly appeared on lists of the worst passwords that anyone can possibly choose.
Newer versions of Wi-Fi security include encryption and authentication safeguards that make the quality of a password less important. WeWork, however, uses a version without these safeguards, originally designed for home Wi-Fi networks and called WPA2 Personal. That’s a dangerous scenario, according to the Wi-Fi Alliance, the body that oversees development and implementation of Wi-Fi standards. “Possession of the password for a WPA2 network provides the added ability to decrypt traffic from any client within range,” writes the Wi-Fi Alliance in an email to Fast Company.
Not only is WeWork’s password easy to guess, but people who know it—including former WeWork customers—can use it at multiple WeWorks in the We Company’s 528-location global network. That makes WeWork’s Wi-Fi nearly as vulnerable to hackers as an open network with no password at all.
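Why a shared WPA2 Personal password protects no one who shares it, as an added example (not part of the original article): the session key is computed from the passphrase, the network name, and handshake values that are sent unencrypted. The SSID, passphrase, MAC addresses and nonces below are constructed, and the random per-user key is a simplified stand-in for per-user authentication such as WPA2 Enterprise.

```python
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"

def derive_pmk(passphrase, ssid):
    # WPA2 Personal: the master key depends only on the passphrase and the network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk, hs, length=48):
    # IEEE 802.11 PRF (HMAC-SHA1) over the MAC addresses and nonces, all of
    # which cross the air in the clear during the 4-way handshake.
    data = (min(hs["ap_mac"], hs["sta_mac"]) + max(hs["ap_mac"], hs["sta_mac"])
            + min(hs["anonce"], hs["snonce"]) + max(hs["anonce"], hs["snonce"]))
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(pmk, LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]

def temporal_key(pmk, hs):
    # Last 16 bytes of the 48-byte PTK: the key that encrypts the member's data frames.
    return derive_ptk(pmk, hs)[32:48]

# Constructed sample values, not taken from any real network.
SSID = "ExampleCowork"
SHARED_PASSPHRASE = "constructed-shared-passphrase"
HANDSHAKE = {
    "ap_mac": bytes.fromhex("020000000001"),
    "sta_mac": bytes.fromhex("020000000002"),
    "anonce": bytes(range(32)),
    "snonce": bytes(range(32, 64)),
}

def compare():
    member = temporal_key(derive_pmk(SHARED_PASSPHRASE, SSID), HANDSHAKE)
    # Any other holder of the passphrase starts from the same two inputs.
    other_holder = temporal_key(derive_pmk(SHARED_PASSPHRASE, SSID), HANDSHAKE)
    # Stand-in for per-user authentication: the master key comes from the
    # user's own login exchange, so the shared passphrase does not yield it.
    per_user = temporal_key(os.urandom(32), HANDSHAKE)
    return {"shared_passphrase_key_matches": member == other_holder,
            "per_user_key_matches": per_user == other_holder}

if __name__ == "__main__":
    print(compare())
```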
A weak, broadly shared password poses a further danger to WeWork clients by facilitating “man-in-the-middle” attacks, according to the Wi-Fi Alliance. A hacker could set up an imposter Wi-Fi network with the same name, “WeWork,” and that same password. WeWork members who inadvertently connected to this imposter network would give the hacker access to their data stream. The fake network could also redirect members to phishing sites, like faux versions of Gmail or a bank, to harvest information like usernames and passwords, as well as the browser cookies used to auto-log them into multiple sites. (Fast Company has no evidence that any attacks have occurred at WeWork locations.)