Current "best practice" recommendations for enterprise wireless deployments suggest the use of VPNs from a wireless client for both authentication and privacy. In this paper, we demonstrate a security issue with such deployments, which we refer to as the hidden wireless router vulnerability. This vulnerability is inherent in the VPN-based wireless LAN architecture, and leads to unsuspecting clients becoming conduits for an attack, exploiting features readily available in popular operating systems like Windows(TM) and Linux. We describe the attack scenario, and possible solutions for, both detecting and locating such hidden wireless routers. Our solutions include a range of possibilities stretching from purely passive to active probing methods, and Access Point-based solutions. We describe our techniques and results of our implementation and experiments.
