Interesting!

That said, isn't it the same kind of attack that a malicious router (on the route between the sender and the receiver) could run, i.e., exploiting a plaintext connection?

It feels like using an encrypted connection like HTTPS prevents it, right?

If my understanding is correct, it means you can't really use unencrypted protocols even within an intranet or home network when it is WiFi-based, which is kind of a pain because of certificates, and because, for example, DNS is typically unencrypted.
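To make the "DNS is typically unencrypted" point concrete: the following is an added example, not code from the thread or from the MacStealer project. It parses the question section of a constructed plaintext DNS query (the hostname `printer.home.lan` and the transaction ID are made up) exactly as a peer on the same WiFi segment could after defeating client isolation: no key material is needed, the queried name is sitting in the UDP payload. The compression-pointer handling is included because real responses use it and a parser that ignores it breaks on them.

```python
import struct

# Constructed sample (not a real capture): a plaintext DNS query for
# "printer.home.lan", type A, class IN, as it travels in a UDP/53 datagram.
SAMPLE_QUERY = (
    b"\x1a\x2b"                      # transaction ID (arbitrary)
    b"\x01\x00"                      # flags: standard query, recursion desired
    b"\x00\x01"                      # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"      # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07printer\x04home\x03lan\x00"  # QNAME as length-prefixed labels
    b"\x00\x01"                      # QTYPE = A
    b"\x00\x01"                      # QCLASS = IN
)

def read_name(msg, offset):
    """Decode the DNS name at `offset`, following RFC 1035 compression
    pointers (0xC0xx). Returns (dotted_name, offset_after_name), where the
    offset is measured in the original stream, not at the pointer target."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            # Compression pointer: low 14 bits are an offset into the message.
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2       # the name occupies only the 2 pointer bytes
            jumped = True
            offset = pointer
            hops += 1
            if hops > 128:             # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end

def parse_questions(msg):
    """Return [(qname, qtype, qclass), ...] from the question section of a
    DNS message. This is everything a passive observer needs to learn which
    hosts a client is looking up."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions

if __name__ == "__main__":
    for name, qtype, qclass in parse_questions(SAMPLE_QUERY):
        print(f"client is resolving {name} (type={qtype}, class={qclass})")
```

Running it prints the looked-up hostname straight from the bytes; with DNS over TLS or HTTPS the same observer would see only an encrypted stream to the resolver, which is the practical difference the comment above is getting at.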

This attack does require bypassing some network security already. It defeats client isolation but the attacker does need to be on the WiFi network already (according to https://github.com/vanhoefm/macstealer).

AP isolation is usually off for all but big hotspots in my experience. This will be a problem for people using AP isolation to prevent their IoT devices from connecting to other devices on their network (assuming their IoT devices are malicious), but other than that the risk seems to be mostly with professional/corporate networks.