Hacker News

iamnothere today at 4:19 PM (5 replies)

Many businesses and universities, and likely some government offices, rely on client isolation for segmenting their networks. It’s a big deal.


Replies

eqvinox today at 4:39 PM

It's not a big deal because the Ars Technica summarisation is wrong. You can (and enterprise controllers do in fact) tie IPs and MACs to association IDs (8bit number per client+BSS) and thus prevent this kind of spoofing. I haven't had time to read the paper yet to check what it says on this.

Also client isolation is not considered "needed" in home/SOHO networks because this kind of attack is kinda assumed out of scope; it's not even tried to address this. "If you give people access to your wifi, they can fuck with your wifi devices." This should probably be communicated more clearly, but any claims on this attack re. home networks are junk.

john_strinlai today at 4:26 PM

you are definitely correct that it is potentially a big deal because it breaks expectation around network segmentation and isolation

however, most people will read "breaks wi-fi encryption" and assume that it means that someone can launch this attack while wardriving, which they can't.

_bernd today at 6:16 PM

In addition to eqvinox (hey again): In enterprise networks you should rely on 802.1X or, what's also a valid use case, the use of IPsec to ensure the local client connection is "safe".

athrowaway3z today at 4:31 PM

Meh. The number of computers that:

- must not be accessible because their services don't use authentication/encryption

- and share a wifi with potential attackers

is just not that large.

They exist, but the vast majority runs in places that don't care about security all that much.

This should be a signal to fix the two things I mention, not to improve their wifi/firewall security.

jeffbee today at 4:37 PM

Anyone who relies on client isolation was just waiting to get pwned anyway.
