Hole 196

[Andriy Tkachuk]

Hello folks.

Did you hear about this Hole 196? Here -
http://www.networkworld.com/newsletters/wireless/2010/072610wireless1.html

I tried to understand something from it, but sorry - failed. Maybe
someone of you could enlighten what it could be?

In short, they exploit the nature of GTK which does not have protection
against spoofing and data forgery (as it is stated in the note at the
bottom of 196 page in standard). Legally authenticated (but evil) client
begins to forge the group frames as from the AP into the air, but I
don't understand what it may gain from this? How it can get clients PTKs
with this (as they state in the article)? Any idea?

Thank you,
    Andriy