Hacker News
by evgen 3170 days ago
Also worth noting that the attack in the OP is on TKIP, but the KRACK attack that will be revealed tomorrow is based upon problems with the RNG (the example RNG, which apparently everyone used, is trivial to break and the protocol is also kind enough to provide you with a huge chunk of the entropy used in seeding the RNG. D'oh!)

This comment should be made the top comment. Thanks for the information.

I guess this implies not "only" passive eavesdropping but also network access in environments without a MAC address filter (not that these can't be spoofed regardless)?

Spoofed, yes, but they're hard to guess in advance without prior knowledge of the device's MAC address.
MAC addresses are broadcast in the clear regularly, so any device doing that without some randomization is ripe for the picking.
Worth noting also: You cannot randomize it when connected to a Wi-Fi network.