by titzer 2309 days ago
What I gathered from my quick scan of their PDF:

An attacker can trigger a dissociation between the device and the access point. The dissociation causes the device to zero its temporary encryption key called the TK (transient key), which is the key used to encrypt traffic between the device and the access point. Unfortunately, some data frames still on the device could then be encrypted with this zero key and sent anyway. Because the key is known to be zero, the attacker can decrypt these few data frames (a couple of kilobytes) trivially. Since the attacker can trigger this at will, they can leak an unbounded amount of data.

It's essentially a race condition in hardware between clearing keys and finishing sending off the last few packets inside the transmission buffer. Nasty!

This is going to require you to patch your firmware.


The fact that an attacker can cause dissociation is a separate vulnerability slash wifi design decision. Detecting active attackers doing exactly that is in fact a (literal) textbook example of what a statistical IDS does. The question of what exactly you are going to do if you detect such an attacker is, unfortunately, another matter.

Edit to add: this vulnerability essentially upgrades a class of well-known DoS attacks against WiFi networks to potential data exfiltration. On the other hand, I feel that intentionally exploiting this combination for data exfiltration by actively causing disassociations is not exactly a practical attack, because you are going to cause significant disruption to the operation of the network, i.e. the target users are just going to give up and complain that the network is broken.
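The "textbook statistical IDS" check the comment above refers to, as an added example that is not part of the thread: a sliding-window counter over 802.11 management-frame events that flags a (BSSID, client) pair when it sees an unusual burst of disassociation or deauthentication frames, which is exactly the trigger the top comment describes. The log-line format (`timestamp subtype bssid client`) and the sample events are constructed for this example and are not taken from any real capture tool; in practice the events would come from a monitor-mode capture or the AP controller's own logs.

```python
"""Sliding-window detector for 802.11 disassociation/deauthentication bursts.

Added example, not from the thread. Events are pre-parsed management frames
in a constructed text format: "<ts_seconds> <subtype> <bssid> <client_mac>".
A client roaming normally disassociates rarely; a client being repeatedly
kicked off the AP shows up as many disassoc/deauth frames for the same
(bssid, client) pair inside a short window.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# 802.11 management-frame subtypes that tear down an association.
TEARDOWN_SUBTYPES = {"disassoc", "deauth"}


@dataclass(frozen=True)
class MgmtEvent:
    ts: float      # seconds since capture start
    subtype: str   # "assoc", "disassoc", "deauth", ...
    bssid: str
    client: str


def parse_line(line: str) -> MgmtEvent:
    """Parse one constructed log line: 'ts subtype bssid client'."""
    ts, subtype, bssid, client = line.split()
    return MgmtEvent(float(ts), subtype, bssid.lower(), client.lower())


class DisassocBurstDetector:
    """Alert once per (bssid, client) when teardown frames within
    `window_s` seconds reach `threshold`."""

    def __init__(self, window_s: float = 60.0, threshold: int = 5):
        self.window_s = window_s
        self.threshold = threshold
        self._times = defaultdict(deque)   # (bssid, client) -> timestamps
        self._alerted = set()

    def feed(self, ev: MgmtEvent):
        """Return an alert dict if this event crosses the threshold, else None."""
        if ev.subtype not in TEARDOWN_SUBTYPES:
            return None
        key = (ev.bssid, ev.client)
        q = self._times[key]
        q.append(ev.ts)
        # Drop timestamps that fell out of the sliding window.
        while q and ev.ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return {
                "bssid": ev.bssid,
                "client": ev.client,
                "count": len(q),
                "window_s": self.window_s,
                "last_ts": ev.ts,
            }
        return None


def scan(lines, window_s: float = 60.0, threshold: int = 5):
    """Run the detector over an iterable of log lines; return the alerts."""
    det = DisassocBurstDetector(window_s, threshold)
    alerts = []
    for line in lines:
        alert = det.feed(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one client roams normally, another is deauthenticated
# five times in 24 seconds.
SAMPLE_LOG = [
    "0.0 assoc aa:bb:cc:00:00:01 11:22:33:44:55:66",
    "10.0 disassoc aa:bb:cc:00:00:01 11:22:33:44:55:66",
    "12.0 assoc aa:bb:cc:00:00:01 11:22:33:44:55:66",
    "100.0 deauth aa:bb:cc:00:00:01 de:ad:be:ef:00:01",
    "105.0 assoc aa:bb:cc:00:00:01 de:ad:be:ef:00:01",
    "106.0 deauth aa:bb:cc:00:00:01 de:ad:be:ef:00:01",
    "111.0 assoc aa:bb:cc:00:00:01 de:ad:be:ef:00:01",
    "112.0 deauth aa:bb:cc:00:00:01 de:ad:be:ef:00:01",
    "118.0 deauth aa:bb:cc:00:00:01 de:ad:be:ef:00:01",
    "124.0 deauth aa:bb:cc:00:00:01 de:ad:be:ef:00:01",
    "130.0 deauth aa:bb:cc:00:00:01 de:ad:be:ef:00:01",
    "3600.0 disassoc aa:bb:cc:00:00:01 11:22:33:44:55:66",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT bssid={a['bssid']} client={a['client']} "
              f"{a['count']} teardown frames in {a['window_s']}s (t={a['last_ts']})")
```

The detector only measures rate, so it cannot tell a forged deauth from a legitimate one; that is the point of the comment's "what you do once you detect it" remark. Tune `window_s` and `threshold` against a baseline of normal roaming for the network, and note that an AP enforcing Protected Management Frames (802.11w) removes the unauthenticated teardown trigger in the first place.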