WPA2 KRACK attack smacks Wi-Fi security: Fundamental crypto crapto

TRT Silver badge

I don't get how this works without the PSK...

for the pairwise transient key. That's established in Handshake 2. Replaying 3 would allow you to mess around with the group temporal key, which is for multicast and broadcast packets. So apart from the Android bug which sets the encryption key to all zeroes, this is of limited value, surely. And in the video the guy talks about not wanting the Android to connect to the genuine network, but he needs that to happen in order to capture the packet for the replay attack. The MIC proves that both parties know the PSK, so you need that. You also need to do a bit of MAC cloning too.

Or am I missing something?
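Added example, not code from the comment or the article: a stdlib-only Python model of the key-reinstallation effect behind KRACK, which goes beyond the comment's text to the nonce-reset behaviour the attack relies on. Reinstalling the same PTK after a replayed message 3 resets the packet number, so the CCMP nonce repeats and two packets share keystream; a client that treats reinstalling an already-installed key as a no-op keeps its counter and is unaffected. HMAC-SHA256 stands in for AES-CTR, and the key, packets and class names are constructed.

```python
import hmac
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: PRF(key, nonce || counter) per block. HMAC-SHA256
    # is a stand-in for AES (stdlib only); the reuse property is identical for
    # AES-CTR as used by CCMP.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CcmpLikeSender:
    """Constructed model of a station's per-key packet number (PN).
    The CCMP nonce is derived from the PN, so the PN must never repeat
    under one key."""

    def __init__(self, ptk: bytes, reinstall_resets_pn: bool):
        self.ptk, self.pn = ptk, 0
        self.reinstall_resets_pn = reinstall_resets_pn

    def install_ptk(self, ptk: bytes) -> None:
        if ptk == self.ptk and not self.reinstall_resets_pn:
            return  # hardened client: re-installing the same key is a no-op
        self.ptk, self.pn = ptk, 0  # vulnerable client: counter reset to zero

    def encrypt(self, plaintext: bytes):
        nonce = self.pn.to_bytes(6, "big")  # simplified: PN only, no addr/flags
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def keystream_reuse_leak(reinstall_resets_pn: bool):
    """Returns (nonce_repeated, second_plaintext_recovered_from_first)."""
    ptk = b"constructed-ptk-32-bytes........"  # constructed sample key
    sta = CcmpLikeSender(ptk, reinstall_resets_pn)
    p1 = b"GET /login HTTP/1.1   "  # constructed, assumed known to an observer
    p2 = b"secret-session-cookie "  # constructed, same length as p1
    n1, c1 = sta.encrypt(p1)
    sta.install_ptk(ptk)  # replayed handshake message 3 -> same PTK installed again
    n2, c2 = sta.encrypt(p2)
    same_nonce = n1 == n2
    # With a repeated nonce, c1 ^ c2 == p1 ^ p2, so known p1 yields p2 outright.
    recovered = xor(xor(c1, c2), p1) if same_nonce else None
    return same_nonce, recovered
```

The detection-side takeaway is that the PSK is never recovered; the leak comes purely from the repeated nonce, which is why the fix is a client that refuses to reset its counter on a duplicate install.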
