Any decent sniffer (e.g. airsnort) can immediately identify all associations between all WiFi/Bluetooth devices. DD-WRT (router firmware/OS) has this WiFi-associations detector built-in ("local WiFi map"). There is no need to attempt any sort of hack — associations are publicly-broadcast information.
Then, just pick any authorized MAC and duplicate as your own.
It's not just a guess.
The MAC addresses of all the Wi-Fi clients are broadcasted in plain radio format all over the 2.4GHz. It is trivial.
It's in management frames that you can sniff.
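To make the point above concrete, here is an added example (not code from any commenter) that decodes the plaintext 802.11 MAC header and lists client/BSSID pairs from association requests alone; the addresses are constructed sample values, not captured traffic. It also shows that even a PMF-protected frame (Protected Frame bit set) still carries its addresses in the clear.

```python
import struct

# Management-frame subtype values from the 802.11 frame control field.
MGMT_SUBTYPES = {0: "association-request", 4: "probe-request", 8: "beacon",
                 10: "disassociation", 12: "deauthentication"}
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mac_header(frame):
    """Decode the 24-byte 802.11 MAC header. This header is never encrypted
    (PMF protects the body of certain management frames, not the addresses),
    so receiver, transmitter and BSSID are readable by any radio on the channel."""
    if len(frame) < 24:
        raise ValueError("frame too short for a full MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    return {
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else str(subtype),
        "protected": bool(fc & 0x4000),   # Protected Frame bit (bit 14)
        "receiver": mac_str(frame[4:10]),
        "transmitter": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": seq_ctrl >> 4,              # fragment number lives in the low 4 bits
    }


def build_mgmt_frame(subtype, addr1, addr2, addr3, protected=False, seq=0):
    """Construct a management frame header (sample data, not captured traffic)."""
    fc = (subtype << 4) | (0x4000 if protected else 0)
    return struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4)


def associations(frames):
    """Return {client: bssid} pairs visible from association requests alone,
    i.e. what a 'local WiFi map' can learn with no key material at all."""
    seen = {}
    for frame in frames:
        hdr = parse_mac_header(frame)
        if hdr["type"] == "management" and hdr["subtype"] == "association-request":
            seen[hdr["transmitter"]] = hdr["bssid"]
    return seen


# Constructed, locally-administered addresses (02:...) for the demo.
CLIENT = bytes.fromhex("020000000001")
AP = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_mgmt_frame(0, AP, CLIENT, AP, seq=7),                   # client associates
    build_mgmt_frame(12, CLIENT, AP, AP, protected=True, seq=8),  # PMF-protected deauth
]
```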
Does wpa3 pmf fix this particular issue?
This isn't considered "broken" — it's part of how WiFi works/associates.