I know, this is an old topic... Not as new as the WPS implementation flaw, but still interesting!
As far as I have understood, this vulnerability lets an insider (someone who has the right creds) encrypt broadcast/multicast packets with the common GTK, bypassing all the controls imposed by the AP/Router/IDS/IPS, and should, at least in theory, permit ARP poisoning in a very stealthy way (and so many other things you can imagine).

Since I haven't found any tool implementing this, has anyone done some research on this topic? Have you found or done something?

If no tool exists, it would be so much fun trying to create something!

