What’s the impact of sending fake probe packets? Will a device table in the AP overflow? What’s the usual behaviour then?
Do tracking systems even operate like typical APs? Or is it just dumping packets into a log file? I don’t see any mention of actually testing this against a real tracking system and measuring the effect.
Indeed that would make more sense. The evaluation is done in a central place anyway. So maybe it is just a long trail of time series data and something else extracts movement patterns or similar from that.
Nothing out of the ordinary should happen, unless the AP has implementation bugs.
OpenBSD had a bug a long time ago where the “node cache” (which you call device table) was never cleared once full. It eventually stopped accepting new clients.
Back in the day you could crash APs this way, since they figured there would never be more than e.g. 1024 devices in range in a given window and didn’t do bounds checking. But this has been known for many years, so I hope most APs now have the “correct” behavior, which is usually just to drop devices in LRU order. You can still probably boot legitimate users from the network, but there are other, easier ways to do that.
In similar vein https://ahprojects.com/projects/skylift/