Abusing Wi-Fi to localize someone's devices inside their room. Attacker spoofs beacons to pretend there's buffered traffic for all clients. Every clients will request this traffic and thereby reveal their MAC address. Fake frames are sent to the victim and the time-of-flight of the response (here the response is an acknowledgement frame) is used for localization

Free PDF access: https://randompaper1234.tiiny.site/
Official paper website: https://dl.acm.org/doi/abs/10.1145/3495243.3560530

This can be done from cheap drones. They used an ultra-light DJI mini 2 drone with two lightweight Wi-Fi chips: an ESP8266 & ESP32. Idea is that you can now "look inside a room" and learn where devices are located. For instance, you can learn the location of Wi-Fi security cameras.