IP Redirection

Alternately, we can avoid the timing issue altogether:

- The adversary joins the network (authentication spoofing)
- He takes the packet to be decrypted and modifies it (message modification) so that the IP address of a machine he controls (somewhere on the Internet) is the destination
- He transmits the modified packet to the base station, which will decrypt it and send the plaintext on its merry way, straight to the adversary's machine
- There are issues with getting the IP header checksum correct, but it turns out those are fairly easy to solve
- The adversary may need to play other IP header games to get the packet out through a firewall
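
The checksum point above, as an added example that is not from the original slides: the IPv4 header checksum is an unkeyed one's-complement sum (RFC 1071), so a changed destination address shifts it by a predictable amount (RFC 1624, the same update NAT devices perform). It detects transmission errors and is not an integrity control. The function names and the RFC 5737 documentation addresses are constructed for illustration, and the code works on a plaintext header only.

```python
import ipaddress
import struct

def ones_sum16(data: bytes) -> int:
    """One's-complement sum of big-endian 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def header_checksum(header: bytes) -> int:
    """Checksum of a header with its checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return ~ones_sum16(zeroed) & 0xFFFF

def build_header(src: str, dst: str, payload_len: int = 20) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0x1234, 0x4000, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]

def is_valid(header: bytes) -> bool:
    """Receivers accept a header whose words sum to 0xFFFF."""
    return ones_sum16(header) == 0xFFFF

def rewrite_dst(header: bytes, new_dst: str) -> bytes:
    """Replace the destination and patch the checksum without a full
    recompute, using RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m')."""
    old = header[16:20]
    new = ipaddress.IPv4Address(new_dst).packed
    acc = ~struct.unpack("!H", header[10:12])[0] & 0xFFFF
    for m, m_new in zip(struct.unpack("!2H", old), struct.unpack("!2H", new)):
        acc += (~m & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return header[:10] + struct.pack("!H", ~acc & 0xFFFF) + header[12:16] + new

if __name__ == "__main__":
    original = build_header("192.0.2.10", "198.51.100.7")   # constructed sample
    patched = rewrite_dst(original, "203.0.113.5")
    print("original valid:", is_valid(original))
    print("patched valid: ", is_valid(patched))
    print("dst changed, checksum untouched:",
          is_valid(original[:16] + patched[16:20]))
```

Because anyone who changes a field can also produce a matching checksum, protection against modification has to come from a keyed message authentication code over the packet, not from the header checksum.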