This MAC address is easily discoverable using a simple wireless packet sniffer such as Kismet. The vulnerability was discovered and published by a guy choosing to call himself Paul, which goes to show that not everyone is in the business for the cash or the fame.
What this vulnerability does (once found) is to give remote attackers zero-effort access to affected customers’ WLANs and to their Internet connections – not that WEP security isn’t easily crackable in the first place, but there’s a difference between “minimal effort” (half an hour tops with a weak computer) and “no effort”, the same that exists in a burglar’s mind between “standard Yale lock – closed – on the patio door” and “patio door slightly ajar”.
Devices and bits of software designed to be insecure by default are a big problem we’re all facing – the added cost of some security, in this case, would have been effectively nil – the router software could’ve chosen key at (pseudo)-random and would have been just as insecure as any other WEP user, or could’ve used WPA2, for the same marginal cost of ~0.0 USD. That the router manufacturer chose not to do so is a vivid illustration of the principle that the costs of failed security should be borne at least in part by those who’ve implemented the faulty security in the first place.
Due dilligence already has its firmly established place in the business world at large. Why not in the security industry as well?