I think the poster may have meant WLAN admin mode. The APs I run all have admin mode disabled for WLAN interface and WAN interfaces. This reduces the attack vector to systems on the LAN interfaces.

If they're in that far - you're pretty much screwed.

Also, infected router doesn't need to store firmware for many types - it could retrieve it from a centrally managed server "on demand" to infect systems.

All this bug really needs is a system to detect adjacent access points (many APs have this feature today) - scan the AP to detect kind and determine if it is one that it can compromise - fetch the applicable 3rd party firmware and then load it.

I would imagine that most clueless users (the ones who would put up a router with default config unsecured) would notice their system has been stung.

Owning their router would allow a remote packet sniffer to be run or optionally set up a packet mirror thru a vpn tunnel to a listening post. Could also use owned router to launch directed attack at local systems on LAN, as many users think the router is a full featured firewall that protects them from all the badness on the other side.

Pretty interesting research.