Routers have been full of stupidly bad bugs for years; nothing really new here. I recall analyzing one a while back and finding that it used session tokens to determine whether one was logged into the interface. These were derived from the uptime with Triple DES, but the nonce was a constant string of text and the key was based off of interface MAC addresses. One has to wonder, at that point, why do anything at all?
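An added illustration, not the commenter's or any vendor's code: it measures how little unpredictability a token built this way has, next to a session token drawn from a CSPRNG. HMAC-SHA256 stands in for the Triple DES step, and the key derivation, nonce and MAC values are constructed assumptions.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample values; none come from a real device.
CONSTANT_NONCE = b"example-constant-nonce"
SAMPLE_MAC = bytes.fromhex("020000000001")  # locally administered address


def weak_token(uptime_seconds: int, mac: bytes) -> str:
    """Token as in the weak design: every input is fixed or observable.

    HMAC-SHA256 stands in for the Triple DES step; the choice of cipher
    does not matter because no input is secret.
    """
    key = hashlib.sha256(mac).digest()  # assumed derivation of the key from the MAC
    msg = CONSTANT_NONCE + uptime_seconds.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def weak_token_space_bits(uptime_window_seconds: int) -> float:
    """Unpredictability left once the MAC and nonce are known: only uptime."""
    distinct = {weak_token(t, SAMPLE_MAC) for t in range(uptime_window_seconds)}
    return math.log2(len(distinct))


class SessionStore:
    """Hardened form: tokens come from the OS CSPRNG and are looked up server-side."""

    def __init__(self) -> None:
        self._digests: set[bytes] = set()

    def issue(self) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._digests.add(hashlib.sha256(token.encode()).digest())
        return token

    def is_valid(self, token: str) -> bool:
        candidate = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison against each stored digest.
        return any(hmac.compare_digest(candidate, d) for d in self._digests)


if __name__ == "__main__":
    print(f"weak scheme, 1-day uptime window: {weak_token_space_bits(86400):.1f} bits")
    store = SessionStore()
    print("hardened token valid:", store.is_valid(store.issue()))
```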
> One has to wonder, at that point, why do anything at all?
Still prevents the most casual attacks; obscurity is sorta technically better than nothing. (Or worse, of course, if it gives the incorrect appearance of actual security...)