by motohagiography
1458 days ago
There may or may not have been an RF embedded vendor who just added an XOR of any password key you gave it to itself, so that you could turn encryption "on" and add a password and it would "just work" with every other device, because they all ostensibly encrypted traffic with a key that was a string of zeroes. Another hypothetical vendor may have claimed to use 128-bit AES, where it would take a config password, encrypt it with AES, and then XOR each packet payload of RF traffic with the bytes from that ciphertext. This was when SDRs and anything that could intercept FHSS traffic cost over $10k, so nobody really noticed. My skills were lame by most standards, and if this is getting attention now, we can expect some really funny conference talks in the next few years, and there are some careers to be made on breaking implementations in this relative backwater. The hardest part at the time was extracting the bootloader firmware dump via an open JTAG, but most of the firmware images were available via FTP, and the tools for that today are just amazing compared to the '00s.
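As an added illustration (not from the commenter or any vendor), the following Python models both "encryption" schemes described in the comment and the self-test a developer can run against their own implementation to catch them: with the self-XOR key the ciphertext equals the plaintext, and with a fixed pad repeated across packets, the XOR of two ciphertexts equals the XOR of the two plaintexts because the pad cancels. SHA-256 stands in for the AES step (an assumption; the weakness is the fixed pad, not the block cipher), and the per-packet counter keystream at the end is a hypothetical sketch of the property a fix needs, not a recommendation to roll your own stream cipher.

```python
import hashlib
from itertools import cycle


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def self_xor_key(password: bytes) -> bytes:
    """Vendor one's 'key derivation' as described: XOR the password with itself.
    The result is all zeroes regardless of the password."""
    return xor_bytes(password, password)


def password_pad(password: bytes, block_len: int = 16) -> bytes:
    """Vendor two's fixed pad: one block derived from the config password.
    SHA-256 is an assumed stand-in for the AES encryption of the password."""
    return hashlib.sha256(password).digest()[:block_len]


def xor_with_pad(payload: bytes, pad: bytes) -> bytes:
    """Both vendors' 'encryption': XOR the payload with the pad, repeating it
    as needed. The same function decrypts, since XOR is its own inverse."""
    return bytes(p ^ k for p, k in zip(payload, cycle(pad)))


def keystream_reused(ct1: bytes, ct2: bytes, pt1: bytes, pt2: bytes) -> bool:
    """Self-test for an implementation you control: encrypt two known payloads
    under the same configuration. If ct1 ^ ct2 == pt1 ^ pt2, the keystream was
    identical for both packets and the scheme offers no confidentiality."""
    n = min(len(ct1), len(ct2), len(pt1), len(pt2))
    return xor_bytes(ct1[:n], ct2[:n]) == xor_bytes(pt1[:n], pt2[:n])


def per_packet_keystream(password: bytes, counter: int, length: int) -> bytes:
    """Hypothetical sketch of the property a fix needs: keystream bound to a
    never-repeating per-packet counter. A real design would use an AEAD such
    as AES-GCM with a unique nonce rather than this hash construction."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            password + counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def encrypt_with_counter(payload: bytes, password: bytes, counter: int) -> bytes:
    """Encrypt one packet with a counter-bound keystream (fresh per packet)."""
    return xor_with_pad(payload, per_packet_keystream(password, counter, len(payload)))


if __name__ == "__main__":
    # Constructed sample telemetry payloads, not captured traffic.
    pt1 = b"TEMP=21.5 HUM=40 BATT=97"
    pt2 = b"TEMP=22.0 HUM=41 BATT=96"
    password = b"hunter2"

    # Vendor one: the derived key is zero, so "encryption" is the identity.
    zero_key = self_xor_key(password)
    print("self-xor key:", zero_key.hex())
    print("ciphertext == plaintext:", xor_with_pad(pt1, zero_key) == pt1)

    # Vendor two: a fixed pad reused for every packet; the self-test catches it.
    pad = password_pad(password)
    ct1, ct2 = xor_with_pad(pt1, pad), xor_with_pad(pt2, pad)
    print("fixed pad reused:", keystream_reused(ct1, ct2, pt1, pt2))

    # Counter-bound keystream: the same self-test passes.
    ct1c = encrypt_with_counter(pt1, password, 1)
    ct2c = encrypt_with_counter(pt2, password, 2)
    print("counter keystream reused:", keystream_reused(ct1c, ct2c, pt1, pt2))
```

The `keystream_reused` check is the one worth keeping in a firmware test suite: it needs only two known payloads and their ciphertexts, so it runs on the bench without any RF capture gear.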