by hqsolomo 1038 days ago
Security neophyte here: you are exactly right. It also seems like in this case there was a "default encryption key", and that is 100% a part of the problem.

I guess the default key is a problem too, mainly since it might trick developers/manufacturers into thinking that this somehow makes the key exchange secure if you use it while setting a device-unique key.

I do work with OSDP devices and I have heard this argument from manufacturers, like "we only support setting a new key while using the default key, it's more secure that way", while it, at best, will just obfuscate the process.

I haven't done enough PKI to call myself "good" at it, but I've done enough to shudder any time I hear "hardcoded key".
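To make the "obfuscation, not security" point concrete, here is an added example (not code from the thread, and not OSDP's actual secure-channel implementation): a key-set message that carries the new device-unique key encrypted under the current session key. The cipher is a constructed SHA-256 keystream stand-in, the keys and nonces are constructed test values, and `keyset_message` / `observer_recovers` are hypothetical names. Anyone who knows the vendor default key recovers the device-unique key from the first rotation; only a rotation performed under a key the observer never held stays confidential, which is why the first key has to be provisioned out of band rather than "protected" by the default.

```python
import hashlib

# Constructed placeholder for a vendor default key; the assumption modelled
# here is that this value is published or shared across every device.
DEFAULT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in stream cipher: SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; symmetric, so decrypt is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt


def keyset_message(current_key: bytes, new_key: bytes, nonce: bytes) -> bytes:
    """Hypothetical 'set new key' command: nonce || new_key encrypted under current_key."""
    return nonce + encrypt(current_key, nonce, new_key)


def observer_recovers(message: bytes, known_key: bytes) -> bytes:
    """What a passive observer holding known_key gets back from the message."""
    nonce, body = message[:8], message[8:]
    return decrypt(known_key, nonce, body)


def demo() -> tuple:
    """Returns (first_rotation_exposed, second_rotation_exposed)."""
    device_key = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # constructed
    next_key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")    # constructed
    nonce1 = bytes(8)                                                # constructed, fixed
    nonce2 = bytes([1] * 8)                                          # constructed, fixed

    # Rotation 1: new device-unique key sent under the shared default key.
    msg1 = keyset_message(DEFAULT_KEY, device_key, nonce1)
    first_exposed = observer_recovers(msg1, DEFAULT_KEY) == device_key

    # Rotation 2: next key sent under the device-unique key the observer never had.
    msg2 = keyset_message(device_key, next_key, nonce2)
    second_exposed = observer_recovers(msg2, DEFAULT_KEY) == next_key

    return first_exposed, second_exposed


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check a practitioner wants here is the first element of that tuple: if the only supported bootstrap path is "encrypt the new key under the default key", the device-unique key is exactly as secret as the default key, and a later rotation cannot repair that because the observer already holds the key used to protect it.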