Yikes! One would have expected a little more code review or a design review from a hardware manufacturer, especially of security system. A system that people have been worried about since the Pentium FDIV bug.

I guess this one just slipped through the cracks?

Taking "never roll your own" too far.

I feel like using the example key isn’t really the big failure here.

They didn’t need a keyed hash at all, they needed a collision resistant hash.

SHA256 would have eliminated this vuln and it has a hardcoded “key” built into it.

Using a secret key for CMAC would not have been more secure, it would have just meant sophisticated hardware extraction of the key was required before this attack could be mounted.

I suppose the reuse wasn't accidental, but they mistakenly thought the key doesn't matter for CMAC.