
It would be just fine, if you knew what you were doing when choosing ECB. I can think of plenty of brain dead ways you could accidentally use it if you thought that AES automatically protected you no matter how you used it.

I'm sure there are vulnerabilities all over the place, but it would make even more sense if it happened to an AES system, because people would let their guard down because super-duper industrial strength encryption will take care of everything.



If the use of ECB is appropriate (which it may well be for this application) then the fact that it was used is not an indication of "brain dead" decision making. I would be much more worried if they made the system unnecessarily complicated (and thus more vulnerable) just because they thought the presence of ECB would be bad for marketing.


> then the fact that it was used is not an indication of "brain dead" decision making.

I didn't mean using it was brain dead, I mean using it without knowing the implications might lead to (accidentally) using it in a brain dead way. For example, I could see them implementing the protocol and testing it without crypto and then simply adding crypto on top of it without thinking about the crypto portion.



