What you describe could occur with a LaserWriter 16/600 PS with a pre-v3.0 IOP ROM which had a known bug. The LaserWriter 16/600 PS failed to check the BOOTP transaction ID and incorrectly accepted a broadcast BOOTP reply intended for another device, which should not occur to a LaserWriter 12/640 PS. The LaserWriter 12/640 PS was tested and confirmed to properly reject broadcast BOOTP packets not intended for itself.
Assuming there are no BOOTP or RARP servers on the network, an address could be acquired through ping assignment, but only a correct assignment because the LaserWriter 12/640 PS will not accept IP addresses through broadcast multicast ICMP echo requests.
It is possible a corrupt ARP table could cause an ICMP request to be generated that would cause the printer to accept the address. However, in order for this to occur the ARP table would have to associate the printer's correct 48-bit Ethernet address with the to-be-stolen IP address of another device which seems unlikely.
Based on the known characteristics of the LaserWriter 12/640 PS, Apple believes it is far more probable that the printer was inadvertently assigned an incorrect IP address through any method specified in the manual without the administrators knowledge.
Should the LaserWriter 12/640 PS retain IP addresses obtained through BOOTP or RARP when restarted? For more information please refer to Tech Info Library article #22217: "
LaserWriter 12/640 PS: IP Address Reads 0.0.0.0."
One way the printer could be perceived to steal IP addressees is as follows:
1. The administrator assigns an IP address to the printer through BOOTP or RARP.
2. The printer is restarted and stores the address in non-volatile memory.
3. The administrator decides to remove the printer from IP by removing the printer from the BOOTP or RARP server.