Rather than having the TCP/IP address stored in non-volatile ROM, some X terminals broadcast a RARP packet, asking that a server system tell them what their address should be. The first host to respond can set the terminal's address to anything.
This allows a malicious system manager to disable X terminals, or to cause the user to execute a fake login program, revealing their password.