Secure Auto-provisioning


#1

So we’ve come across a problem with the auto-provisioning when using the GAPS service.

ANYONE on the planet with a Grandstream MAC can find the initial GAPS config by visiting the GAPS URL and obtaining the bootstrap XML for a device… This XML contains the decryption key (P1359) for the configuration as well as the location of the server (P237) and type of connection (P212)…

With that information anyone can now download the configuration file from our config server and use the decryption key to decode the config. This will provide the person with the Admin GUI password as well as all the SIP account credentials for the device.

Is there any way to prevent this?

Testing the HTTP User-Agent string on the server won’t work as it is very easy to fake the correct value.


#2

Hi sir, I am struggling with the same problem. I have solved this in the following way:

  1. I am checking the HTTP User-Agent (solves the “dumb” attacks)
  2. I use the “legacy binary” format to provision the encryption key
  3. I keep track of how often this binary key file has been downloaded and I only allow that file to be downloaded 1-2 times. So the customer can autoprovision the phone, and after that the phone has the key and it can decode the encrypted XML

I hope this is something you can implement in your system. It is security by obscurity, but it is better than nothing, I guess.
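
The download limit described in reply #2, as an added example that is not part of the original posts and not Grandstream code: a server-side gate that checks the User-Agent, then spends one unit of a per-MAC download budget before the key file is served. The class and table names, the `Grandstream` User-Agent prefix and the SQLite storage are assumptions made for illustration.

```python
import re
import sqlite3

MAX_DOWNLOADS = 2          # the reply allows the key file to be fetched 1-2 times
UA_PREFIX = "Grandstream"  # assumption: match whatever your phones actually send

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if it is malformed."""
    mac = re.sub(r"[:.\-]", "", raw or "").lower()
    return mac if re.fullmatch(r"[0-9a-f]{12}", mac) else None

class KeyFileGate:
    """Hypothetical per-MAC download budget for the binary key file."""
    def __init__(self, db_path=":memory:"):
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS keyfile "
                        "(mac TEXT PRIMARY KEY, downloads INTEGER NOT NULL DEFAULT 0)")
        self.db.execute("CREATE TABLE IF NOT EXISTS denied (mac TEXT, src_ip TEXT, reason TEXT)")

    def enroll(self, raw_mac):
        """Register a phone when it is assigned; only enrolled MACs get a key."""
        mac = normalize_mac(raw_mac)
        if mac is None:
            raise ValueError("not a MAC address")
        self.db.execute("INSERT OR IGNORE INTO keyfile (mac) VALUES (?)", (mac,))
        self.db.commit()

    def request(self, raw_mac, user_agent, src_ip):
        """Return True if the key file may be served for this request."""
        mac = normalize_mac(raw_mac)
        if mac is None:
            return self._deny(raw_mac, src_ip, "bad-mac")
        if not (user_agent or "").startswith(UA_PREFIX):
            return self._deny(mac, src_ip, "bad-user-agent")  # step 1, budget untouched
        # Step 3: one conditional UPDATE, so concurrent requests cannot both
        # take the last remaining download.
        cur = self.db.execute("UPDATE keyfile SET downloads = downloads + 1 "
                              "WHERE mac = ? AND downloads < ?", (mac, MAX_DOWNLOADS))
        self.db.commit()
        return cur.rowcount == 1 or self._deny(mac, src_ip, "unknown-or-exhausted")

    def _deny(self, mac, src_ip, reason):
        # Keep refusals: a request after the budget is spent deserves a look.
        self.db.execute("INSERT INTO denied VALUES (?, ?, ?)", (mac, src_ip, reason))
        self.db.commit()
        return False

    def denied(self):
        return self.db.execute("SELECT mac, src_ip, reason FROM denied").fetchall()
```

A phone that is factory-reset after its budget is spent will be refused until an administrator resets its counter, and the `denied` table shows who else asked in the meantime.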