So we’ve come across a problem with the auto-provisioning when using the GAPS service.
ANYONE on the planet with a grandstream MAC can find the initial GAPS config by visiting the GAPS URL and obtaining the bootstrap XML for a device… This XML contains the decryption key (P1359) for the configuration as well as the location of the server (P237) and type of connection (P212)…
With that information anyone can now download the configuration file from our config server and use the decryption key to decode the config. This will provide the person with the Admin GUI password as well as all the SIP account credentials for the device.
Is there any way to prevent this?
Testing the HTTP User-Agent string on the server won’t work as it is very easy to fake the correct value.