I have a question on DMVPN solutions where device is already configured with a preshared key and expected to be a part of a network once the device is fired up.
Now what if this device (e.g. a router) is stolen and plugged into the Internet? I believe it will establish a connection with the hub router because the preshared keys and DMVPN config match. Is there a solution to prevent this?
I know it is a physical security question however I need to consider this rare scenario.
The solution for that problem is to use digital certificates, which is best practice for DMVPN. For that you can also use an IOS router as a CA server.
If you decide against certificates, then you can at least use PSK encryption. That doesn't help against stolen devices, but it helps against rogue spokes when someone gets hold of the client config.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
The most scalable way is to use a PKI infrastructure. If a device gets stolen, the network admin revokes its certificate and publishes a new CRL (Certificate Revocation List).
As soon as the stolen device tries to reconnect to the hub, the hub will terminate the connection due to a certificate validation failure.
That's the best practice.
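Both answers above recommend certificate authentication with an IOS CA and revocation via CRL but show no configuration. The fragment below is an added example, not from either answer or from Cisco documentation: an IOS CA, the hub trustpoint and IKEv2 profile that authenticate spokes by certificate, and the EXEC commands used to revoke a stolen spoke. All names (HQ-CA, DMVPN-SPOKES, DMVPN-IKEV2, HUB-KEY), the addresses 192.0.2.10, 203.0.113.20 and 10.0.0.0/24, the CDP URL and the serial number 0x3 are assumptions chosen for illustration.

```cisco
! ===== IOS CA server (hypothetical name HQ-CA, address 192.0.2.10) =====
ip http server
crypto pki server HQ-CA
 database level complete
 issuer-name CN=HQ-CA,O=Example
 lifetime certificate 365
 ! CRL lifetime in hours. Hubs keep a cached CRL until it expires, so this
 ! value bounds how long a revoked (stolen) spoke can still authenticate.
 lifetime crl 6
 ! CRL distribution point written into every issued certificate (assumed URL)
 cdp-url http://192.0.2.10/HQ-CA.crl
 ! Enrollment approval stays manual (the default); do not use "grant auto"
 ! when unattended devices and theft are part of the threat model.
 no shutdown

! ===== Hub: trustpoint and certificate-based IKEv2 =====
crypto pki trustpoint HQ-CA
 enrollment url http://192.0.2.10:80
 subject-name CN=hub1.example.net,OU=DMVPN
 ! "crl" alone fails closed: if the CRL cannot be fetched, no spoke is
 ! accepted. "crl none" would fall back to accepting revoked certificates.
 revocation-check crl
 rsakeypair HUB-KEY

! Only certificates issued by HQ-CA to the DMVPN OU may bring up a tunnel
crypto pki certificate map DMVPN-SPOKES 10
 issuer-name co cn = hq-ca
 subject-name co ou = dmvpn

crypto ikev2 proposal DMVPN-PROP
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy DMVPN-POL
 proposal DMVPN-PROP
crypto ikev2 profile DMVPN-IKEV2
 match certificate DMVPN-SPOKES
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint HQ-CA
 dpd 30 5 on-demand

crypto ipsec transform-set DMVPN-TS esp-gcm 256
 mode transport
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC

! ===== Revoking a stolen spoke (privileged EXEC on the CA, then on the hub) =====
! CA: find the spoke's serial, revoke it, which also regenerates the CRL
CA#  show crypto pki server HQ-CA certificates
CA#  crypto pki server HQ-CA revoke 0x3
! Hub: fetch the new CRL now instead of waiting for the cached one to expire,
! then drop the live session so the spoke must re-authenticate (and fail)
Hub# crypto pki crl request HQ-CA
Hub# clear crypto session remote 203.0.113.20
Hub# show crypto pki crls
Hub# show crypto ikev2 sa
```

Two caveats a practitioner should keep in mind. First, revocation is only checked at authentication time, so an already-established tunnel survives until it is cleared or rekeys; the `clear crypto session` step is not optional. Second, the stolen router still holds its private key and the rest of its config (NHRP strings, tunnel key, routing), so revocation is the only control that actually removes its access; the `lifetime crl` value and the hub's `revocation-check crl` setting together decide how long that takes.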