In this scenario, you need a protocol gateway between your IoT Hub endpoint and your GPS devices. The protocol gateway translates the protocol used by your devices to a protocol supported by IoT Hub. The Azure IoT Protocol Gateway provides this functionality. It supports hosting the gateway in the cloud or on-premises (as a service fabric cluster).
As for the security aspect of your question, a field/protocol gateway can be either transparent or opaque.
A transparent gateway is one where the device's identity (ie: GPS device) is known by IoT Hub. As you pointed out, this means you need a way to update the device with a token that IoT Hub can use to authenticate and authorize the device. The protocol gateway simply performs protocol transation and passes the identity of the device through.
An opaque gateway is one where the device's identity is not known or managed by IoT Hub. In this scenario, only the identity of the gateway is known by IoT Hub. The token is on the gateway and is used to authenticate and autorize the gateway. To provide authorization capabilities for the GPS devices behind the gateway, you would have to add some code to your backend solution (behind IoT Hub) to do that and your protocol gateway would also have to include a device identifier in the messages to/from IoT Hub. So, the protocol gateway performs protocol translation and some additional logic (message hydration) to include device specific identity for authorization purposes. This is the path you will need to take if you cannot load/update the token to the GPS device.
