Android: A Second Career in Security?
For security professionals who aren't afraid of a bit of tinkering, old Android phones can be valuable raw materials -- ways to achieve capabilities for little-to-no additional overhead cost. If the need is pressing enough or the budget strapped enough, creative use of old Android devices might very well represent a win for the security team.
04/23/13 5:00 AM PT
Did you know Julia Child was 37 before she learned to cook? It was a full decade later that she first set foot in front of a television camera. Before becoming the phenomenon we all know, she'd already had quite a career: She'd worked as a typist, an advertising copywriter, and later as a researcher in the intelligence community (for which she was awarded a civilian medal).
What's my point? Sometimes it's a mistake to assume something -- or someone -- has outlived its usefulness just because it's already done one thing successfully. This is just as true in an enterprise context as in a personal one. For example, many of us have a wealth of decommissioned corporate-provisioned mobile devices: We've bought them, handed them out, and seen them used successfully for years. Now they're on their way to the great docking station in the sky.
However, because these devices are already off the books -- meaning we've already absorbed their acquisition costs -- adapting them for specific security functions can mean achieving certain goals practically for free. Android devices make particularly good candidates for this: They're open, meaning you can install apps from anywhere; they usually have a built-in camera; they have wireless and cellular capability, as well as GPS; and they can operate via an outlet or a battery.
As a Security Camera
Did you know that Android started as an OS specifically for cameras? It's true -- at least according to Android cofounder Andy Rubin. So we should not be surprised that the platform has very sophisticated camera capabilities. In certain situations, the platform is ideal for a rapidly deployed, low-cost, impromptu security camera.
There are quite a few apps in the Android marketplace that will take a picture or short video when the camera detects motion, and they can be configured to email, SMS, store, or upload that video or picture. Used creatively, these apps -- when installed on a piece of functional Android hardware and appropriately placed -- can temporarily act in lieu of a formal closed-circuit television mechanism -- or supplement or replace one.
For example, they can be configured to capture and upload images to a central directory for later review -- or they can be configured to email images and video to a mailbox set aside for exactly that purpose.
When could this be useful? Consider a small merchant requiring CCTV capability at the point of sale (PCI DSS requirement 9.1.1) or one who wishes to record access to a computer room -- for example, at a remote retail location.
Alternatively, these Android-app loaded devices could be useful as a short-term audit or risk control mechanism -- for example, if you encounter a situation where CCTV could serve as a compensating control to some other issue (such as a physical access control issue).
Granted, CCTV isn't often the first choice as a compensating control -- but this is arguably because of the expense associated with deploying and placing cameras. In a situation when the camera is wireless and can be easily mounted, it opens up a new avenue of discussion when it comes to selection of an appropriate short-duration control.
As a WiFi Sniffer
Another purpose you could adapt Android devices to would be as an impromptu 802.11 protocol analyzer. Because these devices are portable and have WiFi capability, they can be deployed as a mobile or stationary point of detection for rogue access points or misconfigured stations.
Many organizations have large numbers of geographically distributed office locations. For example, brick-and-mortar merchants might have numerous retail locations; restaurant and hotel chains might manage many different properties; and hospitals and health systems might have numerous affiliated clinics.
In this context, "war walking" activities can be cumbersome, requiring personnel either to ship a sensor to remote locations (maybe in "serial" fashion due to limitations acquiring specialized hardware) or perhaps sending staff to those locations directly. Conversely, wireless IDS installations can be expensive across so many locations.
Having a number of small, easily portable devices with innate WiFi detection capability -- like Android phones -- at the ready can alleviate some of this. Tools in the Android marketplace -- for example, farproc's WiFi Analyzer -- can provide information on access points, configuration information, and so forth.
Of course, this is by no means the only tool that can help here -- you can even build your own if you're so inclined -- and it goes without saying that you'll need to pick a device with an appropriately versatile radio, that is, one that covers all versions of 802.11 and frequencies you may be interested in. However, with a bit of planning, you might be surprised at how effective this approach can be.
As a Power 'Canary'
It's not always cost-effective to maintain a generator or UPS for every remote field location, such as sales offices. Yet it would be advantageous to have an inexpensive way to know when and if there's a sudden loss of power in those environments.
Yes, you could buy an expensive UPS that will auto-notify the machines it's connected to -- and thereby, perhaps you -- of an outage, or you could wait for employees to phone it in. With a number of decommissioned Android devices hanging around, though, you may have another option.
Specifically, because old Android phones can run on battery and have built-in out-of-band communications capability (i.e., the cellular network), this means they might be available to give you a heads-up about a power loss when other systems -- and communications pathways, like the network -- are down.
Assuming the site is non-rural enough to have cellular connectivity, one approach might be to give the device a low-cost data plan and have it email you when power has been off for a while -- that is, if it's running off battery longer than a predefined time threshold.
If you want to minimize costs, you might forgo the data plan entirely and have it SMS you instead. Combined with a long-duration or non-expiring prepaid usage-based plan, you can get quite a bit of mileage out of an old phone this way.