L-ReCon

L-ReCon is a piece of software that can be installed on home routers and dedicated devices (e.g.,  Raspberry Pi), to analyze the network sent over the Internet from any connected devices (e.g., mobile phones and IoT devices).

The current status of this tool is alpha, which means that is intended as a proof-for-concept for experts in the field, and not for production use. The latest version of L-ReCon is currently downloadable from the following link:

Download L-ReCon
Last update: October 16, 2018
Size: 793 MiB. MD5: b44a66b1c95b03e0072f3947e8ad4cde

The software distribution above contains all the files needed to compile, install, and run L-ReCon. The license of our code is GNU General Public License 3.0, third party components are licensed differently. An installation guide is available here.

Capabilities

The current capabilities of L-ReCon are the following:

  • Compatible with all consumer-grade routers that can run the open source firmware dd-wrt v3.0, have at least 1GB of RAM, an ARMv7 processor running at 1 GHz, and an USB port. Tested model: Netgear Nighthawk X10.
  • Compatible with dedicated devices with at least 1GB of RAM and a Linux Raspbian distribution. Tested models include: Raspberry Pi 3.
  • Process all outgoing traffic sent over the Internet by devices that are connected to a router or dedicated device running L-ReCon.
  • Use Machine Learning to find and reveal Personally Identifiable Information (PII) leaks in the processed traffic without preexisting knowledge of such PII.
  • Offer an intuitive web interface to see PII leaked.
  • Allow the user to enable or disable TLS interception of traffic using a web interface that provides instructions for Android and iOS.
  • If TLS interception is disabled, L-ReCon is totally transparent and will not affect any network functionality. If it is enabled, some protection mechanisms (such as certificate pinning), may prevent some apps from working correctly. In these cases L-ReCon will try to create an exception to avoid intercepting such connections automatically. This will minimize the amount of apps and/or IoT devices that do not work, but will not completely eliminate the problem (e.g., for apps that change frequently their destination IP address).

Software components

L-ReCon software distribution is composed of the following third-party components:

  • An archive (lrecon-XXXX-XX-XX.tar.gz) containing a lightweight Debian GNU/Linux ARMv7 distribution for router installation and installation/configuration scripts for dedicated device installation.
  • MariaDB database to store PII.
  • Tornado web server to provide the configuration and PII visualization interface.
  • An Oracle Java 8 distribution to run our Java software to recognize PII using the Machine Learning capabilities offered by the weka library.
  • Mitmproxy man-in-the-middle software.
  • DNSMasq to capture DHCP events when devices connect.

And the following components developed by us:

  • Java-based Machine Learning classifier, which has the network traffic as input, and produces the leaked PII as output, which are inserted into the MariaDB database.
  • Machine Learning training data used to tell the classifier how to predict PII data.
  • Mitmproxy python scripts to extract the network traffic that is relevant to our analysis and to automatically generate exceptions.
  • Mitmproxy modifications to automatically add exceptions for domains that do TLS certificate pinning.
  • Python dynamic pages to show PII to users and configure TLS interception through the Tornado web server.
  • Event-handling python and bash scripts to capture events of device connection/disconnection (for router installation).
  • Installer scripts for dedicated devices installations.

How to build

Our L-ReCon distribution is released as a gzipped-tar archive (l-recon-XXXX-XX-XX.tar.gz) that contains a pre-installed Debian/GNU Linux distribution with L-ReCon scripts and all the needed dependencies.

Most of L-ReCon comes in form of scripts, which can be used and modified as they are without any need to compiled. However, the Machine Learning component is based on Java, which needs to be compiled. Our distribution already provides a binary pre-compiled version of the Machine Learning component together with its source code. However, if a user wants to modify such component, it needs to be rebuilt. To facilitate this operation (which is not needed if the software is not being modified), we have made our Java code compatible with the gradle automatic compilation tool. Gradle automatically downloads all the required libraries, compiles the code, and install the compiled files in the correct locations. The steps to do this are the following:

  1. Unpack the L-ReCon distribution in any location.
  2. Open a shell and go to the directory opt/meddle/weka
  3. Execute: ./gradlew build
  4. Repack the L-ReCon distribution as a gzipped tarball.

How to install

Please follow this guide.