L-ReCon
L-ReCon is a piece of software that can be installed on home routers and dedicated devices (e.g., Raspberry Pi) to analyze the network traffic sent over the Internet by any connected device (e.g., mobile phones and IoT devices).
The current status of this tool is alpha, which means that it is intended as a proof of concept for experts in the field, not for production use. The latest version of L-ReCon is currently downloadable from the following link:
Download L-ReCon
Size: 793 MiB. MD5: b44a66b1c95b03e0072f3947e8ad4cde
LICENSE: Apache License v2.0
The software distribution above contains all the files needed to compile, install, and run L-ReCon. The license of our code is GNU General Public License 3.0; third-party components are licensed differently. An installation guide is available in the remainder of this page.
Capabilities
The current capabilities of L-ReCon are the following:
- Compatible with all consumer-grade routers that can run the open source firmware dd-wrt v3.0 and have at least 1 GB of RAM, an ARMv7 processor running at 1 GHz, and a USB port. Tested model: Netgear Nighthawk X10.
- Compatible with dedicated devices with at least 1 GB of RAM running the Linux Raspbian distribution. Tested models include the Raspberry Pi 3.
- Process all outgoing traffic sent over the Internet by devices that are connected to a router or dedicated device running L-ReCon.
- Use Machine Learning to find and reveal Personally Identifiable Information (PII) leaks in the processed traffic without preexisting knowledge of such PII.
- Offer an intuitive web interface to see PII leaked.
- Allow the user to enable or disable TLS interception of traffic using a web interface that provides instructions for Android and iOS.
- If TLS interception is disabled, L-ReCon is totally transparent and will not affect any network functionality. If it is enabled, some protection mechanisms (such as certificate pinning) may prevent some apps from working correctly. In these cases L-ReCon will try to automatically create an exception so that such connections are no longer intercepted. This minimizes the number of apps and/or IoT devices that do not work, but does not completely eliminate the problem (e.g., for apps that frequently change their destination IP address).
Software components
L-ReCon software distribution is composed of the following third-party components:
- An archive (lrecon-XXXX-XX-XX.tar.gz) containing a lightweight Debian GNU/Linux ARMv7 distribution for router installation and installation/configuration scripts for dedicated device installation.
- MariaDB database to store PII.
- Tornado web server to provide the configuration and PII visualization interface.
- An Oracle Java 8 distribution to run our Java software, which recognizes PII using the Machine Learning capabilities offered by the Weka library.
- Mitmproxy man-in-the-middle software.
- DNSMasq to capture DHCP events when devices connect.
And the following components developed by us:
- A Java-based Machine Learning classifier, which takes the network traffic as input and produces the leaked PII as output; these are inserted into the MariaDB database.
- Machine Learning training data used to teach the classifier how to predict PII.
- Mitmproxy Python scripts to extract the network traffic that is relevant to our analysis and to automatically generate exceptions.
- Mitmproxy modifications to automatically add exceptions for domains that do TLS certificate pinning.
- Python dynamic pages to show PII to users and to configure TLS interception through the Tornado web server.
- Event-handling Python and bash scripts to capture device connection/disconnection events (for router installation).
- Installer scripts for dedicated-device installations.
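As an added illustration of the first stage of that pipeline (the mitmproxy scripts that hand relevant request content to the classifier), and not L-ReCon's own script: the helper below flattens one outgoing HTTP request into (location, key, value) records that a classifier can consume as features. The header list and the sample request are constructed assumptions, not captured traffic.

```python
"""Request key/value extraction for the classifier: added illustration, not L-ReCon's script."""
import json
from urllib.parse import parse_qsl, urlsplit

# request headers that commonly carry device identifiers (assumed list for this example)
CANDIDATE_HEADERS = ("user-agent", "x-device-id")


def _flatten(obj, prefix=""):
    """Yield (dotted_key, scalar_as_str) pairs from a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), str(obj)


def extract_pairs(url, headers, body):
    """Return (location, key, value) records from one outgoing HTTP request.

    Locations are query, cookie, header and body; the classifier decides which
    values are PII, this function only exposes the request's structure.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    pairs = [("query", k, v)
             for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    # cookies are "name=value; name=value": split into individual pairs
    pairs += [("cookie", k, v)
              for k, v in parse_qsl(lowered.get("cookie", "").replace("; ", "&"))]
    pairs += [("header", h, lowered[h]) for h in CANDIDATE_HEADERS if h in lowered]
    ctype = lowered.get("content-type", "")
    if "json" in ctype:
        try:
            pairs += [("body", k, v) for k, v in _flatten(json.loads(body))]
        except ValueError:  # malformed body: contribute no body features
            pass
    elif "x-www-form-urlencoded" in ctype:
        pairs += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    return pairs


# constructed sample request (not captured traffic) exercising query, cookie and JSON body
SAMPLE = {
    "url": "http://tracker.example/collect?uid=A1B2C3&lang=en",
    "headers": {"Content-Type": "application/json", "Cookie": "sid=xyz"},
    "body": '{"device": {"imei": "490154203237518"}, "email": "alice@example.com"}',
}
```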
How to build
Our L-ReCon distribution is released as a gzipped tar archive (l-recon-XXXX-XX-XX.tar.gz) that contains a pre-installed Debian GNU/Linux distribution with the L-ReCon scripts and all the needed dependencies.
Most of L-ReCon comes in the form of scripts, which can be used and modified as they are without any need to be compiled. However, the Machine Learning component is written in Java, which needs to be compiled. Our distribution already provides a pre-compiled binary version of the Machine Learning component together with its source code; if a user wants to modify this component, it needs to be rebuilt. To facilitate this operation (which is not needed if the software is not being modified), we have made our Java code compatible with the Gradle build tool. Gradle automatically downloads all the required libraries, compiles the code, and installs the compiled files in the correct locations. The steps to do this are the following:
- Unpack the L-ReCon distribution in any location.
- Open a shell and go to the directory opt/meddle/weka
- Execute: ./gradlew build
- Repack the L-ReCon distribution as a gzipped tarball.
How to install and use L-ReCon
Contents:
- Installation guide for dd-wrt routers
- Installation guide for Raspberry Pi
- Quick user guide
- Known bugs and issues
L-ReCon installation guide for dd-wrt routers
What you need:
- A Wi-Fi router with an ARMv7 processor, 1 GB of RAM, and 1 USB port, compatible with dd-wrt. For example, the Netgear Nighthawk X10 Model R9000.
- The latest dd-wrt firmware available for the router, which can be downloaded here (we tested version r37405).
- A USB pendrive of at least 8 GB, formatted as EXT4.
- The L-ReCon distribution, which can be downloaded from the tools section of this website
Installation steps:
- Install the dd-wrt firmware on the router, following the firmware upgrade instructions that are specific to your router.
- Decompress the content of the L-ReCon distribution onto the USB stick, using the following command in a Linux shell run from the root directory of the stick:
tar zxf l-recon.tar.gz
This operation creates a USB key that contains all the files needed to run L-ReCon.
- Insert the USB stick in the router’s USB port.
- Connect to the web interface of the router (usually http://192.168.1.1) and change the “Router Name” in the Setup/Basic Setup configuration page to “recon.wrt”.
In this operation a different name can be chosen, but in such a case, any instructions that refer to this name also have to be changed accordingly.
- Go to “Services/USB” in the configuration page and:
  - Enable core USB support, USB storage support, and automatic drive mount.
  - Run-on-mount script name: /opt/boot-chroot.sh
  - Mount this partition to /opt: copy the UUID of the ext4 partition of the USB key (you should be able to see it on the same page).
  - Click Save and Apply Settings.
This operation is needed so that the USB stick is recognized and L-ReCon is started automatically every time the router boots.
- Go to “Services->Services” in the configuration page and put the following line in the “Additional DNSMasq Options” field:
dhcp-script=/opt/opt/meddle/reconwrt/dnsmasq-event.sh
Then Save and Apply Settings.
This option makes the DHCP server of dd-wrt (DNSMasq) notify L-ReCon of every new device connection, so that L-ReCon can start analyzing that device's traffic.
- Configure any other router option (e.g., Wi-Fi name and password, router accounts, etc.).
Save, Apply Settings, and reboot the router with the USB stick inserted.
- Wait two minutes for the restart to complete. L-ReCon is now ready to be used on any device that is connected to the router's Wi-Fi or LAN ports.
L-ReCon installation guide for Raspberry Pi
What you need:
- A Raspberry Pi 3, or a Raspberry Pi 2 with an external Wi-Fi module
- An empty SD card of at least 16 GB, formatted with the FAT32 file system and an MBR partition table
- The L-ReCon distribution, which can be downloaded from the tools section of this website
Installation steps
- Copy Raspbian NOOBS onto the SD card (we tested version 2.9.0).
- Put the SD card into the Raspberry Pi and install Raspbian (we tested the Lite installation).
- Connect the Ethernet port of the Raspberry Pi to a LAN port of any modem or router with Internet connectivity and DHCP support. No configuration is required on the modem/router side.
- Open a console on the Raspberry Pi (you can either use SSH or a keyboard/monitor directly connected to the Raspberry Pi). The default username and password for Raspbian NOOBS are “pi” and “raspberry”.
- If SSH is not enabled, you can enable it using the raspi-config tool. With the same tool you can also set the name of the Raspberry Pi to “recon.wrt”. If this is not done, you can use its IP address instead of “recon.wrt” (the default is 192.168.100.1).
- Copy lrecon-XXXX-XX-XX.tar.gz to the directory /home/pi on the Raspberry Pi and then move to that directory:
cd /home/pi
- Decompress the content of the L-ReCon distribution:
tar zxf lrecon-XXXX-XX-XX.tar.gz
- Enter the directory opt/meddle/l-recon-pi:
cd opt/meddle/l-recon-pi
- Execute the setup-master installation script and follow the instructions. It will ask for the pi user password (chosen during the Raspbian installation), the name of the Wi-Fi network, and the Wi-Fi password:
sudo ./setup-master
- Shut down the Raspberry Pi:
sudo halt
- Unplug and replug the Raspberry Pi from its power supply and wait 2 minutes for the restart to complete. After this, L-ReCon is ready to be used on any device that is connected to the Wi-Fi network created above.
L-ReCon quick user guide
Once L-ReCon has been installed and the router or Raspberry Pi restarted, L-ReCon is automatically active and processes all the traffic sent by the devices connected to its Wi-Fi, including mobile phones, laptops, and any IoT devices.
Interaction with L-ReCon happens through a web interface that can be accessed from any device connected to the router or Raspberry Pi: http://recon.wrt:8080 (NOTE: the http:// in the URL is mandatory). If the router or Raspberry Pi has a different name, use that name instead. The local IP address can also be used (for example http://192.168.1.1:8080 or http://192.168.100.1:8080).
The main screen of the interface shows the list of PII leaked by the device that is visiting the web interface, if any. The same interface also provides a link to enable or disable TLS interception, with guided installation instructions that are automatically customized for the device being configured (e.g., Android, iOS, and the most popular web browsers). The list of PII leaks in the web interface is refreshed automatically every 30 seconds, but the delay may be higher depending on the number of connected users and the CPU speed/RAM of the router/Raspberry Pi.
Known bugs and issues
L-ReCon is alpha software in its early development phase; therefore it has some limitations and known issues. The most important ones are listed here:
- L-ReCon will slow down your connection, because all the traffic has to be processed by the router's processor.
- L-ReCon looks for PII (including passwords) in the traffic of all devices connected to the router, so it could potentially be abused if an unaware victim connects to the Wi-Fi. To limit this problem, L-ReCon has TLS interception disabled by default.
- L-ReCon only shows PII to the device that shared them. This works for IoT device companion apps and for IoT devices with a web browser. We will add visualization for other IoT devices in future versions.
- Since we released the first version of ReCon in our previous ReCon project, app developers have increased the privacy of their applications and/or made it more difficult for us to detect privacy leaks; therefore there may be false negatives/positives for recently updated apps.
- Android 7 or higher does not, by default, allow L-ReCon to use TLS interception for apps that target that platform. There is no way to change this behavior other than rooting the Android device.
- Several apps (such as banking apps, Facebook, and other popular apps) do not trust L-ReCon's TLS certificates and change their destination address frequently. This prevents them from working correctly when TLS interception is active. To work around this, L-ReCon automatically whitelists the domains contacted by such apps, so some applications may need several attempts before working correctly.
- When TLS interception is disabled, the number of leaks found is very low, since TLS adoption is increasing over time.
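The automatic exception mechanism described in the capabilities list and in the whitelisting issue above, as an added illustration that is not L-ReCon's own mitmproxy modification: a host whose clients repeatedly abort the handshake after being offered the interception certificate is treated as pinned and passed through untouched from then on. The failure threshold and time window are constructed values, and the addon wrapper assumes mitmproxy's `tls_clienthello` / `tls_failed_client` event hooks and their `client_hello.sni`, `ignore_connection` and `context.client.sni` attributes.

```python
"""Auto-exception for pinned domains: added illustration, not L-ReCon's own code."""
import time
from collections import defaultdict


class PinningExceptionTracker:
    """Pure-Python policy: count client-side TLS handshake failures per SNI host."""

    def __init__(self, threshold=2, window_seconds=300):
        self.threshold = threshold         # failures before a host is excepted (assumed value)
        self.window = window_seconds       # failures older than this are forgotten (assumed)
        self.failures = defaultdict(list)  # host -> timestamps of recent failures
        self.exceptions = set()            # hosts now passed through un-intercepted

    def record_failure(self, host, now):
        """Register one failed client handshake at time `now`; True if host is now excepted."""
        if not host:
            return False
        recent = [t for t in self.failures[host] if now - t <= self.window]
        recent.append(now)
        self.failures[host] = recent
        if len(recent) >= self.threshold:
            self.exceptions.add(host)
        return host in self.exceptions

    def should_bypass(self, host):
        """True if this host or a parent domain is excepted (a bare TLD never matches)."""
        if not host:
            return False
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.exceptions
                   for i in range(max(1, len(labels) - 1)))


class PinningAutoException:
    """mitmproxy addon wrapper; hook names and attributes assume mitmproxy's TLS event API."""

    def __init__(self):
        self.tracker = PinningExceptionTracker()

    def tls_clienthello(self, data):
        # runs before mitmproxy answers the ClientHello: opt out of interception
        if self.tracker.should_bypass(data.client_hello.sni):
            data.ignore_connection = True  # raw TCP passthrough, no substitute cert

    def tls_failed_client(self, data):
        # the client tore down the handshake, typical when it pins the real cert
        self.tracker.record_failure(data.context.client.sni, time.time())


addons = [PinningAutoException()]
```

Hosts that are excepted this way are no longer visible to the PII classifier, which is exactly the trade-off the issues list describes.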
Acknowledgments
This work was partially supported by the DHS S&T contract FA8750-17-2-0145 and by an AWS Cloud Credits for Research award.