Plex might be best known as the go-to streaming service for creating custom TV channels, but it seems its servers can be abused for more harmful purposes. On Thursday, cybersecurity firm Netscout reported that the same custom servers used to host these channels are also being used to bolster distributed denial-of-service (aka DDoS) attacks, all without Plex customers knowing.
One of the main selling points of Plex is that its customers can set up their own Plex server on a lot of different devices, then use that server to host their own custom video, photo, or music libraries and stream those libraries to other devices. It’s a really handy tool if you want to, say, compile channels with your parents’ favorite shows and then stream those shows directly to their smart TV.
Per Netscout, when a particular device running a Plex server starts up and connects to the internet, it will use what is known as the Simple Service Discovery Protocol (or SSDP for short) to search for nearby compatible devices that might want to access any of the juicy content it hosts. In some cases, when these servers search via SSDP, they may accidentally end up connecting to a user’s router, and if that router happens to be poorly configured, it can expose information about that SSDP connection to the open web.
Things get pretty precarious here because SSDP connections can generally be quite easy to exploit by bad actors who want to bolster a DDoS attack. You can read the full technical specifications on how this amplification works here, but in short: plug-and-play devices appear on the network and say something to introduce themselves (“Nice to meet you. I’m a wireless thermostat. Here are some neat tricks I can do.”) Normally, the network and the device get acquainted and things go well. In a reflection attack, however, a bad actor can ask a lot of devices to suddenly introduce themselves to a certain target and, instead of a pleasant meeting, the unhappy recipient is deafened.
Netscout said its analysis turned up about 27,000 Plex servers currently connected to the web that can be used for such exploits. In the past, the company has seen these Plex-based attacks send packets of 52 to 281 bytes. Certainly not the biggest DDoS attack I’ve seen of late, but when enough of these servers are leveraged in a single attack (or when these servers are used together with other pieces of insecure technology), you can see how it would be enough to do some serious damage.
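To make that traffic pattern concrete from the defender's side, here is an added example (not from Netscout or the original article) that scans flow records for many distinct hosts sending SSDP-sized UDP replies to a single address. The use of the standard SSDP port 1900, the alert threshold and the sample flows are assumptions constructed for illustration; the 52 to 281 byte range is the one Netscout reported.

```python
from collections import defaultdict

SSDP_PORT = 1900        # standard SSDP port; Plex-specific ports are not given on the page
SIZE_RANGE = (52, 281)  # packet sizes Netscout reported, in bytes
MIN_REFLECTORS = 3      # assumed alert threshold, tune for your network

# Constructed inbound flow records: (src_ip, src_port, dst_ip, proto, packet_bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 1900, "203.0.113.5", "udp", 281),
    ("198.51.100.11", 1900, "203.0.113.5", "udp", 52),
    ("198.51.100.12", 1900, "203.0.113.5", "udp", 140),
    ("198.51.100.13", 1900, "203.0.113.5", "udp", 279),
    ("192.0.2.77", 1900, "203.0.113.9", "udp", 300),  # outside the size range
    ("192.0.2.78", 53, "203.0.113.9", "udp", 120),    # different service port
    ("192.0.2.79", 1900, "203.0.113.9", "udp", 90),   # only one reflector
    ("192.0.2.80", 1900, "203.0.113.9", "tcp", 90),   # not UDP
]


def find_reflection_targets(flows, ports=(SSDP_PORT,), size_range=SIZE_RANGE,
                            min_reflectors=MIN_REFLECTORS):
    """Return destinations receiving SSDP-style replies from many distinct hosts.

    Reflection traffic arrives *from* the service port on each reflector, so the
    filter is on the source port, not the destination port.
    """
    lo, hi = size_range
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for src, sport, dst, proto, size in flows:
        if proto != "udp" or sport not in ports or not lo <= size <= hi:
            continue
        reflectors[dst].add(src)
        volume[dst] += size
    return {
        dst: {"reflectors": sorted(srcs), "bytes": volume[dst]}
        for dst, srcs in reflectors.items()
        if len(srcs) >= min_reflectors
    }


if __name__ == "__main__":
    for target, info in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{target}: {len(info['reflectors'])} reflectors, {info['bytes']} bytes")
```
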
The company added that since November of last year, it has noticed that these types of Plex attacks have increased. But Plex is certainly not the only vector: in 2020, the FBI actually issued an alert warning companies that their network connections could be exploited to send such amplified attacks. Just last month, Netscout issued another warning that certain Windows servers could be used to do the same.
We’ve contacted Plex for comment on the Netscout report and we’ll update here when we hear back.