Plex Media might be best known as the streaming service suited for creating custom TV channels, but it turns out those servers can be abused for more nefarious purposes. On Thursday, the cybersecurity firm Netscout reported that the same custom servers used to host these channels are also being used to beef up denial of service (aka DDoS) attacks — all without Plex’s customers even knowing.
One of Plex’s main selling points is that its customers are able to set up their own Plex server on a bevy of different devices, and then use that server to both house their own custom video, photo, or music libraries, and stream those libraries on other devices. It’s a really handy tool if you want to, say, compile channels with your parent’s favourite shows, and then beam those shows directly to their smart TV.
Per Netscout, when a given device running a Plex Server boots up and connects to the internet, it will run what’s known as a Simple Service Discovery Protocol (or SSDP for short), in order to scan for nearby compatible devices that might want to access any of the juicy content it holds. In some cases when these servers are snooping via SSDP, they can inadvertently end up connecting to a user’s router — and if that router happens to be poorly configured, it can beam information about that SSDP connection onto the open web.
Things get pretty precarious here because SSDP connections, in general, can be pretty easily exploited by bad actors who want to beef up a given DDOS attack. You can read the full technical specs of how this amplification works over here, but in a nutshell: plug-and-play devices show up on a network and say a little something to introduce themselves (“Nice to meet you. I’m a wireless thermostat. Here’s are some neat tricks I can do.”) Normally the network and device get to know each other and things work out fine. This being a reflection attack though, some nefarious person can request loads of these devices to introduce themselves all at once to a given target, and instead of a pleasant meet-and-greet, the unfortunate recipient gets a deafening earful.
Netscout said that its analyses turned up roughly 27,000 Plex servers currently connected to the web that can be used for these sorts of exploits. In the past, the firm has seen these Plex-based attacks send out packets ranging from 52 to 281 bytes. That’s certainly not the biggest DDoS attack we’ve seen as of late, but when enough of these servers are leveraged in a single attack (or when these servers get exploited in conjunction with other pieces of insecure tech), you can see how that would be enough to do some serious damage.
The firm added that since November of last year, it’s noticed that these sorts of Plex-enabled attacks have been on the rise. But Plex certainly isn’t the only vector–back in 2020, the FBI actually issued an alert warning businesses that their network connections could be exploited to send these sorts of amplified attacks. Just last month, Netscout issued another warning that certain Windows servers could be used to do the same.
We’ve reached out to Plex for comment on the Netscout report, and will update here when we hear back.