Plex Media has a major security flaw


Photograph: Nicolas Asfouri (Getty Images)

Plex Media may be best known as the streaming service that lets you build custom TV channels, but it turns out the servers behind those channels can be abused for more damaging purposes. On Thursday, cybersecurity company Netscout reported that the same personal servers used to host these channels are also being used to amplify distributed denial-of-service (DDoS) attacks, all without the Plex customers who run them knowing.

One of Plex's main selling points is that customers can run their own Plex Media Server on a wide range of devices, use that server to store their own video, photo or music libraries, and stream those libraries to other devices. It is a very useful tool if you want to, say, compile channels of your parents' favorite shows and then play them straight to their smart TV.

According to Netscout, when a device running a Plex Media Server boots and connects to the Internet, it uses the Simple Service Discovery Protocol (SSDP for short) to look for nearby compatible devices that might want to reach the content it holds. In the course of that SSDP probing, the server may reach the user's router, and if that router is badly configured, it can end up exposing the server's SSDP service to the open Internet, where anyone can send it requests.

This is where things get dangerous, because SSDP services reachable from the Internet are easy for attackers to exploit to amplify a DDoS attack. The full technical details of how this amplification works are in Netscout's advisory, but in a nutshell: a Universal Plug and Play (UPnP) device joins a network and announces itself to anything that asks ("Nice to meet you. I'm a wireless thermostat. Here are some cool tricks I can do."), the network and the device learn about each other, and everything works fine. SSDP runs over UDP, though, so nothing checks where a request really came from. In a reflection attack, an attacker sends many of these devices small discovery requests with the victim's address forged as the source; each device dutifully sends its much larger introduction to the victim, and instead of a pleasant meet-and-greet the unfortunate recipient is buried under an avalanche of replies it never asked for.

Netscout said its analysis found about 27,000 Plex servers currently reachable from the Internet that can be abused this way. In the attacks it has observed so far, the reflected packets have ranged from 52 to 281 bytes. That is certainly not the biggest DDoS traffic we've seen lately, but when thousands of these servers are harnessed in a single attack (or when they are used alongside other insecure, Internet-exposed technology), you can see how that would be enough to do serious damage.
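As an added example (this is not code from the article, from Netscout, or from Plex), the script below shows the three pieces that make the attack described above work and two ways a defender can spot it in UDP flow records: the small SSDP discovery probe an attacker forges, the larger HTTP-style reply a device sends back, the amplification ratio between them, and checks from the victim's side (one destination receiving discovery replies from many outside hosts) and from a Plex owner's side (discovery probes arriving at a local server from outside the LAN). The flow records and the device reply are constructed sample data; 1900/udp is the standard SSDP port and 32414/udp is the port Plex uses for its own network discovery; the local network prefix is an assumption you would replace with your own.

```python
"""Added example for this article (not code from Netscout, Plex, or the author):
how an SSDP-style reflection attack amplifies, and two checks over UDP flow
records for the traffic it produces. Runs offline on constructed data.
Assumptions: 1900/udp is the standard UPnP SSDP port, 32414/udp is Plex's
network discovery port; all addresses come from documentation ranges."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DISCOVERY_PORTS = {1900, 32414}

# Standard SSDP discovery probe. In a reflection attack it is sent to many
# devices with the victim's address forged as the IP source.
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\n"
            b"HOST: 239.255.255.250:1900\r\n"
            b"MAN: \"ssdp:discover\"\r\n"
            b"MX: 1\r\n"
            b"ST: ssdp:all\r\n\r\n")

# Constructed reply of the kind a UPnP device sends back. Because SSDP runs
# over UDP, the reply goes to whatever address the probe claimed to come from.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"CACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
                b"SERVER: Linux UPnP/1.0 MiniUPnPd/2.0\r\n"
                b"ST: upnp:rootdevice\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")


def parse_ssdp_headers(datagram: bytes) -> dict:
    """SSDP is HTTP-over-UDP: a start line, then 'Name: value' headers."""
    headers = {}
    for line in datagram.decode("ascii", errors="replace").split("\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker has to send."""
    return len(response) / len(request)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


def reflection_targets(flows, local_net, min_reflectors=3):
    """Victim's view: one destination receiving UDP whose *source* port is a
    discovery port from many distinct outside hosts is reflected replies.
    Returns {victim_ip: (distinct_reflectors, total_bytes)}."""
    net = ip_network(local_net)
    seen = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f.proto != "udp" or f.src_port not in DISCOVERY_PORTS:
            continue
        if ip_address(f.src_ip) in net:
            continue  # a LAN device answering a LAN client is normal
        seen[f.dst_ip][0].add(f.src_ip)
        seen[f.dst_ip][1] += f.nbytes
    return {dst: (len(srcs), total) for dst, (srcs, total) in seen.items()
            if len(srcs) >= min_reflectors}


def exposed_reflectors(flows, local_net):
    """Owner's view: discovery is meant for the LAN, so an inbound probe to a
    discovery port on a local host from outside means the router let it in."""
    net = ip_network(local_net)
    return sorted({f.dst_ip for f in flows
                   if f.proto == "udp" and f.dst_port in DISCOVERY_PORTS
                   and ip_address(f.dst_ip) in net
                   and ip_address(f.src_ip) not in net})


# Constructed flow records (not captured data): five outside reflectors
# hammering one victim, legitimate LAN discovery, and one WAN probe that
# reached a local Plex server.
SAMPLE_FLOWS = [
    *(Flow(f"198.51.100.{i}", 32414, "203.0.113.10", 40000, "udp", 2810)
      for i in range(1, 6)),
    Flow("192.168.1.50", 54000, "192.168.1.20", 32414, "udp", 52),
    Flow("192.168.1.20", 32414, "192.168.1.50", 54000, "udp", 281),
    Flow("198.51.100.77", 41000, "192.168.1.20", 32414, "udp", 52),
    Flow("192.168.1.50", 55000, "192.168.1.20", 32400, "tcp", 9000),
]

if __name__ == "__main__":
    print(f"amplification: {amplification_factor(M_SEARCH, SAMPLE_REPLY):.2f}x")
    print("reflection victims:", reflection_targets(SAMPLE_FLOWS, "192.168.1.0/24"))
    print("exposed local reflectors:", exposed_reflectors(SAMPLE_FLOWS, "192.168.1.0/24"))
```

The two flow checks deliberately key on the local prefix rather than on "public versus private" address classes: the signal in both cases is discovery traffic crossing the LAN boundary at all, since neither SSDP nor Plex's discovery has any business reaching or leaving the Internet. If the owner's check ever returns your server, the fix is on the router (disable UPnP on the WAN side and do not forward the discovery ports), not on Plex.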

The company added that it has seen these Plex-enabled attacks on the rise since November of last year. Plex is certainly not the only vector, though: in 2020, the FBI issued an alert warning organizations that their own network devices could be exploited to send this kind of amplified traffic, and last month Netscout issued another warning that certain Windows servers can be abused the same way.

We contacted Plex to comment on the Netscout report and will update here when we have a response.
