Plex Media may be best known as the streaming service that lets you create custom TV channels, but it turns out that its servers can be abused for more sinister purposes. On Thursday the cybersecurity company Netscout reported that the same custom servers used to host these channels are also being used to amplify distributed denial of service (DDoS) attacks, all without Plex’s customers knowing.
One of Plex’s most important selling points is that customers can set up their own Plex server on a variety of devices, use that server to house their own custom video, photo, or music libraries, and then stream those libraries to other devices. It is a very useful tool if you want to compile channels of your parents’ favorite programs and then stream those shows directly to your smart TV.
Per Netscout, when a device running a Plex server starts up and connects to the internet, it uses what is called the Simple Service Discovery Protocol (SSDP for short) to scan for compatible devices nearby that might want access to the content it holds. In some cases, when these servers probe the network via SSDP, they may inadvertently end up reaching the user’s router, and if that router happens to be poorly configured, it can pass traffic for that SSDP service to and from the open internet.
Things get pretty precarious here because SSDP in general can quite easily be abused by bad actors who want to amplify a DDoS attack. You can read the complete technical details of how this amplification works over here, but in a nutshell: plug-and-play devices pop up on a network and say something to introduce themselves (“Nice to meet you. I’m a wireless thermostat. Here are some nice tricks I can do.”). Normally the network and the device get to know each other and things work out fine. In what is called a reflection attack, however, an attacker asks lots of these devices to introduce themselves at once to a chosen target, and instead of a pleasant meet-and-greet, the unfortunate recipient gets an earful.
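From a defender’s side, the telltale sign of this kind of abuse is SSDP replies (UDP source port 1900) leaving your network toward addresses that are not on your LAN, and lots of them going to the same destination. The script below is an added example, not code from the article, from Netscout, or from Plex; it assumes a simple constructed flow-log format (source address and port, destination address and port, protocol, byte count), and the sample records are constructed, not real traffic. It flags external destinations that are receiving SSDP replies from your hosts and works out a rough amplification factor from the response and request sizes.

```python
"""Flag SSDP (UDP/1900) replies leaving a network toward external addresses.

Added example, not code from the article or from Netscout/Plex. The flow-log
format and the sample records are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900  # well-known SSDP/UPnP discovery port

# Prefixes you consider "inside" your network (RFC 1918 ranges here; adjust to
# your own address plan). Replies to these destinations are normal discovery.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# 203.0.113.0/24 is a documentation range, used here as a stand-in for an
# external victim address.
SAMPLE_FLOWS = [
    ("192.168.1.20", 1900, "192.168.1.1", 50123, "udp", 281),    # LAN discovery reply: expected
    ("192.168.1.20", 1900, "203.0.113.5", 80, "udp", 281),       # reply to an outside host
    ("192.168.1.20", 1900, "203.0.113.5", 80, "udp", 265),
    ("192.168.1.20", 1900, "203.0.113.5", 80, "udp", 281),
    ("192.168.1.20", 32400, "198.51.100.9", 44010, "tcp", 1500),  # ordinary media stream, not SSDP
    ("192.168.1.31", 1900, "203.0.113.5", 80, "udp", 52),        # second host replying to same target
]


def is_local(ip: str) -> bool:
    """True if the address falls inside one of LOCAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def ssdp_egress_summary(flows):
    """Aggregate SSDP replies whose destination is outside the local network.

    Returns {dst_ip: {"packets": n, "bytes": total, "reflectors": {src_ip, ...}}}.
    """
    summary = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes in flows:
        if proto != "udp" or src_port != SSDP_PORT:
            continue                      # only SSDP replies are of interest
        if is_local(dst_ip):
            continue                      # replies within the LAN are expected
        entry = summary[dst_ip]
        entry["packets"] += 1
        entry["bytes"] += nbytes
        entry["reflectors"].add(src_ip)   # which of our hosts are being used as reflectors
    return dict(summary)


def flag_reflection_targets(flows, min_packets=3):
    """External destinations that received at least min_packets SSDP replies."""
    return sorted(dst for dst, entry in ssdp_egress_summary(flows).items()
                  if entry["packets"] >= min_packets)


def amplification_factor(response_bytes: int, request_bytes: int) -> float:
    """Bytes sent to the victim per byte the attacker had to send (assumed request size)."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


if __name__ == "__main__":
    for dst, entry in ssdp_egress_summary(SAMPLE_FLOWS).items():
        print(f"{dst}: {entry['packets']} SSDP replies, {entry['bytes']} bytes, "
              f"from {sorted(entry['reflectors'])}")
    print("flagged targets:", flag_reflection_targets(SAMPLE_FLOWS))
    # 100-byte request size is an assumption for illustration, not a measured value.
    print("amplification for a 281-byte reply:", amplification_factor(281, 100))
```

Run over the constructed records, the script reports 203.0.113.5 as a target receiving replies from two internal hosts, while the reply to 192.168.1.1 and the TCP media stream are ignored. The same logic applied to real flow exports (with LOCAL_NETS set to your own prefixes) is a cheap way to spot whether your router is letting SSDP traffic out; the fix on the device side is to block inbound and outbound UDP/1900 at the network edge.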
Netscout said its analysis found approximately 27,000 Plex servers currently reachable on the internet that could be used for this type of attack. In the past, the company has seen these Plex-based attacks send packets ranging from 52 to 281 bytes. That certainly is not the largest DDoS attack we have seen of late, but when enough of these servers are exploited in a single attack (or when they are exploited alongside other pieces of insecure technology), you can see how that would be enough to do serious harm.
The company added that it has noticed an increase in such Plex-enabled attacks since November of last year. But Plex is certainly not the only vector: back in 2020, the FBI issued a warning to companies that their network connections could be exploited to send such amplified attacks. Just last month, Netscout issued yet another warning that certain Windows servers can be used to do the same.
We have contacted Plex for comment on the Netscout report and will update here when we hear back.