Plex Media is perhaps best known as the streaming service for creating custom TV channels, but it turns out its servers can be misused for more nefarious purposes. The cybersecurity company Netscout reported on Thursday that the same custom servers used to host these channels are also being used to amplify denial-of-service (DDoS) attacks, all without the knowledge of Plex’s customers.
One of Plex’s main selling points is that its customers can set up their own Plex server on a wide variety of devices, then use that server to host their own custom video, photo, or music libraries and stream those libraries to other devices. It’s a very useful tool if, for example, you want to curate channels of your parents’ favorite shows and stream them straight to their smart TV.
Per Netscout, when a device running a Plex server boots up and connects to the Internet, it uses the Simple Service Discovery Protocol (SSDP for short) to scan for nearby compatible devices that might want to access the content inside. In some cases, when these servers probe via SSDP, they can inadvertently reach the user’s router, and if that router happens to be poorly configured, it can expose that SSDP service to the open web.
This is precarious because SSDP services can generally be exploited quite easily by bad actors who want to amplify a DDoS attack. You can read the full technical explanation of how this amplification works here, but in a nutshell: plug-and-play devices appear on a network and announce themselves (“Nice to meet you. I’m a wireless thermostat. Here are some neat tricks I can do.”); the network and the device get to know each other, and everything runs fine. However, because this can be turned into a reflection attack, a nefarious person can ask loads of these devices to introduce themselves to a particular target all at once, and instead of a pleasant meet-and-greet, the unlucky recipient gets a deafening roar.
Netscout said its analysis revealed about 27,000 Plex servers currently connected to the web that can be used for these types of exploits. In the past, the company has seen these Plex-based attacks broadcast packets of 52 to 281 bytes. That is definitely not the largest DDoS attack we have seen as of late, but with enough of these servers used in a single attack (or when they are exploited in conjunction with other insecure tech), you can see how it would be enough to do serious damage.
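The two paragraphs above describe what makes an exposed discovery service usable as a reflector: a small request from outside the network triggers a larger reply, and a spoofed source address steers that reply at a victim. The added example below (not part of the original article or of Netscout’s report) is a defender’s check over constructed flow records: it flags UDP discovery replies that leave the local network for an outside host, which is exactly the condition that should never occur, and reports the reply-to-request byte ratio. The sample records, the choice of 1900/udp (standard SSDP) plus 32414/udp as a Plex discovery port, and the field layout are all assumptions made for the example.

```python
import ipaddress

# Constructed flow records (not captured traffic): proto,src_ip,src_port,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
udp,192.168.1.20,1900,203.0.113.7,41000,310
udp,203.0.113.7,41000,192.168.1.20,1900,90
udp,192.168.1.20,1900,192.168.1.50,52000,310
udp,198.51.100.9,44444,192.168.1.20,32414,52
udp,192.168.1.20,32414,198.51.100.9,44444,281
tcp,192.168.1.20,32400,203.0.113.7,50000,1500
"""

# 1900/udp is standard SSDP; 32414/udp is assumed here to be the Plex discovery port.
DISCOVERY_PORTS = {1900, 32414}

# Discovery replies should only ever reach hosts on the local network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_flows(text):
    """Turn CSV-style flow records into dicts with numeric ports and byte counts."""
    flows = []
    for line in text.strip().splitlines():
        proto, sip, sport, dip, dport, nbytes = line.split(",")
        flows.append({"proto": proto, "src_ip": sip, "src_port": int(sport),
                      "dst_ip": dip, "dst_port": int(dport), "bytes": int(nbytes)})
    return flows

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def find_exposed_reflectors(flows):
    """Flag UDP discovery replies that leave the network for a non-local host.
    Reply bytes / request bytes is the amplification an attacker gets by spoofing that host."""
    # Index inbound requests by the reply's 4-tuple so each reply can find its trigger.
    requests = {}
    for f in flows:
        if f["proto"] == "udp" and f["dst_port"] in DISCOVERY_PORTS:
            requests[(f["dst_ip"], f["dst_port"], f["src_ip"], f["src_port"])] = f["bytes"]
    findings = []
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in DISCOVERY_PORTS or is_local(f["dst_ip"]):
            continue  # not a discovery reply, or a normal reply to a LAN neighbour
        req = requests.get((f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"]))
        findings.append({"server": f["src_ip"], "port": f["src_port"], "target": f["dst_ip"],
                         "bytes_out": f["bytes"],
                         "amplification": round(f["bytes"] / req, 2) if req else None})
    return findings
```

On the sample data the reply to the LAN neighbour and the TCP streaming session are ignored, while the two replies sent to outside addresses are reported with their amplification factors; the fix on the network side is to block inbound UDP to those ports at the router and disable UPnP port forwarding.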
The company added that it has noticed these types of attacks involving Plex on the rise since November of last year. But Plex is by no means the only vector: in 2020 the FBI issued a warning to companies that their network connections could be exploited to send these types of amplified attacks. Last month, Netscout released another warning that certain Windows servers can be used to do the same.
We’ve reached out to Plex for comment on the Netscout report and will update here when we hear back.