Plex Media has a major security flaw


photo: Nicolas Asfouri (Getty Images)

Plex Media may be best known as a streaming service for creating custom TV channels, but it turns out that the servers behind it can be misused for more nefarious purposes. On Thursday, cybersecurity firm Netscout reported that the same custom servers used to host these channels are also being used to amplify distributed denial-of-service (DDoS) attacks, all without Plex customers knowing.

One of Plex’s main selling points is that customers can set up their own Plex server on a wide range of devices, then use that server to host their own custom video, photo, or music libraries and stream them to other devices. It is a very useful tool if, for example, you want to compile channels of your parents’ favorite programs and stream them directly to your smart TV.

According to Netscout, when a device running a Plex server boots and connects to the internet, it runs what is known as the Simple Service Discovery Protocol (SSDP) to search for nearby compatible devices that might want to access the content it hosts. In some cases, when these servers advertise themselves over SSDP, the advertisement reaches the user’s router, and if that router is misconfigured, it can relay information about this SSDP service to the open web.

This is where things get precarious, because SSDP connections in general are fairly easy for bad actors to exploit in order to amplify a DDoS attack. You can read the full technical details of how this amplification works elsewhere, but in a nutshell: plug-and-play devices appear on the network and announce themselves (“Nice to meet you. I’m a wireless thermostat. Here are some tricks I can do.”), the network and the device get acquainted, and things work fine. In what is known as a reflection attack, however, a nefarious actor can get a large number of these devices to introduce themselves at the same time to a chosen target, and instead of a pleasant encounter, the unfortunate recipient is deafened.

Netscout said its analysis found approximately 27,000 Plex servers currently connected to the web that could be used for such exploits. In the past, the firm has seen these Plex-based attacks send packets ranging from 52 to 281 bytes. That is not the biggest DDoS traffic we have seen recently, but when enough of these servers are leveraged in a single attack (or when they are exploited alongside other pieces of insecure technology), you can see how it would be enough to do serious damage.
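From the defender’s side, the reflection pattern described above leaves a recognisable trace at the target: unsolicited UDP replies from source port 1900 arriving from many distinct hosts at once. The following is an added example (not Netscout’s tooling or Plex code) that flags that pattern in a batch of flow records; the `Flow` record layout, the sample addresses and the byte sizes are constructed for illustration.

```python
"""Flag SSDP reflection traffic in a batch of flow records (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Tuple

SSDP_PORT = 1900  # UDP port SSDP listens on; amplified replies come *from* it


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


# Constructed sample flows (not real traffic). Four distinct SSDP responders
# send replies to one host on a port it never used for an M-SEARCH, which is
# the pattern a reflection attack leaves at the victim. The last two flows
# are a benign LAN discovery exchange with a local Plex server.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 1900, "198.51.100.5", 40001, "udp", 281),
    Flow("203.0.113.22", 1900, "198.51.100.5", 40001, "udp", 260),
    Flow("203.0.113.35", 1900, "198.51.100.5", 40001, "udp", 275),
    Flow("203.0.113.40", 1900, "198.51.100.5", 40001, "udp", 52),
    Flow("192.168.1.20", 50000, "192.168.1.30", 1900, "udp", 120),
    Flow("192.168.1.30", 1900, "192.168.1.20", 50000, "udp", 230),
]


def find_ssdp_reflection(flows: Iterable[Flow],
                         min_reflectors: int = 3) -> Dict[str, Tuple[int, int]]:
    """Return {victim_ip: (distinct_reflectors, total_bytes)} for destinations
    that received SSDP replies from at least min_reflectors distinct sources.

    The batch is assumed to cover one short time window (e.g. a one-second
    bucket of flow records). Traffic *to* port 1900 is an M-SEARCH request
    rather than a reply and is ignored.
    """
    reflectors = defaultdict(set)
    total = defaultdict(int)
    for f in flows:
        if f.proto != "udp" or f.src_port != SSDP_PORT or f.dst_port == SSDP_PORT:
            continue
        reflectors[f.dst_ip].add(f.src_ip)
        total[f.dst_ip] += f.nbytes
    return {ip: (len(srcs), total[ip])
            for ip, srcs in reflectors.items() if len(srcs) >= min_reflectors}


if __name__ == "__main__":
    for victim, (n, nbytes) in find_ssdp_reflection(SAMPLE_FLOWS).items():
        print(f"possible SSDP reflection toward {victim}: {n} reflectors, {nbytes} bytes")
```

Raising `min_reflectors` or shortening the window trades missed small floods for fewer false alerts on busy networks with many legitimate UPnP devices.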

The firm added that since November of last year it has noticed such Plex-enabled attacks on the rise. But Plex is certainly not the only vector: in 2020, the FBI issued an alert warning companies that their network connections could be exploited to send such amplified attacks. Just last month, Netscout released another warning that some Windows servers could be used to do the same.

We’ve contacted Plex for comment on the Netscout report and will update here when we hear back.
