Scanning for mobile devices running Netflix
Written 2016-12-06
Tags:API Netflix REST Mongoose
Strange Port You Have Open There
Recently, I found that my television had a new TCP port open - 9080. When I closed the Netflix application, the port closed too. Netflix uses port 9080 to host a few APIs, presumably for mobile remote control or some other local-network-interfaced application. Interestingly, Netflix on Android also listens on port 9080. On both devices, the server does not respond with much except the string status=ok. NMAP service detection correctly guesses it to be a Mongoose Server, a commonly embedded http server. As an embedded http server, it is non-trivial to guess URIs, as the URIs point to snippets of code inside the application rather than static files. But, guessing /ping as a URI returns PONG. I suspect there are more functional URIs, but even a simple response is enough for some work.
Shame If Anything...Happened To It
Oddly, Netflix listens to port 9080 on all network interfaces. By using two devices on the same cellular network, one can check if the other is running Netflix by checking for an open port 9080, like so:
rsaxvc@x220:~/code/rsaxvc.net.blagr/input/posts/Hacking$ nmap 10.186.111.239 -p 9080
Starting Nmap 7.31 ( https://nmap.org ) at 2017-01-01 21:04 CST
Nmap scan report for mobile.rsaxvc.net (10.186.111.239)
Host is up (0.17s latency).
PORT STATE SERVICE
9080/tcp open glrpc
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
rsaxvc@x220:~/code/rsaxvc.net.blagr/input/posts/Hacking$
By replacing the IP address with a range corresponding to a cellular network, it becomes quite simple to scan for users running Netflix.
Remediation Timeline
- December 7th, 2016 - Issue initially reported to the Netflix responsible disclosure program.
- December 23rd, 2016 - Completed documentation and proposed solution.
- December 27th, 2016 - Netflix confirmed issue.
- April 2017 - Netflix fixed issue by only listening on local networks.