Scanning for mobile devices running Netflix

Written 2016-12-06

Tags: API, Netflix, REST, Mongoose

Strange Port You Have Open There

Recently, I found that my television had a new TCP port open: 9080. When I closed the Netflix application, the port closed too. Netflix uses port 9080 to host a few APIs, presumably for mobile remote control or some other local-network-facing feature. Interestingly, Netflix on Android also listens on port 9080. On both devices, the server does not respond with much beyond the string status=ok. Nmap service detection correctly identifies it as Mongoose, a commonly embedded HTTP server. Because the server is embedded, guessing URIs is non-trivial: each URI maps to a handler inside the application rather than to a file on disk, so there is no directory layout to enumerate. Still, guessing /ping as a URI returns PONG. I suspect there are more functional URIs, but even a simple response is enough for some work.

Shame If Anything...Happened To It

Oddly, Netflix listens on port 9080 on all network interfaces, not just Wi-Fi. By using two devices on the same cellular network (one that does not isolate subscribers from one another), one can check whether the other is running Netflix by probing for an open port 9080, like so:

rsaxvc@x220:~/code/rsaxvc.net.blagr/input/posts/Hacking$ nmap 10.186.111.239 -p 9080

Starting Nmap 7.31 ( https://nmap.org ) at 2017-01-01 21:04 CST
Nmap scan report for mobile.rsaxvc.net (10.186.111.239)
Host is up (0.17s latency).
PORT STATE SERVICE
9080/tcp open glrpc

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
rsaxvc@x220:~/code/rsaxvc.net.blagr/input/posts/Hacking$

By replacing the IP address with a range corresponding to a cellular carrier's address block, it becomes quite simple to scan for users running Netflix. Since port 9080 is also used by other software (Nmap's service table labels it glrpc, as in the output above), a hit should be confirmed by checking for the status=ok body and the /ping PONG reply rather than trusting the open port alone.
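The fingerprint described in the first section (status=ok at the root, PONG at /ping) and the range scan described here, as an added example that is not the original post's code and not Netflix's: a small probe that treats a host as a Netflix listener only when both responses match, a range scanner built on it, and a constructed loopback stand-in for the Mongoose server so the example runs offline. The stand-in, the helper names and the CIDR are assumptions; only port 9080 and the two response strings come from the post.

```python
"""Probe for the Netflix local-control listener on TCP 9080.

Added example (not from the original post or from Netflix). The fake
listener below is a constructed stand-in for the Mongoose server, mimicking
only the two responses observed in the post. Hostnames, ports other than
9080 and the CIDR used in the usage call are hypothetical.
"""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer

NETFLIX_PORT = 9080


class FakeNetflixHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: '/ping' -> 'PONG', anything else -> 'status=ok'."""

    def do_GET(self):
        body = b"PONG" if self.path == "/ping" else b"status=ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_listener(port=0):
    """Start the stand-in server on loopback; returns the bound port."""
    srv = HTTPServer(("127.0.0.1", port), FakeNetflixHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port


def http_get(host, port, path, timeout=1.0):
    """Raw HTTP/1.0 GET. Returns the response body, or None when the port is
    closed/filtered or the peer does not answer with an HTTP response."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return None
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else None


def probe(host, port=NETFLIX_PORT, timeout=1.0):
    """True only for the full fingerprint from the post: root body contains
    'status=ok' AND /ping returns 'PONG'. An open port alone is not a match,
    because 9080 is shared with other software (Nmap labels it 'glrpc')."""
    root = http_get(host, port, "/", timeout)
    if root is None or b"status=ok" not in root:
        return False
    return http_get(host, port, "/ping", timeout) == b"PONG"


def scan_range(cidr, port=NETFLIX_PORT, timeout=1.0, workers=64):
    """Probe every address in a CIDR block; returns the IPs that match."""
    net = ipaddress.ip_network(cidr, strict=False)
    # For /31 and /32 there are no separate network/broadcast addresses.
    hosts = [str(h) for h in (net.hosts() if net.num_addresses > 2 else net)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, probe(h, port, timeout)), hosts))
    return [h for h, matched in results if matched]


if __name__ == "__main__":
    # Offline demo against the constructed listener on loopback.
    p = start_fake_listener()
    print("fingerprint on loopback:", probe("127.0.0.1", p))
    print("hits in 127.0.0.1/32:", scan_range("127.0.0.1/32", p))
    # Against a real (hypothetical) carrier block you would run, e.g.:
    #   scan_range("10.186.0.0/16", timeout=0.5)
```

Requiring both responses keeps the scanner from counting every unrelated service on 9080; the short timeout and thread pool are what make a /16 of cellular addresses practical, since most addresses will simply time out.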

Remediation Timeline

Netflix handled it professionally, remediating it even though it is a very small privacy leak. It was a pleasure working with them.