The Living Room Has Become a Proxy Server
Your smart TV is probably on right now. It does not need you in front of it to be useful — at least not to the party that matters here. A reverse-engineering effort published June 5 by Include Security and independent researcher Buchodi documents how a software development kit built by Bright Data, embedded inside free consumer apps, converts everyday devices into exit nodes that relay web-scraping requests on behalf of paying customers. The traffic leaves through your home IP address, not the customer’s. Your connection carries the load; someone else pockets the fee.
Bright Data markets itself as the operator of the world’s largest residential proxy network, advertising more than 400 million residential IPs. A portion of that supply is described by the company as a consent-sourced pool exceeding 150 million IPs, drawn from devices where users agreed to share bandwidth through an opt-in screen inside a free app. The company is the successor to Luminati, which itself grew out of Hola VPN after Hola was caught in 2015 selling its free users’ bandwidth as exit nodes at $20 per gigabyte. The model has not changed in structure. What changed is the hardware running it and the industry writing the checks.
A connected television fits this arrangement almost too well.
What the SDK Actually Does
When an app containing the Bright Data SDK launches, the device contacts one of the company’s servers. That server issues instructions — which external pages to fetch, how often, on whose behalf — and the device’s home internet connection does the fetching. The researcher described the authentication on the channel that carries those scraping jobs as weaker than controls found in most malware. There are no standard identity checks confirming who is requesting the tasks. The server simply tells the device what to retrieve, and the device complies.
On iOS, the behavior goes further. The scraping traffic bypasses a configured VPN, meaning users who believe a VPN is masking or monitoring their device’s outbound connections are wrong — at least for traffic moving through this SDK’s peer tunnel. Much of what the SDK does also evades the monitoring tools security teams typically use to inspect app behavior. The device can continue relaying traffic in the background while a user is actively on the screen or on a call, provided battery levels remain above a low threshold.
The smart-TV angle in the research rests on three sources: Bright Data’s own published platform support documentation, its public partner list, and earlier reporting. That list includes companies that make smart-TV apps: PlayWorks Digital, CloudTV, and Longvision are named. Appearance on the list confirms only that the company worked with Bright Data at some point, not that a current, live version of their app ships the SDK today. Each application would require independent verification.
The Consent Screen Does Not Match the Settings
In one Roku app called Petflix, the opt-in disclosure told users the app would use their device and connection “occasionally.” The SDK configuration that loads after agreement allows up to 200 GB of traffic per month. In several countries, including Uzbekistan and Oman, the caps are set considerably higher and the device is permitted to continue operating until battery reserves are nearly exhausted. The gap between what the screen says and what the software is authorized to do is not subtle.
There is also a linking function. The SDK can associate a user’s phone with other computers running apps from the same company’s network, treating multiple devices as a single user profile for the purpose of routing traffic. Someone who installs two apps from different Bright Data partner developers may have connected their phone and laptop into a single proxy unit without knowing it.
Bright Data’s published partner list is public and accessible. The research team is explicit that inclusion on that list does not by itself establish that any specific app version contains the SDK at any specific moment.
Why AI Scraping Moved to Residential IPs
Anti-bot systems from Cloudflare, DataDome, and other vendors have made datacenter IP addresses increasingly unreliable for web scraping. Requests arriving from known cloud infrastructure get flagged and blocked. Requests arriving from a home IP address in a residential neighborhood are far harder to distinguish from ordinary browsing. For AI companies that need large volumes of training data or continuous web indexing, residential proxies solve a detection problem that datacenter routes cannot.
That demand is not hypothetical. In October 2025, Brian Krebs reported that proxy networks built on botnets — including one called Aisuru — were being used for large-scale AI data harvesting. In January, Google dismantled a criminal proxy operation called IPIDEA. Both of those networks worked by hijacking consumer devices without consent. Bright Data’s model differs in that it claims user agreement through its opt-in screens. That distinction — consent versus compromise — is the entire legal and ethical argument separating the two approaches.
Whether the consent is meaningful is a harder question than whether it exists.
What Makes Always-On Devices Particularly Useful
A smart TV running a free streaming app is close to an ideal proxy exit node by the numbers alone. It draws power continuously, connects over a broadband line rather than mobile data, operates on connections that are effectively unmetered in most U.S. households, and sits idle — from a compute perspective — for most of the hours it is plugged in. No user interaction is required once the app has launched. The device does not need to be in active use.
Mobile devices at least go to sleep and deplete batteries. Desktop computers get shut down. A television in a living room runs twenty-four hours, and nobody watches the network traffic leaving it.
The iOS SDK findings are the deepest technical evidence in the research. The extension of that evidence to smart TVs is supported by platform documentation and the partner list, but each app on connected TV platforms would need hands-on analysis to confirm current SDK presence. The researchers are careful about the distinction, and the write-up reflects it.
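As an added illustration, not code from the research or from Bright Data: one way to watch the traffic leaving an always-on device is to summarize home-router flow records for the hours when nobody is in front of the screen. The record layout, device and host names, and thresholds are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flows (not real captures):
# (start time, LAN device, remote host, bytes sent, bytes received)
FLOWS = [
    # Ordinary TV: evening streaming plus one overnight update check.
    ("2025-06-10T20:00:00", "living-room-tv", "cdn.stream.example", 50_000, 2_000_000_000),
    ("2025-06-10T03:00:00", "living-room-tv", "update.vendor.example", 2_000, 150_000),
    # Relay-like TV: returns fetched content to a hypothetical operator host.
    ("2025-06-10T03:30:00", "bedroom-tv", "relay.operator.example", 4_800_000, 60_000),
]
# ...and fetches pages from many unrelated sites while nobody is watching.
FLOWS += [(f"2025-06-10T03:{i:02d}:00", "bedroom-tv", f"site{i}.example", 3_000, 400_000)
          for i in range(12)]

IDLE_HOURS = range(1, 6)   # assumption: 01:00-05:59 local, screen off
MAX_IDLE_HOSTS = 5         # assumption: an idle streaming app contacts few hosts
MAX_UPLOAD_RATIO = 0.25    # assumption: a TV downloads far more than it sends


def summarize_idle(flows):
    """Per device: distinct remote hosts and byte totals during idle hours."""
    stats = defaultdict(lambda: {"hosts": set(), "up": 0, "down": 0})
    for ts, device, host, sent, received in flows:
        if datetime.fromisoformat(ts).hour in IDLE_HOURS:
            entry = stats[device]
            entry["hosts"].add(host)
            entry["up"] += sent
            entry["down"] += received
    return stats


def flag_relays(flows):
    """Return {device: [reasons]} for devices whose idle traffic looks like relaying."""
    flagged = {}
    for device, s in summarize_idle(flows).items():
        ratio = s["up"] / s["down"] if s["down"] else float("inf")
        reasons = []
        if len(s["hosts"]) > MAX_IDLE_HOSTS:
            reasons.append("fan-out")        # many unrelated destinations
        if ratio > MAX_UPLOAD_RATIO:
            reasons.append("upload-ratio")   # sends back about what it fetched
        if reasons:
            flagged[device] = reasons
    return flagged


if __name__ == "__main__":
    for device, reasons in flag_relays(FLOWS).items():
        print(device, reasons)
```

A flagged device is a prompt for the hands-on, per-app analysis the researchers call for, not proof that any particular SDK is present.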
The Line Between Consent and Exploitation
Hola VPN users in 2015 had a version of the same opt-in problem. The service was free, the bandwidth-sharing terms existed somewhere in the agreement, and most users had no idea their connection was being sold through Luminati at $20 a gigabyte. Bright Data, Luminati’s successor, has formalized that arrangement into a documented SDK with a published partner ecosystem and a consent screen. The infrastructure is more polished. The fundamental transaction — user bandwidth exchanged for free app access — is identical.
The consent screen in the Petflix Roku app said “occasionally.” The configuration file said 200 GB per month.
At $20 a gigabyte, the 2015 Luminati rate, 200 GB would have been worth $4,000 from a single device in a single month. Bright Data’s current pricing structure is different and not directly comparable, but the arithmetic illustrates the gap between what the disclosure says and what the authorization permits. The question of whether a user clicking through an opt-in screen in a free TV app meaningfully agreed to that arrangement is not one the consent screen answers.