A researcher has reverse-engineered the iOS SDK that Bright Data embeds in consumer apps and documented how it turns devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic for Bright Data's customers, a business the company markets heavily to the AI industry.
The company, a successor to Luminati, operates what it calls the world's largest residential proxy network, advertising over 400 million residential IPs. Part of that supply comes from this SDK, which ships inside free apps behind opt-in screens and is described as a consent-based pool of over 150 million IPs.
The findings, published June 5 by Include Security and independent researcher Buchody, matter because the scraping comes from the user's home IP, not the customer's. The immediate risk is not a hacked account or stolen data; it is that a home connection and its bandwidth are used as someone else's scraping infrastructure.
A connected TV is close to ideal for this: usually plugged in over a fast connection, effectively unmetered and unwatched.
The deepest technical evidence comes from the iOS SDK; the smart-TV reach rests on Bright Data's platform support, its public partner list and earlier reporting. The research found that the peer channel that delivers scraping jobs has no real authentication, and that on iOS its traffic bypasses the configured VPN.
Inside the peer tunnel
When the app opens, the SDK contacts one of Bright Data's servers and accepts instructions from it without verifying who is on the other end. From then on, the server can ask the device to fetch pages from other websites over the user's home Internet connection.
The researcher found that the channel carrying those jobs lacks the usual security checks, and described it as weaker than the controls built into most malware.
On iPhones, the researchers found that this traffic bypasses the VPN, and that whatever the app does is invisible to the tools security teams typically use to monitor apps. The device can keep relaying in the background even while someone is looking at the screen or making a call, stopping only when the battery runs low.
The consent gap
The opt-in screen doesn't match what the SDK actually allows. In Petflix, a Roku app, the screen said the app would use the device and its connection "sometimes."
The settings loaded by the SDK allow up to 200 GB of traffic per month. In some countries, including Uzbekistan and Oman, the limits are set much higher, and the device is allowed to operate until the battery is depleted. The SDK can link a person’s phone and computers running the same company’s apps together, treating them as one user.
Bright Data publishes a list of its app partners on a page anyone can open, and it includes makers of smart-TV apps such as Playworks Digital, CloudTV, and LongVision. The researchers are careful to note that being on the list only shows that a company worked with Bright Data at some point, not that its apps include the SDK today. Users will need to check for themselves.
An old model pulled by AI demand
None of this is new in kind, only in scale. Bright Data is the successor to Luminati, the paid proxy service that grew out of Hola VPN. In 2015 Hola was caught selling its free users' bandwidth as exit nodes at $20 per gigabyte through Luminati. The same model now runs on an always-on box in the living room.
What has changed is the buyer. Anti-bot protections from Cloudflare, Datadome, and others block scrapers coming from datacenter IPs, so AI scrapers route through residential connections.
Krebs reported in October 2025 that proxies from botnets like Aisuru were facilitating large-scale AI data harvesting, and Google dismantled the criminal IPIDEA proxy network in January. Those operations hijack consumer devices; Bright Data says its exit nodes opt in through a consent screen. That consent is the line between the two, and whether it is meaningful is an open question.
Lowpass, syndicated by The Verge, first reported the smart-TV angle in February; the new research supplies the technical detail. Google, Amazon, and Roku have since banned background proxy SDKs, and Bright Data has dropped those platforms, although it still lists Samsung's Tizen and LG's webOS.
What to do
The traffic is easy to identify and block. On a home network, the simplest step is to block the hostnames the SDK connects to with a network-level DNS filter such as Pi-hole or NextDNS.
The ones named in the research are proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, and clientsdk.brdtnet.com. According to the research, blocking these stops the device from acting as a relay without affecting Bright Data's paid service, which runs at different addresses.
Organizations that manage staff phones can also scan for apps that contain the SDK. One catch: on mobile connections, traffic bypasses office Wi-Fi, so network blocks alone won't always catch it. Bright Data may also change how the SDK connects in the future, which would mean any blocklists would need updating.
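The blocking and detection described above, as an added example that is not part of the research or of any Bright Data code: the script below takes dnsmasq-style query log lines (the resolver inside Pi-hole writes this format), reports which devices on the network tried to resolve the SDK hostnames, and emits a dnsmasq blocklist fragment that sinkholes them. The log lines and IP addresses are constructed for illustration. It matches subdomains beneath the listed hosts as well as the hosts themselves, but deliberately does not block the apex domains (brdtnet.com, bright-sdk.com), because the research says the paid service lives at other addresses.

```python
"""Spot devices resolving Bright Data SDK hostnames and build a DNS sinkhole.

Added example, not code from the research or from Bright Data. The log lines
below are constructed in dnsmasq's query-log format for illustration.
"""
import re
from collections import defaultdict

# Hostnames the research names as the SDK's peer-channel endpoints. Kept in
# one place so the list can be refreshed if the SDK's connection scheme changes.
SDK_HOSTNAMES = (
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
)

# dnsmasq logs each lookup as:
#   <timestamp> dnsmasq[<pid>]: query[<type>] <name> from <client-ip>
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)

# Constructed sample log: two clients hit SDK hosts, one visits brightdata.com
# (the company's own site, not an SDK endpoint), plus one non-query line.
SAMPLE_LOG = """\
Jun  5 21:14:02 dnsmasq[812]: query[A] proxyjs.brdtnet.com from 192.168.1.42
Jun  5 21:14:02 dnsmasq[812]: query[AAAA] proxyjs.brdtnet.com from 192.168.1.42
Jun  5 21:14:05 dnsmasq[812]: query[A] api.example-streaming.test from 192.168.1.42
Jun  5 21:14:09 dnsmasq[812]: query[A] clientsdk.bright-sdk.com from 192.168.1.17
Jun  5 21:14:11 dnsmasq[812]: query[A] brightdata.com from 192.168.1.5
Jun  5 21:14:30 dnsmasq[812]: forwarded proxyjs.brdtnet.com to 1.1.1.1
""".splitlines()


def is_sdk_hostname(name: str) -> bool:
    """True if name is a listed SDK host or a label beneath one.

    Suffix matching is done against the listed hosts, not the apex domains:
    blocking all of brdtnet.com would be wider than the evidence supports.
    """
    name = name.rstrip(".").lower()
    return any(name == h or name.endswith("." + h) for h in SDK_HOSTNAMES)


def relaying_clients(log_lines):
    """Map client IP -> sorted list of SDK hostnames it tried to resolve."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_sdk_hostname(m.group("name")):
            hits[m.group("client")].add(m.group("name").rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


def dnsmasq_blocklist() -> str:
    """dnsmasq lines that sinkhole the SDK hosts (and anything beneath them).

    address=/host/0.0.0.0 answers every query under host with 0.0.0.0, so the
    SDK's connection attempt fails before any TCP session is opened. Drop the
    output into a file under /etc/dnsmasq.d/ on a Pi-hole and restart it.
    """
    return "\n".join(f"address=/{h}/0.0.0.0" for h in SDK_HOSTNAMES) + "\n"


if __name__ == "__main__":
    for client, names in sorted(relaying_clients(SAMPLE_LOG).items()):
        print(f"{client} resolved SDK hosts: {', '.join(names)}")
    print("--- dnsmasq blocklist ---")
    print(dnsmasq_blocklist(), end="")
```

For NextDNS, the same five hostnames go into the denylist in its web console; a denylist entry there also covers subdomains. Re-run the report against the live log after adding the block: a device that keeps querying the hosts is still carrying the SDK, even though its relay attempts now fail.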