HackMyIP
2026-06-06 The Hacker News

Bright Data SDK Quietly Turns Smart TVs Into AI Scraping Proxies

Privacy, AI Threats, Supply Chain

A reverse-engineering analysis published June 5 by Include Security and independent researcher Buchodi has exposed how Bright Data, the successor to Luminati and operator of what it calls the world's largest residential proxy network with over 400 million residential IPs, embeds an SDK inside free consumer apps to convert end-user devices into exit nodes for AI-driven web scraping. The research documents a consent-sourced pool of more than 150 million IPs drawn from devices that include always-on smart TVs, where the traffic appears to originate from the user's home connection rather than the scraping customer's infrastructure. Bright Data markets this capability heavily to the AI industry, positioning it as ethically sourced residential bandwidth, though the technical findings raise serious questions about that framing.

The deepest technical evidence comes from the iOS SDK, which the researcher found uses a peer channel with no real authentication, a control posture weaker than what most commodity malware employs. On iPhones, this scraping traffic bypasses configured VPNs, making it effectively invisible to standard network monitoring tools. A user can browse, watch video, or take a call while the device relays traffic in the background, provided the battery remains above a low threshold. The peer channel that carries scraping jobs also allows the SDK to correlate a single user's phone, tablet, and computers that run any partner app, effectively treating the household as a single scraping asset whose devices can be cross-referenced through browser fingerprinting.

The gap between consent and behavior is stark. In a Roku app called Petflix, the opt-in screen told users their device and connection would be used "occasionally," yet the SDK's loaded settings permit up to 200 GB of traffic per month. In select countries including Uzbekistan and Oman, those limits are set even higher, with the device cleared to run until the battery is nearly depleted. Bright Data's public partner list includes smart-TV app makers such as PlayWorks Digital, CloudTV, and Longvision, though the researcher cautions that inclusion on the list only confirms a past business relationship, not necessarily that any current app still ships the SDK. Users who want to check whether their own home connection is being silently routed can run a VPN and proxy detector to see if their IP appears in known residential proxy pools, and a DNS leak test to confirm whether their traffic is actually being tunneled through their configured VPN as expected.

The immediate risk is not a compromised account or stolen credentials; it is the silent consumption of household bandwidth and the reputational and legal exposure that comes from a user's IP being used to scrape third-party websites on someone else's behalf. For organizations whose abuse teams rely on IP reputation to block scraping, the Bright Data network further blurs the line between legitimate residential traffic and automated data collection, making it harder to distinguish a real customer from a relayed proxy request sourced from an unwatched smart TV in a stranger's living room.
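On a home or small-office network, the relaying described above should be visible in per-device flow totals, because a device that relays has to send back upstream what it fetches, and it fetches from many unrelated hosts. The sketch below is an added example, not code from the research or from Bright Data; the flow records are constructed, and the thresholds and device names are assumptions to tune against your own baseline.

```python
from collections import defaultdict

# Constructed sample: (device, remote_host, bytes_down, bytes_up) for one day,
# as a router or flow exporter might summarise it. All names are hypothetical.
SAMPLE_FLOWS = (
    [("living-room-tv", "cdn.video.example", 4_000_000_000, 40_000_000),
     ("living-room-tv", "telemetry.tv.example", 2_000_000, 5_000_000),
     ("bedroom-tv", "cdn.video.example", 3_000_000_000, 30_000_000),
     # High upload, but to a single destination: a backup job, not a relay.
     ("nas", "backup.example", 100_000_000, 5_000_000_000)]
    # A relaying device: many unrelated hosts, upload close to download.
    + [("bedroom-tv", f"site{i}.example", 100_000_000, 95_000_000) for i in range(40)]
    # Ordinary browsing: many hosts, but upload is a small fraction of download.
    + [("laptop", f"web{i}.example", 20_000_000, 1_000_000) for i in range(60)]
)

def summarise(flows):
    """Total bytes and distinct remote hosts per device."""
    stats = defaultdict(lambda: {"down": 0, "up": 0, "hosts": set()})
    for device, host, down, up in flows:
        entry = stats[device]
        entry["down"] += down
        entry["up"] += up
        entry["hosts"].add(host)
    return stats

def flag_relay_candidates(flows, days=1, min_hosts=25, min_up_ratio=0.5,
                          min_up_bytes=500_000_000):
    """Flag devices that combine all three relay traits (assumed thresholds):
    many distinct destinations, upload comparable to download, real volume."""
    findings = {}
    for device, s in summarise(flows).items():
        ratio = s["up"] / s["down"] if s["down"] else float("inf")
        if (len(s["hosts"]) >= min_hosts and ratio >= min_up_ratio
                and s["up"] >= min_up_bytes):
            findings[device] = {
                "hosts": len(s["hosts"]),
                "up_ratio": round(ratio, 2),
                # Projected monthly upload, for comparison with the 200 GB
                # per month setting the article reports.
                "projected_month_gb": round(s["up"] / days * 30 / 1e9, 1),
            }
    return findings

if __name__ == "__main__":
    for device, info in flag_relay_candidates(SAMPLE_FLOWS).items():
        print(device, info)
```

A flagged device is a candidate for closer inspection (which app is installed, what it opted into), not proof that a proxy SDK is present.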

Source: The Hacker News
