Free Apps Are Quietly Turning Smart TVs Into Surveillance Machines

A security researcher has revealed that Bright Data, formerly known as Luminati, embeds code in free consumer apps that turns user devices including iPhones and smart TVs into web scraping proxies. The company claims to operate the world's largest residential proxy network with over 400 million IP addresses, with more than 150 million coming from these embedded software development kits placed in apps with user consent. The problem is particularly severe with smart TVs because they remain constantly powered on, connected to fast internet, and are rarely monitored for suspicious activity.

The technical analysis published by Include Security and researcher Buchodi on June 5 exposed serious security weaknesses in how this system operates. The code connects to Bright Data servers without proper authentication and receives instructions to scrape websites using the consumer's home internet connection. On iPhones, this traffic deliberately bypasses any configured VPN, making it invisible to standard security monitoring tools. The communication channel lacks basic security measures, and devices can continue transmitting data in the background during calls or regular use as long as battery levels remain sufficient. The consent screens shown to users grossly misrepresent the actual behavior, with one example claiming the service would only use the device occasionally when settings actually permit up to 200 gigabytes of monthly traffic.

This practice is not entirely new, as Bright Data emerged from the controversial Hola VPN service that was exposed in 2015 for selling user bandwidth through its Luminati proxy service at twenty dollars per gigabyte. What has changed is the scale and demand, driven primarily by AI companies that need residential IP addresses to bypass anti-bot protections from services like Cloudflare and DataDome. While illegal botnet operations like Aisuru and IPIDEA have been shut down for similar activities without consent, Bright Data operates in a legal gray area by obtaining user agreement through vague terms buried in app permissions. Major platforms including Google, Amazon, and Roku have since restricted background proxy SDKs, forcing Bright Data to discontinue support for those platforms, though Samsung Tizen and LG webOS reportedly remain supported.

Users can protect themselves by blocking the specific domains used by this code at the router level using tools like Pi-hole or NextDNS. The primary domains to block include proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, and clientsdk.brdtnet.com. According to the research, blocking these addresses prevents devices from functioning as proxies without interfering with Bright Data's legitimate paid services. However, companies managing employee devices face additional challenges since this traffic can bypass office networks by using mobile data connections, and Bright Data could modify its connection methods in the future, requiring ongoing vigilance and blocklist updates.
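As an added illustration of the blocking and monitoring approach described above (this is example code written for this article, not code from the research or from Bright Data), the following script emits a hosts-style blocklist for the five domains named in the article and flags any client on the home network that still resolves them, using the dnsmasq query-log format Pi-hole writes. The log lines are constructed samples, not real captures.

```python
import re
from collections import defaultdict

# The SDK domains named in the article; blocking these at the resolver is the mitigation.
PROXY_SDK_DOMAINS = {
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
}

# dnsmasq (Pi-hole) query-log line, e.g.
# "Jun  5 21:14:02 dnsmasq[1234]: query[A] proxyjs.brdtnet.com from 192.168.1.42"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def is_blocked(name: str) -> bool:
    """True if name is one of the SDK domains or a subdomain of one (no substring matches)."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in PROXY_SDK_DOMAINS)


def blocklist_lines() -> list:
    """Hosts-file style entries ('0.0.0.0 domain') for a Pi-hole adlist or similar blocklist."""
    return [f"0.0.0.0 {d}" for d in sorted(PROXY_SDK_DOMAINS)]


def find_proxy_clients(log_lines) -> dict:
    """Map each client IP that queried an SDK domain to the sorted list of domains it asked for."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group("name")):
            hits[m.group("client")].add(m.group("name").rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}


# Constructed sample log lines (hypothetical devices on a 192.168.1.0/24 home network).
SAMPLE_LOG = [
    "Jun  5 21:14:02 dnsmasq[1234]: query[A] proxyjs.brdtnet.com from 192.168.1.42",
    "Jun  5 21:14:02 dnsmasq[1234]: query[AAAA] clientsdk.bright-sdk.com from 192.168.1.42",
    "Jun  5 21:14:03 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10",
    "Jun  5 21:14:05 dnsmasq[1234]: query[A] proxyjs.luminatinet.com from 192.168.1.77",
    "Jun  5 21:14:06 dnsmasq[1234]: query[A] notproxyjs.brdtnet.com from 192.168.1.10",
]

if __name__ == "__main__":
    print("\n".join(blocklist_lines()))
    for client, names in find_proxy_clients(SAMPLE_LOG).items():
        print(f"{client} resolved proxy SDK domains: {', '.join(names)}")
```

Any device that shows up in the second report after the blocklist is deployed is one whose DNS is not going through the filtering resolver (for example, a TV or phone using its own DoH or mobile data), which is the gap the article warns about.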

Stay secure — stay Wavasec. 🔐