A researcher has reverse-engineered the iOS SDK that Bright Data embeds in consumer apps and documented how, with the user's consent, it can turn devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic for a data business Bright Data markets heavily to the AI industry.
The company, the successor to Luminati, operates what it calls the largest residential proxy network in the world, advertised at more than 400 million residential IPs. Part of that supply comes from this SDK, shipped inside free apps behind an opt-in screen and described by Bright Data as a consent-sourced pool of 150 million-plus IPs.
The findings, published June 5 by Include Security and independent researcher Buchodi, matter because the scraping comes from the user's home IP, not the customer's. The immediate risk is not a hacked account or stolen data; it is that a home connection and its bandwidth get used as someone else's scraping infrastructure.
A connected TV is close to ideal for that: usually plugged in, on a fast connection, effectively unmetered, and unwatched.
The deepest technical evidence is from the iOS SDK; the smart-TV reach rests on Bright Data's platform support, its public partner list, and earlier reporting. The research found the peer channel that carries scraping jobs has no real authentication, and that on iOS, its traffic bypasses a configured VPN, which Bright Data says is an unintended bug it is fixing.
Inside the peer tunnel
When the app opens, the research found, the SDK fetches its instructions from a server that checks only the app's public ID and version, which means the same configuration can be pulled by anyone. From there, the server can direct the device to fetch pages from other websites, using the user's home internet connection to do it.
The research found that the channel that carries those jobs has none of the usual security checks on who connects.
On iPhones, the research found that this traffic slips past a configured VPN, and that the SDK is built in a way that keeps part of its activity out of view of some standard tools used to monitor apps. Bright Data says the VPN behavior is an unintended bug rather than a deliberate attempt to hide the SDK, that VPN traffic holds no value for its network, and that it is updating the software to detect an active VPN and stop routing around it.
The research also found the device can keep relaying in the background while someone is watching the screen or on a call, as long as the battery is not low.
The consent gap
The research highlights a gap between how the opt-in screen describes the SDK and what its configuration permits. In Petflix, a Roku app, the screen tells users that Bright Data will "occasionally" use the device's free resources and IP address, and that no personal information is collected except the IP address.
The SDK's configuration, the research found, sets a maximum of 200 GB of Wi-Fi traffic a month. (Petflix runs on Roku, which Bright Data says it no longer supports; the wording is set by the SDK, not the platform.)
The research also found that in a few countries, including Uzbekistan and Oman, the configuration set far higher limits, with devices cleared to keep relaying almost until the battery ran flat. Bright Data says those were temporary legacy rules it has since removed.
The research found Bright Data exposes its list of app partners on a page anyone can open, naming makers of smart-TV apps such as PlayWorks Digital, CloudTV, and Longvision. The researcher is careful to note that being on the list only shows a company worked with Bright Data at some point, not that its app includes the SDK today. Each one would need to be checked on its own.
Bright Data disputes the characterization. In an email to The Hacker News, the company said its opt-in screen is explicit rather than buried in legal text, names Bright Data, links its privacy policy and license, and lets users opt out in two steps and keep using the app either way. It says the SDK reaches only approved domains, collects no personal data or browsing history, uses only the device's IP address, and runs on average around 50 MB a day on Wi-Fi, pausing when the device is busy or low on battery.
The company's CEO, Or Lenchner, said a device in its network "is a device whose owner said yes, understood what they were saying yes to, and can say no again at any moment with two steps." Bright Data also points to independent audits and certifications, including a PwC report, AppEsteem certification, and ISO and SOC 2 attestations, published in its Trust Center.
An old model, pulled by AI demand
None of this is new in shape, only in scale. Bright Data is the successor to Luminati, the paid proxy service that grew out of Hola VPN. In 2015, Hola was caught selling its free users' bandwidth as exit nodes through Luminati, at $20 a gigabyte.
The same business model now runs on the always-on box in the living room, though Bright Data says today's SDK is opt-in and independently audited in ways the 2015 setup was not.
What changed is the buyer. Anti-bot defenses from Cloudflare, DataDome, and others block scrapers coming from datacenter IPs, so AI scrapers route through residential connections instead.
Krebs reported in October 2025 that proxies from botnets like Aisuru are fueling large-scale AI data harvesting, and Google dismantled the criminal IPIDEA proxy network in January. Those operations hijack consumer devices; Bright Data says its exit nodes opt in through a consent screen. That consent is the line between the two, and whether it is meaningful is an open question.
Lowpass, syndicated by The Verge, first surfaced the smart-TV angle in February, and this is the technical teardown. Google, Amazon, and Roku have since restricted background proxy SDKs, and Bright Data dropped those platforms, though it still lists Samsung's Tizen and LG's webOS.
What to do
The traffic is easy to spot and block. On a home network, the simplest step is to block the web addresses the SDK uses to connect, with a router-level tool like Pi-hole or NextDNS.
The main ones are proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, and clientsdk.brdtnet.com. According to the research, blocking these stops the device from acting as a relay without affecting Bright Data's paid service, which runs on separate addresses.
Companies that manage staff phones can also scan for apps that carry the SDK. One catch: on a mobile connection, the traffic sidesteps office Wi-Fi, so a network block alone will not always catch it. Bright Data could also change how the SDK connects in the future, which would mean any blocklist needs updating.
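As an added illustration (not part of the original article or of Bright Data's or the researchers' code), the script below turns the five domains named above into a hosts-format blocklist that Pi-hole and dnsmasq accept, and scans dnsmasq/Pi-hole style query-log lines to show which home-network clients are resolving those names. It also matches subdomains of the five hosts, which goes slightly beyond the article's list; the log lines and client addresses are constructed sample data.

```python
"""Detect and block the Bright Data SDK rendezvous domains at the DNS layer."""
from collections import Counter

# Domains named in the Include Security / Buchodi research, as quoted in the article.
SDK_DOMAINS = (
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
)


def is_sdk_domain(name: str) -> bool:
    """True if name is one of the listed hosts or a subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SDK_DOMAINS)


def hosts_blocklist() -> str:
    """Render a hosts-format blocklist (accepted by Pi-hole adlists and dnsmasq addn-hosts)."""
    return "\n".join(f"0.0.0.0 {d}" for d in SDK_DOMAINS) + "\n"


def flag_queries(log_lines):
    """Parse 'query[<type>] <name> from <client>' lines; return {client: Counter(domain -> hits)}."""
    hits = {}
    for line in log_lines:
        if "query[" not in line or " from " not in line:
            continue  # forwarded/reply/cached lines carry no client address
        after = line.split("query[", 1)[1]        # "A] proxyjs.brdtnet.com from 192.168.1.42"
        _qtype, rest = after.split("] ", 1)       # "proxyjs.brdtnet.com from 192.168.1.42"
        name, client = rest.rsplit(" from ", 1)
        if is_sdk_domain(name):
            key = name.lower().rstrip(".")
            hits.setdefault(client.strip(), Counter())[key] += 1
    return hits


# Constructed sample of a dnsmasq/Pi-hole query log (not real captured data).
SAMPLE_LOG = """\
Jun  5 20:14:02 dnsmasq[123]: query[A] clientsdk.bright-sdk.com from 192.168.1.42
Jun  5 20:14:02 dnsmasq[123]: forwarded clientsdk.bright-sdk.com to 1.1.1.1
Jun  5 20:14:05 dnsmasq[123]: query[A] www.example.com from 192.168.1.10
Jun  5 20:14:09 dnsmasq[123]: query[AAAA] proxyjs.brdtnet.com from 192.168.1.42
Jun  5 20:15:01 dnsmasq[123]: query[A] proxyjs.brdtnet.com from 192.168.1.42
""".splitlines()

if __name__ == "__main__":
    print(hosts_blocklist())
    for client, counts in flag_queries(SAMPLE_LOG).items():
        print(client, dict(counts))  # the device at .42 is the one to inspect
```

As the article notes, Bright Data may change how the SDK connects, so the domain list needs to be kept in step with the research rather than treated as fixed.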
Updated on June 9 and June 16, 2026, to include Bright Data's response and a comment from its CEO, and to reflect later revisions to the source research.