Free Apps Transform Smart TVs Into Web-Scraping Proxies for AI, Exposing Home Networks to Unchecked Traffic


A recent investigation has unveiled significant security implications surrounding a Bright Data iOS SDK embedded in consumer applications. This SDK can turn devices, including smart TVs, into exit nodes that relay web-scraping traffic, primarily aimed at serving the burgeoning AI industry.

Bright Data, the successor to Luminati, claims to operate the largest residential proxy network globally, boasting over 400 million residential IP addresses. A portion of this extensive network is sourced from the SDK, which is integrated into free applications that present users with an opt-in consent screen. This consent-based pool is marketed as comprising over 150 million IPs.

The findings, published on June 5, reveal that the web-scraping activities originate from the user’s home IP address rather than that of Bright Data’s customer. This raises immediate concerns not about compromised accounts or stolen data, but about the unauthorized use of home internet connections and bandwidth as part of a third-party scraping infrastructure. Smart TVs, which are typically always connected, fast, and often unwatched, are particularly well-suited for this purpose.

Inside the Peer Tunnel

Upon launching the application, the SDK communicates with one of Bright Data’s servers, which provides instructions without verifying the identity of the requester. Consequently, the server can direct the device to retrieve web pages using the user’s home internet connection. The investigation found that the channel facilitating these scraping tasks lacks standard security checks, rendering it less secure than many malware systems.

On iOS devices, the traffic generated by this SDK can bypass configured VPNs, and much of the application’s activity remains undetected by conventional security monitoring tools. The device can continue relaying data in the background, even while the user is actively engaged with the screen or on a call, as long as the battery remains sufficiently charged.

The Consent Gap

The opt-in consent screen presented to users does not accurately reflect the SDK’s capabilities. For instance, in the Roku app Petflix, the consent screen states that the device and its connection would be utilized “occasionally.” However, the SDK settings permit up to 200 GB of traffic monthly, with even higher limits in certain countries like Uzbekistan and Oman. In these regions, the device can operate almost continuously, draining the battery in the process. Furthermore, the SDK can link a user’s phone and computers that run the same company’s applications, treating them as a single user.

Bright Data maintains a publicly accessible list of app partners, which includes developers of smart-TV applications such as PlayWorks Digital, CloudTV, and Longvision. It is important to note that inclusion on this list does not guarantee that the SDK is currently embedded in any specific app; each application must be evaluated individually.

An Old Model, Pulled by AI Demand

The underlying model is not new but has evolved in scale. Bright Data emerged from Luminati, a paid proxy service that originated from the Hola VPN. In 2015, Hola was found to be selling its users’ bandwidth as exit nodes through Luminati at a rate of $20 per gigabyte. This same model is now being applied to the always-on devices in living rooms.

The shift in demand has been driven by the need to circumvent anti-bot defenses employed by companies like Cloudflare and DataDome, which block scrapers originating from data center IPs. As a result, AI scrapers are increasingly relying on residential connections to conduct their activities.

Reports indicate that botnets, such as Aisuru, are now leveraging residential proxies for large-scale AI data harvesting. In January, Google dismantled the criminal IPIDEA proxy network, which had been hijacking consumer devices. Bright Data asserts that its exit nodes operate under user consent, raising questions about the validity and significance of that consent.

The smart-TV angle was first highlighted in February, and subsequent technical analyses have revealed the extent of the issue. Major companies like Google, Amazon, and Roku have since restricted background proxy SDKs, leading Bright Data to withdraw from these platforms while still supporting others like Samsung’s Tizen and LG’s webOS.

What to Do

Identifying and blocking this traffic is feasible. Home network users can take proactive steps by blocking the web addresses utilized by the SDK through router-level tools such as Pi-hole or NextDNS. Key addresses to block include proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, and clientsdk.brdtnet.com. Blocking these addresses can prevent the device from functioning as a relay without disrupting Bright Data’s paid services, which operate on separate addresses.

Organizations managing employee devices should also conduct scans for applications that may contain the SDK. However, it is essential to note that on mobile networks, this traffic can bypass office Wi-Fi, making network-level blocks insufficient in some cases. Bright Data may also alter how the SDK connects in the future, necessitating updates to any blocklists.
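The blocking and scanning steps above can be checked against a home router’s DNS logs. The script below is an added example, not code from the article or from Bright Data: it assumes dnsmasq/Pi-hole style query-log lines, reports which LAN clients have resolved the SDK hostnames named above, and renders those hostnames as a hosts-format list (the format Pi-hole adlists accept) or a plain one-domain-per-line list. The log lines are constructed samples.

```python
"""Flag LAN devices resolving the Bright SDK hosts from the article and emit a blocklist."""
import re
from collections import defaultdict

# Hostnames the article lists as used by the SDK's relay channel.
SDK_HOSTS = {
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
}

# dnsmasq / Pi-hole query line shape (assumed): "... query[A] <name> from <client>"
QUERY_RE = re.compile(r"query\[(?:A|AAAA|HTTPS)\]\s+(\S+)\s+from\s+(\S+)")


def is_sdk_host(name: str) -> bool:
    """True if name is one of the SDK hosts or a subdomain of one (case/trailing-dot insensitive)."""
    name = name.rstrip(".").lower()
    return any(name == h or name.endswith("." + h) for h in SDK_HOSTS)


def find_relays(log_lines):
    """Return {client_ip: sorted SDK hostnames it queried}; clients absent from the dict are clean."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_sdk_host(m.group(1)):
            hits[m.group(2)].add(m.group(1).rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}


def blocklist(fmt: str = "hosts") -> str:
    """Render the SDK hosts as a hosts-format list ('hosts') or one domain per line ('plain')."""
    hosts = sorted(SDK_HOSTS)
    if fmt == "hosts":
        return "".join(f"0.0.0.0 {h}\n" for h in hosts)
    return "".join(f"{h}\n" for h in hosts)


# Constructed sample log lines (not a real capture); 192.168.1.10 is a clean client.
SAMPLE_LOG = [
    "Jun  5 20:01:13 dnsmasq[512]: query[A] proxyjs.brdtnet.com from 192.168.1.42",
    "Jun  5 20:01:13 dnsmasq[512]: forwarded proxyjs.brdtnet.com to 1.1.1.1",
    "Jun  5 20:01:20 dnsmasq[512]: query[A] www.example.com from 192.168.1.10",
    "Jun  5 20:05:02 dnsmasq[512]: query[AAAA] clientsdk.bright-sdk.com from 192.168.1.42",
    "Jun  5 20:06:40 dnsmasq[512]: query[A] clientsdk.brdtnet.com. from 192.168.1.77",
]

if __name__ == "__main__":
    for ip, names in find_relays(SAMPLE_LOG).items():
        print(f"{ip} resolved SDK hosts: {', '.join(names)}")
    print(blocklist(), end="")
```

Because the SDK can bypass office Wi-Fi over mobile networks and its hostnames may change, treat a hit as a prompt to inspect the device’s installed apps rather than as the only control.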

For further insights into this developing story, refer to the original reporting source: thehackernews.com.
