Free Apps Turn Smart TVs into Web-Scraping Proxies for AI Data Collection

A security researcher has detailed how a widely-used iOS Software Development Kit (SDK), embedded by the data services company Bright Data, is covertly transforming smart TVs and other connected devices into proxy servers. These devices then act as exit nodes for web-scraping operations, funneling data for Bright Data's extensive residential proxy network, which is heavily marketed to the artificial intelligence (AI) industry.

Bright Data, the successor to Luminati Networks, operates what it claims is the world's largest residential proxy network, boasting over 400 million residential IP addresses. A significant portion of this network's capacity is derived from its SDK, which is distributed within free consumer applications. While users are presented with an opt-in screen, the SDK's functionality extends beyond what is typically disclosed, effectively turning user devices into infrastructure for large-scale data collection.

The core issue lies in the potential for user devices, particularly always-on smart TVs, to become unwitting participants in extensive web scraping. The research highlights that traffic routed through these devices originates from the user's home IP address, not the customer's. This practice poses a risk of consuming user bandwidth and potentially being associated with illicit scraping activities, even though the immediate threat is not direct account compromise or data theft.

Smart TVs are particularly attractive targets due to their typical setup: they are usually plugged in, connected to fast internet, have unmetered bandwidth, and are often left running unattended. The technical investigation, primarily focused on the iOS SDK, revealed that the communication channel used for scraping jobs lacks robust authentication. Furthermore, on iOS devices, this traffic can bypass configured VPNs, making it difficult to detect through standard security monitoring tools.

The consent mechanism provided by the SDK has been found to be misleading. For instance, in one observed Roku app, the opt-in screen suggested occasional use of the device and its connection. However, the SDK's settings allow for up to 200 GB of traffic per month. In certain regions, these limits are even higher, and the device can continue relaying data until its battery is nearly depleted. The SDK also has the capability to link a user's phone and computers running the same company's apps, treating them as a unified entity.

Bright Data publicly lists its app partners, which include developers of smart TV applications such as PlayWorks Digital, CloudTV, and Longvision. While inclusion on this list indicates a past partnership, it does not confirm the current presence of the SDK in their applications, necessitating individual verification. This model, while updated for the AI era, is not entirely new; it mirrors the practices of Luminati, which was previously criticized for selling user bandwidth through Hola VPN.

The demand for residential IPs has surged as AI companies require vast datasets for training models. Advanced anti-bot defenses from companies like Cloudflare and DataDome effectively block scrapers originating from data center IPs, pushing AI data harvesting operations to leverage residential connections. This has led to the dismantling of botnet proxy networks and increased reliance on services like Bright Data's, which claims a legitimate consent-based model.

To mitigate this risk, users can block specific web addresses used by the SDK at the router level, such as proxyjs.brdtnet.com and clientsdk.bright-sdk.com. Blocking these domains can prevent devices from acting as relays without impacting Bright Data's paid services. Companies managing employee devices can also scan for apps containing the SDK, though mobile traffic may bypass network-level blocks. The effectiveness of such blocks may vary as Bright Data could alter its SDK's connection methods in the future.