A security researcher has taken apart the iOS software development kit (SDK) that Bright Data builds into everyday consumer apps, revealing how it transforms devices—including smart TVs that stay powered on around the clock—into exit nodes that funnel web-scraping traffic for a data-harvesting operation Bright Data aggressively promotes to the artificial-intelligence sector.
The firm, which evolved from the earlier company Luminati, runs what it advertises as the planet’s largest residential proxy network, boasting more than 400 million residential IP addresses. A portion of that pool is fed by this SDK, which ships inside free applications behind a permission prompt and is described by the company as a consent-based collection of over 150 million IPs.
The findings, released on June 5 by Include Security and independent researcher Buchodi, are significant because the scraping activity originates from the user’s own home IP address rather than the customer’s. The immediate danger isn’t a compromised account or stolen personal information—it’s that a household’s internet connection and its available bandwidth get co-opted as someone else’s data-gathering infrastructure.
A connected television is nearly perfect for this purpose: it’s almost always plugged into power, sits on a fast connection, faces no meaningful data caps, and often goes unwatched for long stretches.
The strongest technical evidence comes from the iOS SDK analysis; the smart-TV dimension is supported by Bright Data’s stated platform compatibility, its publicly available partner roster, and prior investigative reporting. The research uncovered that the peer-to-peer channel carrying scraping tasks lacks any meaningful authentication, and on iOS, its traffic circumvents an active VPN connection.
Inside the peer tunnel
When the app launches, the SDK reaches out to one of Bright Data’s servers, which delivers its instructions without genuinely verifying the requester’s identity. From that point forward, the server can direct the device to retrieve pages from other websites, routing the requests through the user’s home internet connection.
The researcher determined that the channel ferrying those tasks is missing the standard security safeguards, describing its protections as weaker than those found in most malicious software.
On iPhones, the researcher observed that this traffic slips past a VPN tunnel, and that much of the SDK’s activity remains invisible to the monitoring tools that security teams typically rely on to inspect app behavior. The device can also continue relaying traffic in the background while the user is actively watching content or on a phone call, provided the battery isn’t critically low.
The consent gap
The permission prompt doesn’t accurately reflect what the SDK is actually capable of doing. In one Roku application called Petflix, the screen stated it would use the device and its connection “occasionally.”
The configuration the SDK loads permits as much as 200 gigabytes of traffic per month. In a handful of countries, including Uzbekistan and Oman, the thresholds are set considerably higher, and the device is authorized to keep operating until the battery is nearly depleted. The SDK can also link a person’s phone and computers running the same company’s apps, treating them as a single user.
Bright Data maintains a publicly accessible page listing its app partners, and it includes developers of smart-TV applications such as PlayWorks Digital, CloudTV, and Longvision. The researcher is careful to clarify that appearing on the list only indicates a company collaborated with Bright Data at some point—it doesn’t confirm that its current app contains the SDK. Each application would need to be individually examined.
An old model, pulled by AI demand
The underlying approach isn’t novel—only its scale is. Bright Data is the successor to Luminati, the paid proxy service that originated from Hola VPN. In 2015, Hola was exposed for selling its free users’ bandwidth as exit nodes through Luminati at a rate of $20 per gigabyte. That same business model now runs on the always-on device sitting in the living room.
What has shifted is the customer base. Anti-bot protections from companies like Cloudflare, DataDome, and others block scrapers originating from datacenter IP addresses, so AI-driven scrapers instead route their traffic through residential connections.
Krebs reported in October 2025 that proxies from botnets such as Aisuru are powering large-scale AI data harvesting, and Google took down the criminal IPIDEA proxy network in January. Those operations seize control of consumer devices without permission; Bright Data maintains that its exit nodes opt in through a consent screen. That consent is the dividing line between the two approaches, and whether it constitutes meaningful, informed permission is the unresolved question.
Lowpass, syndicated by The Verge, first brought the smart-TV angle to light in February, and this latest work provides the detailed technical breakdown. Google, Amazon, and Roku have since imposed restrictions on background proxy SDKs, and Bright Data withdrew from those platforms, though it still lists Samsung’s Tizen and LG’s webOS among its supported environments.
What to do
The traffic is straightforward to identify and block. On a home network, the simplest measure is to block the domain names the SDK uses to establish its connections, using a router-level filtering tool such as Pi-hole or NextDNS.
The primary domains are proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, and clientsdk.brdtnet.com. According to the research, blocking these prevents the device from functioning as a relay without disrupting Bright Data’s paid service, which operates on separate addresses.
Organizations that manage employee phones can also scan for applications that embed the SDK. One caveat: on a cellular connection, the traffic bypasses corporate Wi-Fi entirely, so a network-level block alone won’t always catch it. Bright Data could also alter how the SDK connects in the future, which would require any blocklist to be updated accordingly.
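To find out which devices on a network have already been contacting those hostnames, the resolver's query log can be searched for them. The script below is an added example, not code from the research or from Bright Data. It assumes dnsmasq-style query lines as written by Pi-hole, runs over constructed sample log lines, and also matches subdomains of the listed hostnames, which goes beyond the exact names the article gives.

```python
import re
from collections import defaultdict

# Hostnames the article lists as the SDK's primary connection domains.
SDK_DOMAINS = {
    "proxyjs.brdtnet.com", "proxyjs.luminatinet.com", "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com", "clientsdk.brdtnet.com",
}

# Assumed input: dnsmasq query lines as logged by Pi-hole, for example
#   "Jun  5 10:15:01 dnsmasq[812]: query[A] example.com from 192.168.1.50"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

def matches_sdk(name):
    """True if name is a listed hostname or a subdomain of one (subdomains are an assumption)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SDK_DOMAINS)

def find_relay_candidates(lines):
    """Map each client IP that queried an SDK hostname to its count, names, first and last seen."""
    hits = defaultdict(lambda: {"count": 0, "domains": set(), "first": None, "last": None})
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m or not matches_sdk(m["name"]):
            continue
        h = hits[m["client"]]
        h["count"] += 1
        h["domains"].add(m["name"].lower().rstrip("."))
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
    return dict(hits)

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = """\
Jun  5 10:15:01 dnsmasq[812]: query[A] proxyjs.brdtnet.com from 192.168.1.50
Jun  5 10:15:02 dnsmasq[812]: query[AAAA] ProxyJS.brdtnet.com. from 192.168.1.50
Jun  5 10:15:09 dnsmasq[812]: query[A] www.example.net from 192.168.1.20
Jun  5 10:16:40 dnsmasq[812]: query[A] clientsdk.bright-sdk.com from 192.168.1.77
Jun  5 10:17:00 dnsmasq[812]: query[A] notproxyjs.brdtnet.com.example.org from 192.168.1.20
Jun  5 10:21:13 dnsmasq[812]: query[A] clientsdk.brdtnet.com from 192.168.1.50
""".splitlines()

if __name__ == "__main__":
    for client, h in sorted(find_relay_candidates(SAMPLE_LOG).items()):
        print(client, h["count"], sorted(h["domains"]), h["first"], h["last"])
```

A client that keeps appearing in the output after the block is in place is still attempting to reach the SDK endpoints, which identifies the device whose apps need to be checked.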



