The Hidden Proxy Network: How Smart TVs are Being Recruited into Residential IP Pools

A recent technical deep dive has revealed a sophisticated method by which “free” applications on major Connected TV (CTV) platforms—including Samsung, LG, and Roku—are effectively converting living room hardware into nodes for a global residential proxy network. According to an investigation published by Include Security researcher Buchodi, these devices are being leveraged to facilitate high-volume AI web-scraping traffic, often bypassing standard network security inspections.

At the center of this architecture is an embedded Software Development Kit (SDK) provided by Bright Data. While the SDK is integrated into partner apps under the pretext of a “free content” exchange, its actual function is to transform always-on smart TVs into exit nodes for paying customers. This allows third parties to route traffic through legitimate residential IP addresses, making automated scraping behavior appear as organic user activity.

The Discrepancy in User Consent

Bright Data markets a massive pool of over 150 million residential IP addresses, claiming they are sourced through “consent-based” SDKs. However, the technical reality often contradicts the user-facing interface. For instance, The Verge highlighted the Roku app “Petflix,” which presents users with an opt-in dialog stating that the app will “occasionally” use device resources to download public web data.

Technical analysis of the SDK’s unauthenticated configuration endpoint tells a different story. The configuration file sets a default monthly WiFi bandwidth budget of 200 GB, a figure that vastly exceeds the “occasional” usage described to the consumer. Because the configuration endpoint lacks authentication, researchers can query the full partner manifest simply by providing an app bundle ID. The manifest includes idle-detection thresholds, per-country bandwidth tiers, and various feature flags.

Why Smart TVs are the Perfect Proxy Nodes

The CTV ecosystem offers a unique set of advantages for the residential proxy economy that mobile devices do not. While smartphones are constrained by battery life, frequent movement between cellular and WiFi networks, and active user monitoring, smart TVs are:

  • Permanently Powered: They are rarely disconnected from a power source.
  • Always Connected: They maintain high-speed, stable WiFi connections.
  • Unattended: They often remain idle for long periods without user intervention.
  • Under-Monitored: Unlike mobile devices, which are often protected by Mobile Device Management (MDM) or endpoint detection tools, smart TVs typically lack corporate or rigorous household security oversight.

The SDK’s logic is optimized to exploit these traits. By setting parameters such as ignore_screen_on: true and ignore_on_call: true, the SDK ensures that the device remains eligible to relay third-party traffic even while the user is actively watching content, provided that CPU utilization remains below 70% and memory usage stays under 90%.

The Ecosystem of Partners

The Bright Data partner manifest reveals a massive footprint across the CTV landscape. Key entities involved in the distribution of this SDK include:

  • PlayWorks Digital Ltd: Operates over 400 CTV game titles with a reach of approximately 250 million homes via providers like Comcast, Sky, Cox, Vizio, and Roku.
  • CloudTV: Integrated across more than 125 TV brands and 15 different OEMs.
  • Longvision Media HK (LongTV): Serves 5 million OTT users in Hong Kong and Malaysia.
  • Viber Media (Rakuten): A massive player with up to 820 million monthly users.

Technical Evasion and Network Detection

From a networking perspective, the SDK is designed to be highly resilient against detection. Upon launch, the SDK establishes a persistent WebSocket connection to proxyjs.brdtnet.com:443, which resolves to AWS Global Accelerator IPs. Interestingly, the TLS certificate presented (CN=*.luminatinet.com) traces back to Luminati Networks, the former corporate name of Bright Data, providing a reliable signature for network defenders.
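As an added example (not code from the Include Security write-up), the sketch below applies the hostnames and certificate CN named in this article to DNS and TLS events and reports which internal devices produced a match. The JSON-lines event schema, field names and sample addresses are assumptions constructed for the illustration; the cert_cn field is expected only where the sensor can see the server certificate.

```python
import json
from collections import defaultdict

# Indicators named in this article.
WILDCARD_SUFFIXES = ("brdtnet.com", "luminatinet.com")
EXACT_HOSTS = {"clientsdk.bright-sdk.com"}

# Constructed sample events (hypothetical JSON-lines schema, not a real sensor format).
SAMPLE_LOG = """\
{"src": "192.168.1.23", "kind": "dns", "name": "proxyjs.brdtnet.com."}
{"src": "192.168.1.23", "kind": "tls", "sni": "proxyjs.brdtnet.com", "cert_cn": "*.luminatinet.com"}
{"src": "192.168.1.40", "kind": "dns", "name": "ClientSDK.Bright-SDK.com"}
{"src": "192.168.1.51", "kind": "tls", "sni": "", "cert_cn": "*.luminatinet.com"}
{"src": "192.168.1.77", "kind": "dns", "name": "notbrdtnet.com"}
{"src": "192.168.1.77", "kind": "tls", "sni": "example.org", "cert_cn": "example.org"}
"""

def host_matches(name):
    """Match a listed host, or a listed suffix on a DNS label boundary."""
    name = (name or "").rstrip(".").lower()
    if name.startswith("*."):          # certificate wildcard such as *.luminatinet.com
        name = name[2:]
    if name in EXACT_HOSTS:
        return True
    return any(name == s or name.endswith("." + s) for s in WILDCARD_SUFFIXES)

def flag_devices(log_text):
    """Return {source IP: sorted indicator types seen} for matching events."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["kind"] == "dns" and host_matches(ev.get("name")):
            hits[ev["src"]].add("dns")
        elif ev["kind"] == "tls":
            if host_matches(ev.get("sni")):
                hits[ev["src"]].add("sni")
            if host_matches(ev.get("cert_cn")):   # catches sessions with no usable SNI
                hits[ev["src"]].add("cert_cn")
    return {src: sorted(kinds) for src, kinds in hits.items()}

if __name__ == "__main__":
    for src, kinds in flag_devices(SAMPLE_LOG).items():
        print(src, ",".join(kinds))
```

Matching on a label boundary keeps look-alike names such as notbrdtnet.com out of the results, and checking the certificate CN separately flags a session even when the SNI is empty.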

The protocol itself is relatively lightweight, utilizing plain JSON frames without the use of message signing, HMAC, or device attestation—a design choice the researcher noted is “substantially less secure than typical Command and Control (C2) infrastructure.”

Most concerning is the SDK’s ability to bypass standard security instrumentation through two distinct methods:

  1. Control Plane Evasion: The SDK utilizes Apple’s CFHTTPMessage primitives for configuration fetches and telemetry, rather than the standard URLSession, which helps it evade common mobile app-security monitoring tools.
  2. Data Plane Evasion: The actual peer tunnel uses NWConnection with the requiredInterface bound directly to the physical WiFi or cellular interface. This allows the traffic to bypass any user-configured VPNs, ensuring the proxy traffic remains uninterrupted.

Defense and Mitigation Strategies

The SDK also implements variable bandwidth policies based on geography, with some regions (like Uzbekistan or Oman) allowed significantly higher data caps than the global default. To protect home or enterprise networks, Include Security suggests a layered defense approach:

  • DNS-Level Blocking: Block proxyjs.brdtnet.com, proxyjs.luminatinet.com, and clientsdk.bright-sdk.com at the router level.
  • TLS SNI Filtering: Implement filtering for *.brdtnet.com and *.luminatinet.com.
  • Enterprise MDM: For managed fleets, perform binary scanning for the Swift symbols BrdWebSocketFacade and BrdNetwork.DNSResolver to identify infected applications.
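A minimal sketch of the binary scan from the last item, added here as an example and not taken from Include Security's tooling. It assumes the app is delivered as a zip-format package (as iOS .ipa files are) and that the dotted name appears in compiled code as two separate length-prefixed identifiers, which is how Swift mangles names; the package contents below are constructed.

```python
import io
import zipfile

# Identifiers named in this article. The dotted name is split into its parts
# because Swift-mangled symbols store identifiers length-prefixed, without a dot.
INDICATORS = {
    "BrdWebSocketFacade": [b"BrdWebSocketFacade"],
    "BrdNetwork.DNSResolver": [b"BrdNetwork", b"DNSResolver"],
}

def scan_bytes(data):
    """Return the indicator names whose parts are all present in data."""
    return sorted(name for name, parts in INDICATORS.items()
                  if all(p in data for p in parts))

def scan_archive(fileobj):
    """Scan every member of a zip-format app package; return {member: [indicators]}."""
    findings = {}
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            found = scan_bytes(zf.read(info))
            if found:
                findings[info.filename] = found
    return findings

def build_sample_package():
    """Constructed test package; member names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Demo",
                    b"\x00_$s4Demo18BrdWebSocketFacadeC\x00"
                    b"_$s10BrdNetwork11DNSResolverC\x00")
        # A generic DNSResolver type alone must not be reported.
        zf.writestr("Payload/Demo.app/Frameworks/Other",
                    b"\x00_$s5Other11DNSResolverC\x00")
        zf.writestr("Payload/Demo.app/Info.plist", b"<plist></plist>")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for member, found in scan_archive(build_sample_package()).items():
        print(member, found)
```

Requiring both BrdNetwork and DNSResolver in the same file avoids flagging unrelated code that merely defines its own DNSResolver type.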
