The Smart TV in Your Living Room Is a Node in the AI Scraping Economy
- Distributed AI Training and Scraping: AI companies require massive amounts of web-scraped data for training, search, and agent grounding. Because traditional data centers face heavy blocking and throttling by security services (like Cloudflare and DataDome), scrapers rely on residential proxy networks to route traffic through home internet connections.
- Bright Data's SDK Network: Bright Data operates a massive commercial residential proxy network (marketed as anywhere from 150M+ to 400M+ IPs). They source these exit nodes by embedding a consent-based Software Development Kit (SDK) inside consumer-facing mobile apps and Connected TV (CTV) / Smart TV applications.
- Why Smart TVs are the Ideal Proxies: Compared to mobile phones, Smart TVs provide a near-perfect infrastructure for proxy routing:
  - They are permanently connected to high-speed home Wi-Fi and grid power (no battery constraints).
  - They run 24/7 in standby mode and offer effectively unlimited bandwidth.
  - They operate largely unattended with virtually no corporate or family oversight.
  - The consent UI on TVs is typically dense text navigated via remote arrow keys, making it unlikely that users understand their bandwidth is being sold to third-party scrapers.
- Deceptive Allocation Limits: While opt-in prompts (such as in the Roku app Petflix) claim the SDK "occasionally" uses free resources, the underlying, publicly queryable SDK configuration sets a massive monthly default Wi-Fi budget of up to 200 GB (max_bw_monthly_wifi: 200,000,000,000 bytes).
- Notable SDK Integration Partners: Public, unauthenticated partner-manifest endpoints expose integrations with platforms reaching hundreds of millions of households, including:
  - PlayWorks Digital Ltd: Over 400 CTV game titles across Comcast, Sky, Cox, LG, Samsung, Vizio, and Roku.
  - CloudTV: Integrated across more than 125 TV brands and 15+ OEMs.
  - Viber Media (Rakuten): Massive messaging app ecosystem.
  - Supercent & Moonfrog Labs: Major mobile game publishers.
- Technical Reverse-Engineering & VPN Bypasses: Technical analysis of the iOS framework (brdsdk.framework) reveals that:
  - The SDK dials out over a persistent WebSocket connection through which it tracks device metrics (CPU, memory, network state, battery level).
  - Bypassing VPNs: By binding its sockets directly to the Wi-Fi (en0) or cellular (pdp_ip0) interface instead of following the system default route, the SDK completely bypasses user-configured local VPN tunnels (tun0).
  - Broad Definition of "Idle": The SDK configuration allows relaying traffic even when the user is actively on a phone call or the screen is on, provided CPU utilization remains below 70% and memory below 90%.
  - Cross-Platform Identity Stitching: The SDK's config file contains tracking properties like dual_pairing maps designed to tie a single user's distinct installations across iOS, Windows, and macOS together into a single unified identity.
- Mitigation and Defense Strategies:
  - DNS Sinkholing: Network-wide blocking of the key domains (proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, and clientsdk.bright-sdk.com) entirely kills the proxy peer tunnel without impacting legitimate public traffic.
  - Network Boundaries: Apply TLS SNI filtering to hostnames matching *.brdtnet.com or *.luminatinet.com.
  - MDM Application Auditing: For enterprise environments, scan mobile binaries for unique Swift symbols like BrdWebSocketFacade and BrdNetwork.DNSResolver to filter out infected applications.
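As an added example (not code from the report or from Bright Data), the following Python scans constructed dnsmasq/Pi-hole style query-log lines for the domains listed above, reports which internal clients resolved them, and renders the matching dnsmasq sinkhole entries; the wildcard match covers the same two zones the SNI-filtering bullet names, so one check serves both the DNS and the SNI control. The log lines and client IPs are constructed samples.

```python
"""Flag devices resolving Bright SDK control-plane domains and build a sinkhole list.
Added example, not code from the report: the domains are the ones the report lists;
the log lines and client IPs below are constructed, Pi-hole/dnsmasq-style samples.
"""
import fnmatch
import re
from collections import defaultdict

# Exact hostnames to sinkhole, plus the two zones the report suggests for SNI filtering.
SINKHOLE_EXACT = {"proxyjs.brdtnet.com", "proxyjs.luminatinet.com",
                  "proxyjs.bright-sdk.com", "clientsdk.bright-sdk.com"}
SINKHOLE_WILDCARD = ("*.brdtnet.com", "*.luminatinet.com")

# dnsmasq query line: "<date> <time> dnsmasq[pid]: query[A] <name> from <client>"
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample log; the host under luminatinet.com is made up for the demo.
SAMPLE_LOG = [
    "Jan 10 21:03:11 dnsmasq[412]: query[A] proxyjs.brdtnet.com from 192.168.1.23",
    "Jan 10 21:03:12 dnsmasq[412]: query[A] api.example.net from 192.168.1.10",
    "Jan 10 21:03:40 dnsmasq[412]: query[AAAA] clientsdk.bright-sdk.com from 192.168.1.23",
    "Jan 10 21:04:02 dnsmasq[412]: query[A] made-up-host.luminatinet.com. from 192.168.1.57",
]


def is_sdk_domain(name: str) -> bool:
    """True if a queried name (or a TLS SNI hostname) belongs to the SDK's infrastructure."""
    host = name.lower().rstrip(".")  # DNS logs may carry a trailing dot
    return host in SINKHOLE_EXACT or any(fnmatch.fnmatch(host, p) for p in SINKHOLE_WILDCARD)


def find_sdk_clients(log_lines):
    """Map each internal client IP to the set of SDK domains it tried to resolve."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_sdk_domain(m.group("name")):
            hits[m.group("client")].add(m.group("name").lower().rstrip("."))
    return dict(hits)


def dnsmasq_sinkhole_config() -> str:
    """Render dnsmasq/Pi-hole address= lines answering the SDK zones with 0.0.0.0."""
    # address=/zone/0.0.0.0 covers the zone and every name under it, so the two wildcard
    # zones absorb their proxyjs.* hosts; only the bright-sdk.com hosts need explicit lines.
    zones = [p[2:] for p in SINKHOLE_WILDCARD]
    zones += sorted(h for h in SINKHOLE_EXACT
                    if not any(fnmatch.fnmatch(h, p) for p in SINKHOLE_WILDCARD))
    return "\n".join(f"address=/{z}/0.0.0.0" for z in zones)
```

Feed find_sdk_clients() the real Pi-hole or dnsmasq log to get the list of devices to isolate on a VLAN, and drop the rendered lines into a dnsmasq .conf to enforce the sinkhole.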
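For the MDM auditing step, an added example that is not the report's tooling: a Python scan of an .ipa that checks every Mach-O under Payload/ for the two symbol names above. The Payload/<App>.app layout is the standard .ipa layout; build_sample_ipa() writes a constructed stand-in archive with fake binaries, not a real app.

```python
"""Audit an iOS .ipa for the Bright SDK by the Swift symbol names the report lists.
Added example, not the report's code: build_sample_ipa() creates a constructed
stand-in archive whose Mach-O blobs are fake headers plus strings, not a real app.
"""
import tempfile
import zipfile

SDK_SYMBOLS = (b"BrdWebSocketFacade", b"BrdNetwork.DNSResolver")
# Mach-O magics as they appear on disk: 64-bit, 32-bit, and universal (fat) binaries.
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def sdk_symbols_in(blob: bytes) -> list:
    """SDK symbol names present as raw strings in a binary (like strings | grep)."""
    return [s.decode() for s in SDK_SYMBOLS if s in blob]


def audit_ipa(path: str) -> dict:
    """Map each Mach-O under Payload/ to the SDK symbols it contains; {} means none found."""
    findings = {}
    with zipfile.ZipFile(path) as ipa:
        for info in ipa.infolist():
            if info.is_dir() or not info.filename.startswith("Payload/"):
                continue
            blob = ipa.read(info)
            if blob[:4] not in MACHO_MAGICS:
                continue  # plists, assets, nibs: not executable code
            found = sdk_symbols_in(blob)
            if found:
                findings[info.filename] = found
    return findings


def build_sample_ipa() -> str:
    """Write a constructed .ipa with one clean binary and one embedding the SDK symbols."""
    macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # fake header, enough for the magic check
    # Constructed Swift-mangled-style name: the class name survives as a substring.
    sdk_blob = macho64 + b"$s6brdsdk18BrdWebSocketFacadeC\x00BrdNetwork.DNSResolver\x00"
    tmp = tempfile.NamedTemporaryFile(suffix=".ipa", delete=False)
    with zipfile.ZipFile(tmp, "w") as ipa:
        ipa.writestr("Payload/Demo.app/Info.plist", '<plist version="1.0"/>')
        ipa.writestr("Payload/Demo.app/Demo", macho64 + b"clean app code\x00")
        ipa.writestr("Payload/Demo.app/Frameworks/brdsdk.framework/brdsdk", sdk_blob)
    tmp.close()
    return tmp.name
```

This is a raw string search, so a build that strips or obfuscates those names will not be caught: treat a hit as confirmation and a miss as inconclusive.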
Hacker News Discussion
- The Irony of Cloud-to-Cloud Scrapes: Users point out the profound irony that both the AI data scrapers and the target websites being scraped are often simultaneously hosted on AWS infrastructure, engaging in a costly, artificial cat-and-mouse game to mask their identities.
- Strict Hardware Isolation ("Dumb" Displays): A popular consensus among commenters is to completely air-gap or isolate smart TVs from the internet, relying exclusively on local HDMI inputs connected to trusted devices (like Apple TV, HTPCs, or Home Assistant setups).
- Automatic Content Recognition (ACR) over HDMI: Contributors point out that simply removing network permissions may not protect privacy entirely if a TV is ever connected later. Academic papers cited in the thread reveal that Smart TVs run Automatic Content Recognition to analyze and log content even on local HDMI inputs while offline, caching data to upload the moment an internet connection becomes available.
- The Threat of VPN Bypassing: The community expressed severe alarm regarding the SDK's ability to explicitly bypass local system VPN configurations via forced network interface bindings, highlighting the growing complexity required to self-host secure, consumer-friendly networks.
- Legal Risks and Misleading Consent: Commenters note that the SDK text hides behind the guise of "downloading public data," masking that its true utility is to circumvent security blocks. There is also discussion regarding the liability risk for home residents if a malicious third party utilizes their residential IP address through these unregulated networks for illicit activities (e.g., severe cybercrimes), though others note Bright Data utilizes strict Know-Your-Customer (KYC) onboarding for their buyers.
- Network-Level Defense: Users shared practical setups for containment, such as creating isolated local VLANs with restrictive firewall configurations, whitelisting device MAC addresses via DHCP policies, and deploying Pi-holes or AdGuard Home setups to drop the domains mentioned in the report.