In a concerning revelation, free applications available on popular connected television (CTV) platforms such as Samsung, LG, and Roku are inadvertently enrolling users’ smart TVs into a commercial residential proxy network operated by Bright Data. This alarming finding stems from a technical investigation conducted by Buchodi from Include Security, with details published on June 5, 2026.
The investigation highlights how an embedded software development kit (SDK) within certain partner applications is presented to users as the price of “free content.” In reality, the integration converts smart televisions—many of which are consistently powered on and connected to the internet—into exit nodes that relay web-scraping traffic for paying customers of Bright Data. Notably, this activity proceeds without triggering conventional security controls, representing a significant privacy risk for unsuspecting users.
Bright Data is a data-collection company that claims to manage a network of over 150 million residential IP addresses, which it sources through its consent-based SDK. One explicit example noted by The Verge is the Roku app named Petflix. The app’s opt-in dialog states that users are allowing Bright Data to utilize their device’s resources and IP address to download public web data from the internet. However, the app omits crucial details: the SDK’s openly accessible configuration file reveals a default monthly WiFi data allowance of 200 GB—far exceeding the “occasional” usage suggested in the consent interface.
Upon further inspection, the configuration endpoint is found to be unauthenticated, allowing any individual with the necessary app bundle ID and SDK version string to access the full partner manifest, which includes data on idle-detection thresholds and bandwidth tiers per country.
The investigation sheds light on why CTV hardware is particularly appealing for the residential proxy economy. Unlike mobile devices that are typically portable, shift between WiFi and cellular networks, and are monitored actively by their users, smart TVs are mostly stationary. They are permanently plugged into power sources, remain connected to high-speed WiFi, and often go unnoticed for extended periods. This setup aligns perfectly with the SDK’s idle-detection rules, which designate devices as eligible to relay third-party scraping traffic even when users are actively engaged in viewing content or making phone calls, as long as certain CPU and memory usage thresholds are satisfied.
Further compounding this issue is the lack of corporate or familial oversight of smart TVs, which contrasts sharply with the management and security measures available for mobile devices. The absence of such measures allows the SDK to function without scrutiny.
The investigation reveals that Bright Data’s partner manifest includes multiple entities that focus on CTV applications. For example, PlayWorks Digital Ltd operates over 400 CTV game titles and reaches approximately 250 million TV homes through platforms like Comcast, Sky, Cox, LG, Samsung, Vizio, and Roku. Additionally, CloudTV is noted for its integration across more than 125 TV brands and 15 original equipment manufacturers (OEMs). Other partners, such as Longvision Media HK and Viber Media, further illustrate the extensive reach of this proxy network.
Despite the revelation of these partnerships, the investigation clarifies that while inclusion in the manifest indicates prior integration, verification through app-specific analysis is essential to confirm the current status of the shipping builds.
The SDK is designed to fetch its configuration whenever an app is launched. It then establishes a persistent WebSocket connection to an address that resolves to AWS Global Accelerator IPs. The TLS certificate presented on that connection corresponds to the legacy domain of Luminati Networks, Bright Data’s former name, which gives defenders a reliable indicator for network-level detection of traffic that is otherwise hard to distinguish.
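The certificate-based indicator described above, as an added detection example (not code from Include Security or Bright Data). It matches each TLS session’s SNI and certificate subject CN against a watched domain; LEGACY_DOMAIN is a placeholder, since the article does not print the former Luminati domain, and the log is a constructed, cut-down Zeek-style ssl.log.

```python
"""Flag TLS sessions whose SNI or server-certificate CN points at a watched domain.

Added example for this article, not code from Include Security or Bright Data.
LEGACY_DOMAIN is a placeholder: the investigation says the certificate carries the
former Luminati Networks domain, but the article does not print the domain itself.
SAMPLE_SSL_LOG is a constructed, cut-down Zeek-style ssl.log (tab-separated).
"""
import re

LEGACY_DOMAIN = "legacy-proxy-network.example"  # placeholder; swap in the real indicator

SAMPLE_SSL_LOG = (
    "ts\tuid\torig_h\tresp_h\tresp_p\tserver_name\tsubject\tissuer\n"
    "1700000000.1\tC1\t192.168.1.20\t203.0.113.10\t443\tcdn.example.net\t"
    "CN=cdn.example.net\tCN=Example CA\n"
    "1700000005.2\tC2\t192.168.1.42\t198.51.100.7\t443\tapi.tvapp.example\t"
    "CN=*.legacy-proxy-network.example\tCN=Example CA\n"
    "1700000009.9\tC3\t192.168.1.42\t198.51.100.8\t443\tws.legacy-proxy-network.example\t"
    "CN=ws.legacy-proxy-network.example\tCN=Example CA\n"
)

CN_RE = re.compile(r"CN=([^,]+)")


def parse_ssl_log(text: str) -> list[dict]:
    """Turn a header-prefixed, tab-separated log into a list of row dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def domain_matches(name: str, watched: str = LEGACY_DOMAIN) -> bool:
    """True if name is the watched domain or a (wildcard) subdomain of it."""
    name = name.strip().lower()
    if name.startswith("*."):          # wildcard certificate, e.g. *.example
        name = name[2:]
    return name == watched or name.endswith("." + watched)


def session_is_suspect(row: dict) -> bool:
    """Match on the SNI first, then on the certificate subject CN."""
    if domain_matches(row.get("server_name", "")):
        return True
    m = CN_RE.search(row.get("subject", ""))
    return bool(m and domain_matches(m.group(1)))


def suspect_hosts(text: str) -> dict[str, list[str]]:
    """Map each internal client IP to the uids of its sessions that hit the watched domain."""
    hits: dict[str, list[str]] = {}
    for row in parse_ssl_log(text):
        if session_is_suspect(row):
            hits.setdefault(row["orig_h"], []).append(row["uid"])
    return hits


if __name__ == "__main__":
    for host, uids in suspect_hosts(SAMPLE_SSL_LOG).items():
        print(f"{host}: {len(uids)} session(s) to {LEGACY_DOMAIN}: {', '.join(uids)}")
```

On a home or office network the same logic can be run over a real ssl.log; a TV that appears in the result while nobody is streaming is the kind of long-lived, idle-time connection the investigation describes.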
The communication protocol offers less protection than one would expect: there is no message signing and no device verification. The SDK also combines two independent methods for avoiding scrutiny. The control plane uses Apple’s CFHTTPMessage primitives, which sidesteps the standard mobile application security tooling that hooks higher-level networking APIs. Simultaneously, the data plane uses NWConnection bound directly to the device’s physical WiFi or cellular interface, thereby circumventing any user-configured VPN.
The configuration also includes specific bandwidth policies that vary by country. For instance, devices in Uzbekistan and Oman can operate on just 1% battery and impose stringent daily and monthly data limits, unlike other regions where higher allowances may be established.
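The idle-detection rule and the per-country policies described in the last few paragraphs, as an added example that is not part of the article or of Bright Data’s code. The manifest layout is an assumption modelled on the fields the investigation mentions (idle thresholds, a default monthly WiFi allowance, country-specific battery and data limits), and every value is constructed; the point is the eligibility check, which, as the article states, consults resource thresholds but not whether anyone is watching.

```python
"""Audit a residential-proxy SDK manifest: relay eligibility and data caps.

Added example for this article. The JSON layout is an assumption modelled on what the
investigation describes (idle-detection thresholds, a default monthly WiFi allowance,
per-country battery and data limits); it is not Bright Data's real schema, and every
value below is constructed.
"""
import json

SAMPLE_MANIFEST = json.dumps({
    "default": {
        "wifi_monthly_gb": 200,
        "daily_gb": None,
        "min_battery_pct": 20,
        "idle": {"max_cpu_pct": 50, "max_mem_pct": 70},
    },
    "countries": {
        "UZ": {"min_battery_pct": 1, "daily_gb": 2, "wifi_monthly_gb": 20},
        "OM": {"min_battery_pct": 1, "daily_gb": 2, "wifi_monthly_gb": 20},
    },
})

# Assumption: what a reader of the consent dialog might take "occasional" use to mean.
# Used only to flag the gap between the dialog and the configured allowance.
OCCASIONAL_MONTHLY_GB = 5


def load_manifest(text: str) -> dict:
    return json.loads(text)


def policy_for(manifest: dict, country: str) -> dict:
    """Default policy with the country's overrides applied on top."""
    policy = dict(manifest["default"])
    policy.update(manifest.get("countries", {}).get(country, {}))
    return policy


def relay_eligible(policy: dict, state: dict) -> bool:
    """Eligibility as the investigation describes it: only CPU, memory and battery
    are consulted. state["user_watching"] is deliberately NOT checked, which is why
    a TV can relay traffic while someone is sitting in front of it."""
    idle = policy["idle"]
    return (
        state["cpu_pct"] <= idle["max_cpu_pct"]
        and state["mem_pct"] <= idle["max_mem_pct"]
        and state["battery_pct"] >= policy["min_battery_pct"]
    )


def audit(manifest: dict) -> list[str]:
    """Findings a reviewer would want before approving such an SDK in an app."""
    findings = []
    default = manifest["default"]
    if default["wifi_monthly_gb"] > OCCASIONAL_MONTHLY_GB:
        findings.append(
            f"default WiFi allowance is {default['wifi_monthly_gb']} GB/month, "
            f"well beyond 'occasional' use (~{OCCASIONAL_MONTHLY_GB} GB)"
        )
    if not (set(default["idle"]) - {"max_cpu_pct", "max_mem_pct"}):
        findings.append("idle rule consults only CPU and memory; foreground use does not pause relaying")
    for cc, over in sorted(manifest.get("countries", {}).items()):
        if over.get("min_battery_pct", default["min_battery_pct"]) < 10:
            findings.append(f"{cc}: relays down to {over['min_battery_pct']}% battery")
        if over.get("daily_gb") is not None:
            monthly = over.get("wifi_monthly_gb", default["wifi_monthly_gb"])
            findings.append(f"{cc}: daily cap {over['daily_gb']} GB, monthly cap {monthly} GB")
    return findings


if __name__ == "__main__":
    manifest = load_manifest(SAMPLE_MANIFEST)
    for line in audit(manifest):
        print("-", line)
```

Running the audit against a real manifest (with the schema adjusted to whatever the SDK actually ships) is a quick way for an app-store reviewer or an organisation vetting TV apps to surface the gap between the consent dialog and the configured policy.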
In response to these findings, Include Security recommends several proactive measures, including DNS-blocking of the relevant domains at the router level and, via MDM, scanning unlicensed app binaries for the SDK’s Swift symbols. These steps aim to give users and organisations a way to keep their devices out of unauthorised proxy use.
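Both recommended mitigations, as an added example that is not Include Security’s tooling: a dnsmasq block list for the router, and a scan of an app binary for the Swift module names an embedded SDK leaves in its symbol table. The domains and the module name on the watchlist are placeholders (the article does not print them), and the binary is a constructed byte string imitating the Swift-mangled symbols found in a Mach-O string table.

```python
"""Router DNS blocking and Swift-symbol scanning for an embedded proxy SDK.

Added example for this article, not Include Security's tooling. BLOCK_DOMAINS and
SDK_MODULE_WATCHLIST are placeholders (the article names neither), and SAMPLE_BINARY
is a constructed byte string standing in for an app's Mach-O executable.
"""
import re

# Swift 5 mangled symbols start with "$s"; each identifier is length-prefixed and the
# first one is the module name, e.g. "$s4main11AppDelegateC" -> module "main".
SWIFT_MANGLED = re.compile(rb"\$s(\d+)([A-Za-z_][A-Za-z0-9_]*)")

# Placeholders: replace with the SDK's real module name(s) and control-plane domains.
SDK_MODULE_WATCHLIST = {"AcmeProxySDK"}
BLOCK_DOMAINS = ["proxy-control.example", "legacy-proxy-network.example"]

SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x00\x00\x00\x00"        # fake Mach-O magic plus padding
    b"_$s4main11AppDelegateC\x00"              # the app's own module
    b"_$s12AcmeProxySDK6ClientC\x00"           # symbols from the embedded SDK
    b"_$s12AcmeProxySDK11IdlePolicyV\x00"
    b"_$s10Foundation4DataV\x00"               # ordinary framework reference
    b"_$sSSN\x00"                              # stdlib String: no length-prefixed module
)


def swift_modules(blob: bytes) -> set[str]:
    """Module names referenced by Swift-mangled symbols anywhere in the blob."""
    modules = set()
    for m in SWIFT_MANGLED.finditer(blob):
        n, ident = int(m.group(1)), m.group(2)
        if 0 < n <= len(ident):
            modules.add(ident[:n].decode("ascii"))
    return modules


def embedded_sdk_modules(blob: bytes, watchlist=SDK_MODULE_WATCHLIST) -> set[str]:
    """Which watched SDK modules the binary links against."""
    return swift_modules(blob) & set(watchlist)


def scan_file(path: str) -> set[str]:
    """Scan an extracted app executable or framework binary on disk."""
    with open(path, "rb") as f:
        return embedded_sdk_modules(f.read())


def dnsmasq_block_lines(domains) -> list[str]:
    """address=/d/0.0.0.0 makes dnsmasq sinkhole the domain and all of its subdomains."""
    return [f"address=/{d}/0.0.0.0" for d in domains]


if __name__ == "__main__":
    print("modules:", sorted(swift_modules(SAMPLE_BINARY)))
    print("SDK hit:", sorted(embedded_sdk_modules(SAMPLE_BINARY)))
    print("\n".join(dnsmasq_block_lines(BLOCK_DOMAINS)))
```

`scan_file` is meant for the main executable and the `Frameworks/` binaries of an unpacked app; an MDM can push the script and collect the result. The dnsmasq lines go into the router’s `dnsmasq.conf` (or a file under its `conf.d`), and because `address=` covers subdomains, one entry per control-plane domain is enough.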
Finally, Bright Data was contacted for comment before the findings were published but did not respond, highlighting an urgent need for transparency and accountability in how user devices and data are used within these applications.