How Free Apps Turn Always-On Smart TVs Into Unwitting Proxies for AI Data Scraping

Researchers uncovered how Bright Data's SDK in free apps turns smart TVs into residential proxies feeding AI scraping operations. Always-on devices with unmetered connections make ideal nodes, often with weak consent and minimal authentication. Blocking key domains offers immediate protection while regulators and platforms tighten rules.
Written by Eric Hastings

Smart TVs hum in living rooms across the country. They stay plugged in. They stay connected. And now some of them quietly relay web requests for companies hungry to feed artificial intelligence models with fresh data.

The revelation comes from technical analysis released this week. A researcher tore apart an iOS software development kit from Bright Data, the proxy giant formerly known as Luminati. What he found shows how the code can transform consumer devices into exit nodes on a massive residential proxy network. The Hacker News reported the details on June 6, 2026.

Bright Data advertises more than 400 million residential IP addresses. Part of that pool comes from users who install free apps containing the company’s SDK. An opt-in screen promises limited use. The actual settings loaded by the SDK often allow far more. Up to 200 gigabytes of outbound traffic per month in many cases. Even higher limits in countries such as Uzbekistan and Oman.

The researcher, working with Include Security, published his findings on June 5. He goes by the name Buchodi. His work exposed a peer-to-peer channel with almost no authentication. “Weaker than the controls built into most malware,” he concluded. On iOS the proxy traffic slips past configured VPNs. It runs in the background. It avoids many standard monitoring tools.

And the same infrastructure supports smart TV apps. Bright Data’s partner list once included makers of applications for Roku, Samsung’s Tizen platform and LG’s webOS. The company has since dropped support for some platforms after Google, Amazon and Roku tightened rules on background proxy code. Yet the model persists elsewhere.

One Roku app called Petflix showed users a consent screen that described usage as “occasional.” The SDK’s configuration told a different story. This gap between what users see and what actually happens sits at the heart of the controversy.

Bright Data insists its network relies on consent. It positions itself as different from botnets and criminal proxy services that hijack devices without permission. Yet the technical reality blurs that line. Home internet connections become infrastructure for commercial web scraping. The bandwidth costs fall on the consumer. The IP addresses appear residential, which helps scrapers dodge defenses from companies like Cloudflare and DataDome.

This isn’t entirely new. Back in 2015, Hola VPN faced criticism after its users’ bandwidth was sold through Luminati for $20 per gigabyte. The Hacker News covered that episode. Bright Data emerged as the corporate successor. Demand has only grown. AI companies need vast quantities of clean web data. Datacenter IPs get blocked. Residential proxies command a premium.

Brian Krebs reported last October on botnets shifting from DDoS attacks to selling residential proxy access for AI harvesting. Google dismantled the IPIDEA network in January. Those cases involved clear compromise. Bright Data’s approach hinges on the opt-in screen. Whether that consent qualifies as informed remains an open debate.

Lowpass first highlighted the smart TV connection in February. The site, syndicated by The Verge, pointed to the always-on nature of these devices. They sit on unmetered home broadband. They run for hours. They attract little scrutiny compared with phones or laptops. Perfect nodes for proxy work.

Separate investigations show smart TVs already collect plenty on their own. They take screenshots of content multiple times per minute. They track viewing habits across cable, streaming and even HDMI inputs. They build profiles that combine with data from phones and social media. Jeff Chester of the Center for Digital Democracy told Slate that this creates a detailed representation of identity. His comments appeared in a May 2026 article examining how TV data gets merged with other sources.

Consumer Reports has long advised viewers to disable automatic content recognition, known as ACR. The organization’s guide, updated in late 2025, notes that nearly all major brands from Samsung and LG to TCL engage in some level of data collection. Turning off ACR reduces the flow but does not stop everything. Voice features, advertising IDs and app usage data still travel outward.

Regulators have stepped in at the state level. Texas secured an agreement with Samsung to improve consent explanations and opt-out options. Kentucky classified TV viewing patterns as sensitive data. These moves follow an earlier FTC settlement with Vizio that highlighted unauthorized collection of viewing histories from millions of sets.

Yet the proxy SDK issue adds a new dimension. It is not just observation. The TV becomes an active participant in someone else’s data operation. Its IP address gets used to fetch pages that feed AI training. The device’s owner pays for the electricity and bandwidth. The connection appears in logs as coming from a real household, which gives the traffic legitimacy in the eyes of anti-bot systems.

Defenders of the practice argue that users agree to the terms. They receive free apps or ad-supported content in return. Critics counter that the disclosures lack clarity. Few people read the fine print on a television setup screen. Even fewer understand that their living room device will relay arbitrary web requests to distant servers.

Network-level blocking offers one practical response. The Include Security report lists specific domains the SDK uses to phone home and receive jobs, among them proxyjs.brdtnet.com and clientsdk.bright-sdk.com. Blocking them at the router with tools like Pi-hole or NextDNS stops the proxy function without breaking Bright Data’s legitimate paid services, which use different infrastructure. The domains can change, so lists require maintenance.
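Before or alongside a block, the resolver's query log can show which device on the home network is asking for these hostnames. The following is an added example, not code from this article or from the Include Security report: it assumes dnsmasq-style query lines as written by Pi-hole, uses only the two hostnames named above (the report lists more), and runs on constructed sample log lines.

```python
import re
from collections import defaultdict

# Only the two hostnames named in the article; the full report lists others.
SDK_DOMAINS = ("proxyjs.brdtnet.com", "clientsdk.bright-sdk.com")

# dnsmasq / Pi-hole query line: "... dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(r"query\[[^\]]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

# Constructed sample log lines (not captured traffic); IPs and the "eu."
# subdomain are made up for the example.
SAMPLE_LOG = """\
Jun  6 20:14:01 dnsmasq[412]: query[A] proxyjs.brdtnet.com from 192.168.1.50
Jun  6 20:14:01 dnsmasq[412]: query[AAAA] proxyjs.brdtnet.com from 192.168.1.50
Jun  6 20:14:09 dnsmasq[412]: query[A] example.org from 192.168.1.23
Jun  6 20:15:30 dnsmasq[412]: query[A] CLIENTSDK.Bright-SDK.com. from 192.168.1.50
Jun  6 20:16:02 dnsmasq[412]: query[A] eu.clientsdk.bright-sdk.com from 192.168.1.77
Jun  6 20:16:40 dnsmasq[412]: query[A] notproxyjs.brdtnet.com.example.net from 192.168.1.23
Jun  6 20:17:00 dnsmasq[412]: reply example.org is 93.184.216.34
"""

def listed_parent(name, domains=SDK_DOMAINS):
    """Return the listed domain that name equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")  # DNS names are case-insensitive
    for d in domains:
        # Require a label boundary so look-alike names do not match.
        if name == d or name.endswith("." + d):
            return d
    return None

def sdk_clients(log_text, domains=SDK_DOMAINS):
    """Map client IP -> {listed domain: query count} for matching queries."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # reply/forwarded/cached lines carry no client address
        d = listed_parent(m.group("name"), domains)
        if d:
            hits[m.group("client")][d] += 1
    return {client: dict(counts) for client, counts in hits.items()}

if __name__ == "__main__":
    for client, counts in sorted(sdk_clients(SAMPLE_LOG).items()):
        print(client, counts)
```

A client address that shows up here can be mapped to a device through the router's DHCP lease table, which narrows down which app or appliance carries the SDK.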

Enterprise security teams can scan for the SDK in mobile device management. But mobile data connections bypass corporate Wi-Fi, limiting the effectiveness of network controls alone. On the consumer side the advice is simpler. Scrutinize free apps. Check permissions. Consider whether the trade-off makes sense when the device in question never leaves the house.

Bright Data did not respond immediately to requests for comment in the original reporting. The company maintains that its SDK requires explicit user agreement and provides value through free or discounted software. It also points to its size and transparency compared with underground proxy networks.

The broader trend points toward continued pressure. AI development drives insatiable demand for training data. Residential proxies solve a technical problem that datacenter alternatives cannot. Smart TVs, streaming sticks and other always-connected appliances represent an expanding surface. Their owners rarely monitor outbound traffic at the packet level.

So the TVs keep running. The SDKs keep listening. And web requests from living rooms help populate the next generation of large language models. The arrangement benefits the data brokers and their AI customers. The costs scatter across millions of households in the form of higher electricity bills, slightly slower connections during peak proxy activity and the quiet erosion of control over personal bandwidth.

Researchers continue to probe these systems. New reports surface regularly about tracking embedded in streaming platforms and device firmware. Each one adds detail to a picture that has grown clearer over the past decade. Consumers install software to watch shows or play games. The software installs itself into the network. The network becomes a resource for industries far removed from entertainment.

Blocking a handful of domains will not solve the structural incentives. Stronger disclosure rules might. So could platform policies that forbid background proxy capabilities in consumer apps. Until then the quiet trade-off continues. Your television watches the room. And sometimes it speaks for it on the open internet.
