Bright Data SDK Turns Your Smart TV Into an AI Scraping Proxy

A new analysis from Include Security reveals that Bright Data's SDK, embedded in popular smart TV and mobile apps, turns your device into a residential proxy exit node for AI web scraping. The SDK ships in apps like Petflix, Viber, and CloudTV, routing scraping traffic through your home IP without meaningful consent.

The Unauthenticated Config Endpoint

The SDK fetches its configuration from an unauthenticated endpoint:

GET https://clientsdk.bright-sdk.com/sdk_config_ios.json?appid=&ver=&uuid=sdk-ios-<32hex>

Anyone can query this endpoint with a valid bundle ID and SDK version string. The server returns idle detection thresholds, bandwidth caps, country-specific rules, and a partner manifest listing all publishers embedding the SDK.

How the Peer Tunnel Works

After configuration, the SDK opens a persistent WebSocket to wss://proxyjs.brdtnet.com:443, which resolves to AWS Global Accelerator IPs (3.33.193.183, 15.197.193.114). The TLS certificate still uses the pre-2018 domain *.luminatinet.com — a detection pivot for network defenders. The server requires no authentication and immediately initiates a handshake:

  • tunnel_init — echoes the client's public IP
  • cid_set — assigns a session tracking identifier
  • status_get — polls the device for idle state, battery, network type, bandwidth

The device responds with continuous telemetry: idle, wifi_connected, mobile_connected, mobile_type, roaming, battery_level, using_battery, screen_on, on_call, cpu_usage, mem_usage, raw_bw, bw, ipv6_supported, appid, sdk_version, platform, and the assigned cid. This data goes to a third party on the strength of a consent dialog whose text is controlled by the host app publisher.

Once the device reports favorable status, the server pushes cmd_tun frames — individual scraping job instructions. The SDK executes these as HTTP requests against third-party sites, using the user's residential IP as the source.

Idle Detection Rules

The configuration includes explicit rules for when the device is eligible to relay traffic:

"idle_metrics": {
  "ignore_screen_on": true,
  "ignore_on_call": true,
  "max_bw_ratio": 1,
  "min_battery": 0.2,
  "wifi_on_battery": true,
  "min_battery_wifi": 0.2,
  "max_cpu_usage": 70,
  "max_mem_usage": 90,
  "mem_screen_off": true,
  "idle_timeout": 30,
  "not_idle_timeout": 10
}

ignore_screen_on and ignore_on_call mean the device can relay traffic even while the user is actively using it or on a phone call. The SDK considers the device "idle" based solely on CPU, memory, and battery thresholds.
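To make the effect of these flags concrete, here is an added illustration (not code from Include Security or from the SDK) that evaluates constructed status_get telemetry against the idle_metrics block above. The per-key semantics it applies are an assumption chosen for the demonstration, as the comments state.

```python
import json

# Constructed copy of the idle_metrics block quoted in the article.
IDLE_METRICS_JSON = """{
  "ignore_screen_on": true, "ignore_on_call": true, "max_bw_ratio": 1,
  "min_battery": 0.2, "wifi_on_battery": true, "min_battery_wifi": 0.2,
  "max_cpu_usage": 70, "max_mem_usage": 90, "mem_screen_off": true,
  "idle_timeout": 30, "not_idle_timeout": 10
}"""
RULES = json.loads(IDLE_METRICS_JSON)

def relay_eligible(rules, status):
    """Return (eligible, blocking_reasons) for one status_get reply.

    The per-key semantics are an ASSUMPTION for illustration, not the SDK's
    real logic: screen_on/on_call block only when the matching ignore_* flag
    is false; on battery the floor is min_battery_wifi when on Wi-Fi with
    wifi_on_battery set, otherwise min_battery; CPU and memory ceilings
    always apply. max_bw_ratio, mem_screen_off and the timeouts are not modeled.
    """
    reasons = []
    if status["screen_on"] and not rules["ignore_screen_on"]:
        reasons.append("screen on")
    if status["on_call"] and not rules["ignore_on_call"]:
        reasons.append("on call")
    if status["using_battery"]:
        if status["wifi_connected"] and rules["wifi_on_battery"]:
            floor = rules["min_battery_wifi"]
        else:
            floor = rules["min_battery"]
        if status["battery_level"] < floor:
            reasons.append("battery below %.0f%%" % (floor * 100))
    if status["cpu_usage"] > rules["max_cpu_usage"]:
        reasons.append("cpu above ceiling")
    if status["mem_usage"] > rules["max_mem_usage"]:
        reasons.append("memory above ceiling")
    return (not reasons, reasons)

# Constructed telemetry, using the field names the article lists.
def _status(**overrides):
    base = dict(screen_on=False, on_call=False, using_battery=False,
                wifi_connected=True, battery_level=1.0, cpu_usage=10, mem_usage=40)
    base.update(overrides)
    return base

SAMPLES = {
    "tv_in_use": _status(screen_on=True, cpu_usage=25),   # plugged-in TV, user watching
    "phone_on_call": _status(screen_on=True, on_call=True, using_battery=True,
                             battery_level=0.25, cpu_usage=30, mem_usage=55),
    "phone_low_battery": _status(using_battery=True, battery_level=0.15),
    "busy_device": _status(cpu_usage=85),
}
```

Under these rules both the TV being watched and the phone mid-call qualify as relays; only a low battery or a loaded CPU blocks them.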

Why Smart TVs Are the Ultimate Proxy

Compared to mobile phones, smart TVs are always plugged in, always on WiFi, have unlimited bandwidth, and are often unattended. The consent UX is worse — users navigate privacy policies with arrow keys on a TV remote. Petflix, a Roku app, shows an opt-in screen that says "occasionally" using the device's resources, but the SDK's default monthly WiFi budget is 200 GB (max_bw_monthly_wifi: 200000000000).

Partner Manifest

Bright Data exposes an unauthenticated partner manifest endpoint. Identified partners include:

  • PlayWorks Digital Ltd — 400+ CTV game titles, reach ~250M TV homes via Comcast, Sky, Cox, LG, Samsung, Vizio, Roku
  • CloudTV — integrated across 125+ TV brands and 15+ OEMs
  • Longvision Media HK (LongTV) — 5M OTT users in HK and Malaysia
  • Viber Media (Rakuten) — 250M–820M monthly users
  • Supercent (Korea) — #1 Korean mobile publisher by downloads in 2023
  • Moonfrog Labs (Stillfront subsidiary) — ~10M MAU on Teen Patti Gold alone
  • Hola Networks — Bright Data's lineage parent, user base in tens to ~100M+ range

The list proves that at least three CTV-focused entities have monetized users' devices as residential proxy exit nodes.

Security Assessment

The protocol lacks message signing, HMAC, client certificates, or device attestation. Only TLS and the server's IP reputation filter gate which peers receive jobs. The researchers note this is "substantially less secure than typical C2" protocol design.

What This Means for Developers

  • Any app embedding the Bright Data SDK turns users' devices into scraping exit nodes with minimal consent.
  • The SDK's unauthenticated config endpoint leaks partner relationships and internal thresholds.
  • Network defenders can detect Bright Data traffic by monitoring DNS and TLS for the luminatinet.com and brdtnet.com domains, including the legacy *.luminatinet.com certificate CN.
  • The idle detection rules allow traffic relay even when the user is actively using the device.

Next Steps

If you maintain an app that uses Bright Data's SDK, review your consent dialog and ensure it clearly states the bandwidth and usage patterns. If you're a user, check your smart TV's privacy settings and consider blocking *.bright-sdk.com and *.brdtnet.com at your router.