Bright Data advertises more than 400 million residential IPs and describes a consent-sourced pool of 150 million-plus IPs — a scale that, research published June 5 shows, can be extended into living rooms through free apps and an embedded iOS software development kit (SDK).
Bright Data's proxy network and its lineage
Bright Data, the successor to Luminati, runs what it calls the largest residential proxy network in the world. Part of that supply, according to a technical teardown published June 5 by Include Security and independent researcher Buchodi, comes from an SDK Bright Data embeds in consumer apps. The model echoes an older arrangement: Luminati originally grew out of Hola VPN, which in 2015 was found to have sold users’ bandwidth. The new twist is demand — anti-bot protections from vendors such as Cloudflare and DataDome have pushed large-scale scrapers to route through residential connections rather than datacenter IPs.
How the embedded SDK operates on devices
The researcher reverse-engineered Bright Data’s iOS SDK and documented a simple lifecycle: when the app opens, the SDK contacts one of Bright Data’s servers and receives instructions that tell the device to fetch web pages from other sites. The channel that carries those jobs, the research found, has “no real authentication” and is described as weaker than controls typically built into malware. On iPhones the investigator found that the SDK’s scraping traffic can bypass a configured VPN and that much of the SDK’s activity does not appear in the tools security teams normally use to monitor apps. The device can continue relaying in the background — even during calls or while the screen is in use — so long as the battery is not low.
Smart TVs as attractive exit nodes
A connected TV is close to ideal for this role: usually plugged in, on a comparatively fast connection, effectively unmetered, and often unwatched. Bright Data’s public partner list includes makers of smart-TV apps such as PlayWorks Digital, CloudTV, and Longvision; the researcher notes that appearing on the list shows a company worked with Bright Data at some point, not that its app currently contains the SDK — each app must be tested individually. Earlier reporting from Lowpass, syndicated by The Verge, first raised the smart-TV angle in February; after platforms tightened rules on background proxy SDKs, Bright Data removed Google, Amazon, and Roku from its platform list but still lists Samsung’s Tizen and LG’s webOS.
The consent screen and traffic limits
Bright Data’s SDK is shipped inside free apps behind an opt-in screen; the company describes this supply as consent-sourced. The teardown shows a gap between the stated consent and the SDK’s actual capabilities. In a Roku app called Petflix, for example, an opt-in screen told users the SDK would use the device and connection “occasionally.” The settings the SDK loads, however, can allow up to 200 GB of traffic per month; in some countries named by the researchers, including Uzbekistan and Oman, limits are set far higher and the device is cleared to keep working almost until the battery runs flat. The SDK can also treat multiple devices that run the same company’s apps as one user, tying a phone and a computer together for proxying purposes.
What this means for security teams, regulators, and households
- Security teams and technologists: The researcher found that on iOS the peer tunnel bypasses VPNs and that the job channel lacks robust authentication, meaning app-monitoring tools and standard network blocks can miss activity. Corporate mobile-device programs should scan for apps containing the SDK and be aware that mobile data can sidestep Wi‑Fi-based controls.
- Regulators and procurement officers: The matter hinges on whether the displayed consent matches the SDK’s permissions and behavior. The distinction between opt-in and meaningful consent is the line separating Bright Data’s commercial supply from criminal botnets that hijack devices; earlier investigative work has linked botnets such as Aisuru and the criminal IPIDEA proxy network to large-scale scraping and abuse.
- Households and end users: Smart TVs are particularly exposed because they are typically always-on and connected. Users who do not want their home connection used as an exit node have straightforward mitigations available at the router level.
Mitigation steps and closing observation
The teardown provides concrete defenses. Blocking a small set of domains at the router or DNS level — proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, and clientsdk.brdtnet.com — stops the device from acting as a relay, according to the research, and does so without affecting Bright Data’s paid service, which runs on separate addresses. Tools such as Pi-hole or NextDNS can enforce such blocks. The research also notes that Bright Data could change how the SDK connects in the future, which would require updates to any blocklist.
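As an added example (not code from the research or from Bright Data), the following script turns the five domains named above into a defender's check: it flags DNS queries for those domains or their subdomains in dnsmasq/Pi-hole style query logs and renders a dnsmasq block fragment. The log lines are constructed samples, and the assumption that the SDK's control traffic resolves these exact names follows the teardown; as the research notes, the list may need updating if the SDK's endpoints change.

```python
from __future__ import annotations
import re
from typing import Iterable

# Control-channel domains named in the Include Security / Buchodi teardown.
SDK_DOMAINS = {
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
}

def is_sdk_domain(name: str) -> bool:
    """True if `name` is a listed domain or a subdomain of one (case-insensitive)."""
    host = name.strip().rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in SDK_DOMAINS)

# dnsmasq / Pi-hole query log shape: "... query[A] host from 192.168.1.50"
_QUERY_RE = re.compile(r"query\[(?P<type>[A-Z]+)\]\s+(?P<host>\S+)\s+from\s+(?P<client>\S+)")

def find_sdk_queries(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client, host) pairs for queries aimed at SDK domains, in log order."""
    hits = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m and is_sdk_domain(m.group("host")):
            hits.append((m.group("client"), m.group("host")))
    return hits

def dnsmasq_blocklist() -> str:
    """Render a dnsmasq config fragment that sinkholes each domain and its subdomains."""
    return "".join(f"address=/{d}/0.0.0.0\n" for d in sorted(SDK_DOMAINS))

# Constructed sample log lines (not real captures); 192.168.1.50 stands in for a smart TV.
SAMPLE_LOG = [
    "Jun  5 20:14:01 dnsmasq[812]: query[A] proxyjs.brdtnet.com from 192.168.1.50",
    "Jun  5 20:14:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.20",
    "Jun  5 20:14:03 dnsmasq[812]: query[AAAA] clientsdk.bright-sdk.com from 192.168.1.50",
    "Jun  5 20:14:04 dnsmasq[812]: query[A] notproxyjs.brdtnet.com from 192.168.1.99",
    "Jun  5 20:14:05 dnsmasq[812]: query[A] a.proxyjs.brdtnet.com from 192.168.1.50",
]

if __name__ == "__main__":
    for client, host in find_sdk_queries(SAMPLE_LOG):
        print(f"{client} -> {host}")
    print(dnsmasq_blocklist(), end="")
```

The `address=/domain/0.0.0.0` form is native dnsmasq syntax; on a Pi-hole it can be dropped into a file under /etc/dnsmasq.d, while NextDNS takes the same domains through its denylist UI.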
The technical record supplied by Include Security and Buchodi tightens a practical question into a pointed one: when free apps ask for “occasional” use of a device and its connection, does that notice equate to the permission to route hundreds of gigabytes of scraping traffic through someone’s home? The researcher’s evidence narrows the debate to observable artifacts — SDK behavior, traffic patterns, and the domains it contacts — and offers defenders a narrow, actionable set of counters while leaving the broader consent question open.