Your TV has a side hustle, and you're paying for it

Free apps on smart TVs can turn your set into a relay for someone else's web scraping, using your connection and your IP. Here's how to tell, and how to stop it.


Right now your TV might be off, but it could still be awake. It might be fetching web pages for a stranger, using your internet and under your name.

According to research published June 5 by Include Security and independent researcher Buchodi, your smart TV could be acting as a relay for someone else's web traffic.

A company called Bright Data sells access to that relay network. It markets the result as the largest of its kind in the world, with more than 400 million home internet addresses its customers can route through. Over 150 million of them come from Bright Data's software sitting inside apps people installed themselves.

Let me back up and explain.

What's going on here

Normally your internet traffic leaves from your house. You load a page, the request goes out with your address on it, the page comes back. A proxy flips that around. It sends someone else's traffic out through your connection, so the website on the other end thinks the request came from you.

That someone else, here, is in the business of scraping. Scraping just means downloading web pages automatically, by the millions. AI companies need enormous piles of text and images to train their models, and scraping is how they get it.

Your TV's data is much more valuable than it used to be. Major websites have gotten good at spotting scrapers. When thousands of requests pour in from a data center, they block them. So the scrapers found a way around it: route the requests through real homes instead. A request that arrives from a Comcast or T-Mobile customer looks like a regular person checking a page.

So your TV becomes what the trade calls an exit node: the last stop before the website, with the traffic looking like it came from you.

Why the TV and not the phone

If you wanted to pick the perfect device for this, you would pick a smart TV.

A phone has a battery that dies, jumps between networks, and gets locked in your pocket. A TV does none of that. It is plugged into the wall. It is on fast Wi-Fi. It sits in standby all night with nobody watching. Its data use is effectively unlimited, because who checks how much their television downloads? The disclosure where you supposedly agreed to all this is one you clicked through when setting up your TV.

The "free" part isn't free

These are free apps. Little games, screensavers, that sort of thing. The deal they offer is the same one tech companies have used for years. You get the app for nothing, and in exchange the app gets to use your stuff.

The researchers pulled up the consent screen from one of them, a Roku app called Petflix. It tells you that you can watch for free with fewer ads. But really, you are letting Bright Data "occasionally" use your device's resources and your IP address to download public web data, with "occasionally" defined entirely by them.

Here is what "occasionally" looked like underneath. The software's worldwide default budget is 500 megabytes a month. That one app's settings were configured for 200 gigabytes a month. That is a four-hundred-fold difference. I am not saying every app runs at 200 gigabytes, but clearly they are bold enough to exceed the "default".

It gets better. The software has a rule for when your device counts as "idle" and free to go to work. That rule counts you as idle even when the screen is on. Even when you are on a phone call. Idle does not mean you stepped away. It means the chip has a spare moment.

None of this is new. It's just bigger now.

The company behind this software has a history. It used to be called Luminati, and Luminati grew out of a free service called Hola VPN. Back in 2015, people figured out that Hola was selling its free users' bandwidth out the back door through Luminati.

One of the paying customers used that pool of borrowed connections to knock the website 8chan offline. The operator of 8chan put it plainly at the time: Hola had a nine-million-machine army on its hands, and it had started renting it out. Same company. Eleven years later, rebranded as Bright Data, the model has moved off the laptop and onto TVs in the living room.

Bright Data has teeth. Both Meta and X took it to court to stop it from scraping their public data. Both lost. The judges agreed that anything you can see without logging in is fair to collect. Those wins are a big part of why the company is pushing this network so hard.

The researchers found Bright Data publishing a list of its app partners on a page anyone can read. The names include PlayWorks, which makes hundreds of TV games and claims its software reaches a quarter of a billion television homes through carriers like Comcast, Sky, Cox, LG, Samsung, Vizio, and Roku. Other big names are on the list too.

One honest caveat, the same one the researchers make. Being on that list means an app worked with Bright Data at some point. It does not prove your particular app is running this software today. So I am not going to tell you your particular Samsung TV is doing this. I am telling you that certain free apps on these platforms have, and that you cannot tell from the couch which ones they are.


Bright Data's position is that all of this is consensual, that you can opt out in a couple of steps, and that the software only runs when it will not bother you. When some app makers were asked about it, a few stopped answering, and a few pulled the software out of their apps. The researchers emailed the company before publishing. They got no reply.

What this is, and what it isn't

For the average person, the reality is this. Your internet connection, and a little of your power bill, are being spent on a company's product. That alone would be enough to annoy me.

The part that should give you pause is the address. When your TV relays that traffic, your home is the return address on it. If some of those requests are hitting places that fight back, or doing things you would never do, it is your connection that wears it. At a minimum that can mean your own browsing starts getting blocked or stuck behind those "prove you're human" checks.

And the plumbing is sloppy. The researchers found the channel carrying these jobs had almost no security on it, could slip past a VPN on an iPhone, and tied your devices together across platforms behind the scenes. By their measure, it was built worse than the tools criminals use to run actual malware.


To be fair, this is the legal, you-agreed-to-it end of this business. This isn't quite the same as uglier practices. Criminal networks hijack devices nobody has consented to. The FBI warned about it in March: streaming gadgets, picture frames, and routers drafted into hiding someone's crimes behind an ordinary home. The Bright Data story is not that. There is no virus to remove. Nobody broke in. You agreed, on a screen built to be skipped, and that is what makes it shady.

What to do about it

A few steps you can take, none of them drastic:

  • Be choosy about free apps on the TV, especially little games and screensavers. If an app asks to "use your device's resources" or "share your connection" to download "web data," that is the trade. Say no. It's not worth it.
  • Clean house. Go through the apps installed on your TV and delete the free ones you do not use.
  • Stick to names you know. A free game from a publisher you have never heard of is the higher risk. The big streaming apps are not where this is happening.
  • Watch the small signs. A TV that runs warm, or chews through data while it is just sitting there, should be looked at.

The lesson here is not new. If the app is free and there are barely any ads, the thing being sold might be your connection.

If you're feeling a little brave

There is a stronger move, and it lives in your router. You can tell your network to refuse the specific addresses this software phones home to, which shuts off the relay without touching anything you watch.

The researchers published the addresses to block:

  • proxyjs.brdtnet.com
  • proxyjs.luminatinet.com
  • proxyjs.bright-sdk.com
  • clientsdk.bright-sdk.com
  • clientsdk.brdtnet.com

You would add those to a blocklist in your router's DNS settings, or in a tool like NextDNS or Pi-hole if you run one. If that last sentence did not mean much to you, no harm done. The steps above will do the trick.
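
If you do run Pi-hole or another dnsmasq-based resolver, its query log can also show which device on your network is looking up those addresses. The script below is an added example, not code from the researchers or from this post; it assumes dnsmasq's `query[...] name from client` log format, and the sample log lines and LAN addresses in it are constructed.

```python
import re
from collections import defaultdict

# Hostnames from the researchers' published list, as quoted in the article.
BLOCKED = (
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
)
# dnsmasq logs each lookup as: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[[^\]]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def is_listed(name):
    """True for a listed hostname or any subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKED)

def find_relay_lookups(log_lines):
    """Return {client_ip: {hostname: count}} for lookups of listed hostnames."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_RE.search(line)  # reply/forward lines do not match
        if m and is_listed(m.group("name")):
            hits[m.group("client")][m.group("name").lower().rstrip(".")] += 1
    return {client: dict(names) for client, names in hits.items()}

def hosts_blocklist():
    """Hosts-format lines, which Pi-hole accepts as a blocklist."""
    return ["0.0.0.0 " + d for d in BLOCKED]

# Constructed sample log (not real traffic); client IPs are made-up LAN addresses.
SAMPLE_LOG = """\
Jun  9 02:14:07 dnsmasq[812]: query[A] proxyjs.brdtnet.com from 192.168.1.42
Jun  9 02:14:07 dnsmasq[812]: forwarded proxyjs.brdtnet.com to 1.1.1.1
Jun  9 02:14:09 dnsmasq[812]: query[AAAA] ClientSDK.Bright-SDK.com from 192.168.1.42
Jun  9 02:15:30 dnsmasq[812]: query[A] www.example.com from 192.168.1.17
Jun  9 02:16:02 dnsmasq[812]: query[A] notproxyjs.brdtnet.com.example.net from 192.168.1.17
Jun  9 03:01:44 dnsmasq[812]: query[A] proxyjs.brdtnet.com from 192.168.1.42
""".splitlines()

if __name__ == "__main__":
    for client, names in find_relay_lookups(SAMPLE_LOG).items():
        for name, count in sorted(names.items()):
            print(f"{client} looked up {name} {count} time(s)")
    print("\n".join(hosts_blocklist()))
```

The client address it reports is the one to match against your router's device list to find the TV or streaming box, and then the app, behind the lookups.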

If your TV turns out to be running one of these, or you block those addresses and want to tell me how it went, I would like to hear it. You can reach me at joel@freshfromcache.com.

Joel

Sources: Include Security / Buchodi (primary research); The Hacker News; Lowpass; TechSpot (Bright Data's statement); VentureBeat (Meta and X court wins); FBI IC3 PSA, March 12, 2026; PCWorld, 2015 (Hola history).
