Enterprise technology leaders concerned about data privacy and cybersecurity should be aware of a growing practice: the use of residential internet-of-things devices, particularly smart TVs, as proxy nodes for AI training data scraping. According to security research firm Include Security, the company Bright Data operates what it markets as the world's largest residential proxy network, with over 400 million home IP addresses sourced via a software development kit (SDK) embedded in consumer apps. With user consent, these apps turn phones and smart TVs into exit nodes that paying customers use to scrape web data for AI models.
Why Residential Proxies Matter for AI
AI companies depend on web-scraped content for pre-training, retrieval, agent grounding, and search, Include Security explains. But modern web defenses—including Cloudflare, DataDome, and HUMAN—throttle or block requests from known cloud IP addresses. The workaround is residential proxies: a scraping job routed through a Comcast or T-Mobile subscriber's connection appears to come from a paying residential customer. Krebs reported in October 2025 that "a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various AI projects." Academic measurement going back to 2019 shows these networks are overwhelmingly misused. The FBI issued a formal advisory earlier this year.
Most press has focused on illegal residential-proxy supply—botnets (Aisuru, Kimwolf), trojanized apps (HUMAN Security’s PROXYLIB disclosure), pre-infected IoT hardware (Google/Mandiant’s IPIDEA takedown). Bright Data, however, operates on the legal supply side with a consent-based model, and Include Security found it has received far less scrutiny.
Bright Data's Consent SDK
Bright Data advertises "150M+ IPs" sourced via its consent SDK embedded in partner apps. The SDK, with user agreement, turns devices into exit nodes for its network. Include Security documents that some partner publishers, such as PlayWorks, disclose the Bright Data relationship in their privacy policies. However, the researchers argue that privacy-policy disclosure is the wrong control surface for a TV, since scrolling through a legal document via TV remote arrow keys is cumbersome, and the in-app consent dialog does not convey that a paying Bright Data customer will route scraping traffic through the user's home internet.
Why Connected TV Is the Ultimate Proxy
Include Security compared smart TVs (connected TVs, or CTVs) to mobile phones as proxy nodes and found TVs superior in every relevant dimension:
| Factor | Mobile phone | Smart TV / CTV |
|---|---|---|
| Power | Battery most of the day | Always plugged in |
| Network | WiFi + cellular | Always WiFi, high-speed |
| Uptime | Intermittent | 24/7 in standby |
| Bandwidth ceiling | Low (cellular caps) | Effectively unlimited |
| User attention | Actively used | Often unattended |
| Consent UI | Text on a phone screen | Text navigated via TV remote arrow keys |
| Corporate/family oversight | Higher (MDM, mobile EDR) | Virtually none |

A TV never hits 1% battery, jumps between WiFi networks, or gets locked when the user is asleep, making it a near-perfect residential proxy.
A Representative Case: Petflix on Roku
Include Security highlights Petflix, a Roku app documented by The Verge, as a representative case. Its opt-in screen reads: "To enjoy Petflix for free with fewer ads, you are allowing Brig..." (the source text cuts off). The researchers note that the consent flow does not adequately inform users that their home internet connection will be used for third-party scraping traffic.
Implications for Enterprise Cybersecurity
For enterprise technology buyers, the use of consumer IoT devices—including smart TVs in corporate lobbies, break rooms, or home offices of remote workers—as proxy nodes introduces a new vector for data exfiltration and network contamination. While Bright Data's SDK is consent-based and arguably legal, the lack of transparency in consent UI and the difficulty of auditing device behavior make it challenging for organizations to enforce data security policies. The FBI advisory and academic research showing widespread misuse of such networks underscore the risk. Organizations should consider whether any IoT devices with internet connectivity on their networks could be running similar SDKs, and review their acceptable-use policies for consumer devices in corporate environments.
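One way to begin the device review suggested above is to profile TV-class devices by how many distinct, unexpected destinations they contact, especially while unattended. The sketch below is an added example, not code from Include Security or Bright Data. It assumes flow or TLS SNI logs joined with a device class from an asset inventory; every IP, hostname, allowlist suffix and threshold in it is constructed or hypothetical, and a flagged device is a lead for manual review rather than proof of a proxy SDK.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: destinations this TV fleet is expected to reach (hypothetical names).
EXPECTED_SUFFIXES = (".streaming.example", ".tvvendor.example")
QUIET_HOURS = range(1, 6)  # 01:00-05:59 local, when nobody is watching

def constructed_flows():
    """Constructed sample flows: (timestamp, src_ip, device_class, dst_host)."""
    day = datetime(2025, 1, 10)
    flows = []
    # Lobby TV: evening streaming to a handful of expected hosts.
    for i in range(40):
        flows.append((day + timedelta(hours=19, minutes=i), "10.0.5.21", "tv",
                      f"cdn{i % 3}.streaming.example"))
    # Break-room TV: overnight connections to many unrelated sites.
    for i in range(60):
        flows.append((day + timedelta(hours=1, minutes=4 * i), "10.0.5.22", "tv",
                      f"shop{i}.example"))
    # A laptop browsing widely is normal and out of scope for this check.
    for i in range(80):
        flows.append((day + timedelta(hours=10, minutes=i), "10.0.7.9", "laptop",
                      f"news{i}.example"))
    return flows

def profile_tvs(flows):
    """Per-TV count of distinct unexpected destinations: (total, in quiet hours)."""
    total, quiet = defaultdict(set), defaultdict(set)
    for ts, src, dev_class, host in flows:
        if dev_class != "tv":
            continue
        total[src]  # register the device even if all its traffic is expected
        if host.endswith(EXPECTED_SUFFIXES):
            continue
        total[src].add(host)
        if ts.hour in QUIET_HOURS:
            quiet[src].add(host)
    return {ip: (len(total[ip]), len(quiet[ip])) for ip in total}

def flag_proxy_like(flows, max_unexpected=20, max_quiet=5):
    """TVs whose destination fan-out exceeds both assumed thresholds."""
    return sorted(ip for ip, (n, q) in profile_tvs(flows).items()
                  if n > max_unexpected and q > max_quiet)

if __name__ == "__main__":
    for ip, (n, q) in sorted(profile_tvs(constructed_flows()).items()):
        print(ip, "unexpected hosts:", n, "in quiet hours:", q)
    print("review:", flag_proxy_like(constructed_flows()))
```

Thresholds should be tuned against a baseline of the organization's own TV traffic before the output is used for triage.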