Hacker NewsHacker News
The Smart TV in Your LivingRoom Is a Node in the AIScraping Economy
77 points by nikcub 4 hours ago | 17 comments
xg15 60 minutes ago
> After config fetch, the SDK opens a persistent WebSocket to:

wss://proxyjs.brdtnet.com:443

This hostname resolves to AWS Global Accelerator IPs

There is some irony that both the scrapers and the websites being scraped are probably hosted on AWS, while playing an elaborate cat-and-mouse game pretending that they weren't.

reply
cyanydeez 11 seconds ago
Kind how the American government needs commercial businesses which they poorly regulate so those businesses provide privacy invasions as a legal means to wash their hands.
reply
yodon 15 minutes ago
Naive question: what would I search for to find a tutorial on how to detect this on my devices, which are mostly iOS, or in my home network?

I'd love to find and remove any apps from my devices that have this SDk active.

reply
tisdadd 3 minutes ago
There could be better, but this looked reasonable at first glance if you also have a Mac.

https://www.thequantizer.com/tutorials/wireshark-iphone-traf...

It has been a while since I personally did such traces, but Wireshark was very simple to use and once the network is exposed, it has lots of information available online if you need more.

I found bypassing your VPN particularly appalling, as is the whole thing. Personally, it would be amazing if there were a limit on how much can be in Terms of Service, as no one wants to read that much anymore.

reply
calcifer 33 minutes ago
> The SDK’s config ships a flag “use_netifs”: true. That flag triggers code in the SDK binary that constructs its NWConnection with a specific required interface: en0 (WiFi) or pdp_ip0 (cellular), rather than using the system default route.

> On iOS, this bypasses any configured VPN’s tun0 interface entirely. The peer tunnel does not cross a user-configured VPN, even when the rest of the app’s HTTPS traffic does.

What's a legitimate use case for this API? When/why should an app be allowed to bypass a user-configured VPN?

reply
chmod775 51 seconds ago
> What's a legitimate use case for this API?

When you're the application providing the VPN or when you're an app of the ISP/Cellular Network provider trying to reach something that only exists in that network, not actually on the open internet (or maybe an app to control a home router).

reply
picofarad 10 minutes ago
> When/why should an app be allowed to bypass a user-configured VPN?

temporarily if full tunnelling isn't working, one can split tunnel to route around issues due to VPN

But imo an app should never bypass something like a network boundary.

reply
cobbzilla 2 hours ago
I never connect any “smart” device to wifi. If it doesn’t work without connectivity, I don’t want it. I use my TVs as display devices. They have HDMI-in and that’s it.
reply
lelandfe 53 minutes ago
On my TCL TV, you have to connect it to read the Google policies you are agreeing to. If you don't, you agree to policies unread.

Thankfully, the blast radius of this is nothing without connectivity.

reply
idiotsecant 16 minutes ago
But it lets you continue without reading them? There's a lot of questionable terms of service rules but this one has to be unenforcable.
reply
NewCzech 50 minutes ago
One of the problems I can see here is the problem that running a Tor exit node has: badly behaved users are going to be using it to hide their location.

Imaging having the police show up at your door because they've figured out that you're trafficking child porn, when the actual culprit is someone that is using your TV as a proxy to trade child porn.

reply
skinwill 44 minutes ago
Not if my firewall blocks it from accessing the outside world. (But allows HomeAssistant to control it)
reply
trumpdong 2 hours ago
I find Cloudflare to be more unethical than Bright Data.
reply
xg15 57 minutes ago
Both are causing a dynamic that will lock down the internet evermore for everything straying slightly from the corporate-approved line.

If the divide was data center vs residential IPs, fine, but thanks to Bright Data and friends, residential IPs are getting suspicious as well, so I guess the next step is full-on client verification then...

reply
clvx 49 minutes ago
I wish federal or state laws could force providing transparency because asking for privacy is a dead end at this point. Just force products and providers that run in my home where they phone in. Then, I can decide what to do with that whether I send them to a black hole or let them pass.
reply
ErroneousBosh 7 minutes ago
So wait a second then, it connects out using a websocket to its bot C&C server, right?

Which presumably passes it a URL to scrape and waits for it to return the data.

What happens if I write my own tool that connects to that C&C server, waits for a URL to scrape, and returns gigabytes of freshly brewed hot horseshit?

reply
skywhopper 2 hours ago
Not the one in my living room.
reply