Half of LG TV apps are exit nodes
Residential proxy SDKs sit in nearly half of LG webOS apps, turning smart TVs into rentable exit nodes LG neither blocks nor detects. The mechanism and telemetry gap.
Researchers tore apart the LG webOS Content Store catalogue and found residential proxy SDKs linked into close to half the apps tested. Not malware. Not a CVE. Commercial proxyware - Bright Data, Infatica, IPRoyal-class libraries - embedded in streaming, utility, and ad-supported apps that pass LG’s store review. Each one converts the television into a network relay. The set’s residential IP becomes a rentable exit node. The household connection is now infrastructure for traffic the owner never sees.
The SDK is the mechanism, and it is mundane. webOS apps are web applications - HTML and JavaScript packaged as .ipk, executed inside the Web Application Manager on a Chromium-derived runtime, talking to system services over the Luna bus. Once an app is granted internet access, egress is unrestricted. There is no per-destination policy, no outbound filtering exposed to the user, no inspection of what a bundled SDK does after load, no SBOM requirement at submission. The proxyware library opens a persistent TLS or WebSocket channel to its operator’s control plane, registers the device by its public IP, and idles. The control plane pushes relay jobs - a destination, a request, sometimes a full session. The SDK performs the fetch from the TV and returns the response upstream. To the network it is outbound TLS from a smart TV app. Nothing in the packet shape says relay.
This is CWE-829 - inclusion of functionality from an untrusted control sphere. The developer integrated a third-party SDK whose behaviour is dictated by a remote operator and paid per active node or per gigabyte relayed. The relayed traffic - its content, its destination, its legality - is outside the developer’s control and entirely outside LG’s. The economics are structural. The developer earns fractions of a cent per gigabyte; the operator resells residential exit capacity at a steep premium. The incentive runs one direction. The trust boundary that should sit between an app and the home network does not exist on this platform. The SDK inherits the TV’s IP, its uptime, and its position behind the household NAT.
The exploit path is not against the TV. The TV is the resource. A buyer rents residential exit capacity from the proxy network and routes traffic through thousands of these nodes. The value is the IP. A residential allocation from Comcast, Telstra, or any consumer ISP carries reputation a datacenter range does not. Cloudflare bot management scores datacenter ASNs aggressively and residential ASNs clean. Account-takeover operators, credential-stuffing rings, scrapers hitting Meta and Instagram graph endpoints, ad-fraud infrastructure, sneaker and ticketing bots, and sanctions-evasion traffic all pay for that clean residential reputation specifically. The TV is the laundering point. Traffic that would be dropped from a VPS exits from a living room and is trusted.
This maps to MITRE ATT&CK T1090.002, External Proxy, and T1090.003, Multi-hop Proxy. The owner is an unwitting node in the relay layer. The same residential-proxy substrate defeats the controls enterprises lean on for identity. Okta ThreatInsight, Microsoft Entra risky sign-in, and impossible-travel logic all weight IP reputation and ASN class. A login from a residential proxy in the target’s own city reads as low risk - the ASN is a consumer ISP, the geo is local, the prior-session distance is short. The signal that should fire does not. That is the entire product. Every proxyware operator advertises location masking, because masking is what the buyers are paying to do.
The ecosystem has a history. Hola VPN sold its users’ idle bandwidth as Luminati exit nodes; in 2015 that network was used to attack 8chan, and the operator confirmed the model rather than deny it. Luminati became Bright Data. The business did not collapse - it professionalised into the largest residential proxy provider on the market. Microsoft has tracked nation-state actors routing through residential proxy networks and SOHO-router botnets to blend with legitimate traffic; Volt Typhoon’s use of compromised home and small-office routers as relay infrastructure is the same pattern with a different acquisition method. Proxyware SDKs reach the identical endpoint through consent buried in an app’s terms of service. The TV opts in on the owner’s behalf, and the disclosure is what reclassifies the behaviour from abuse to policy.
LG’s own posture compounds it. webOS already runs automatic content recognition through the Alphonso stack LG acquired in 2021. The TV samples what is on screen, fingerprints the frame and audio, and ships viewing data to ad infrastructure on a fixed cadence. The device is already an exfiltration endpoint the household does not monitor. Adding proxyware means one unmanaged device both collects telemetry on the home and relays third-party traffic out through its IP. The platform that cannot see its own ACR pipeline being abused will not see a proxy SDK either. Two collection systems, one device, zero owner visibility into either.
Telemetry is where the gap is total. On the device, nothing fires. There is no Sysmon - this is not Windows. There is no EDR for embedded webOS. The Content Store surfaces no runtime telemetry to the owner. The SDK’s outbound connections are indistinguishable from normal app traffic at the process level, because nothing on the TV watches the process level. The only place the behaviour is observable is the network.
On the wire it is detectable. The TV holds persistent outbound TLS to proxy control infrastructure - domains and IP ranges with no relationship to content delivery. SNI values resolve to proxyware operators, not CDNs. DNS shows lookups for control-plane hosts on a heartbeat. Traffic volume is asymmetric and wrong for the device class - a TV relaying sessions pushes and pulls far more than a fixed-bitrate stream justifies, and it does so to destinations that are not video origins. There is a second tell. When the node relays a buyer’s HTTP request, the TLS handshake to the destination is initiated by the SDK’s own HTTP client, so the JA3 or JA4 fingerprint reflects the proxy library while the HTTP layer claims to be Chrome or Safari. The network path says residential, the TLS stack says proxy library, the User-Agent says browser. Cloudflare and Akamai score residential proxies partly on that triad mismatch. Zeek or NetFlow at the perimeter catches the connection pattern outright.
The problem is line of sight. The TV VLAN is almost never instrumented. Consumer households run no egress monitoring at all. In enterprise - lobby displays, conference-room panels, hotel and campus deployments on shared segments - the TV sits behind the corporate egress IP, and its relayed traffic exits under the organisation’s address. Corporate IP reputation degrades from traffic no one authorised, and the address can land on Spamhaus or abuse feeds, breaking legitimate outbound services for the whole site. The device is rarely in the CMDB, never in the asset inventory, and outside NAC scope. A SOC that does monitor that segment sees persistent outbound to unknown infrastructure from a device class nobody owns. Most do not monitor it.
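Turning the wire-level tells above (persistent outbound to non-CDN hosts on a heartbeat, upload volume wrong for the device class) into a check a SOC could run over a TV-VLAN export is straightforward; the Python below is an added example, not code from the research or from LG, and it runs over constructed Zeek-style conn/ssl records with an assumed, partial CDN allowlist and assumed thresholds.

```python
"""Heuristic egress checks over constructed Zeek-style conn/ssl records from a TV VLAN.
Sample data, the CDN allowlist and the thresholds are illustrative assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

CDN_SUFFIXES = (".nflxvideo.net", ".googlevideo.com")  # assumed, partial video-origin allowlist

SAMPLE = (  # each record merges a conn.log row with its ssl.log server_name (SNI)
    # Constructed: streaming segments, irregular timing, download-heavy.
    [{"ts": t, "id.orig_h": "10.20.0.15", "server_name": "ipv4-c001.nflxvideo.net",
      "orig_bytes": 2_000, "resp_bytes": 5_000_000} for t in (0, 7, 31, 44)]
    # Constructed: control-plane heartbeat every 300 s; the TV pushes more than it pulls.
    + [{"ts": 300 * i, "id.orig_h": "10.20.0.15", "server_name": "cp.proxyware.invalid",
        "orig_bytes": 850_000, "resp_bytes": 120_000} for i in range(6)]
)

def is_cdn(sni):
    return any(sni.endswith(s) for s in CDN_SUFFIXES)

def group_flows(records):
    """Bucket flows by (client IP, SNI) so per-destination patterns can be scored."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["id.orig_h"], r["server_name"])].append(r)
    return flows

def beacon_score(timestamps, min_flows=4, max_jitter=0.2):
    """True when inter-arrival gaps are regular (low coefficient of variation)."""
    if len(timestamps) < min_flows:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter

def upload_ratio(records):
    """Bytes the TV sent over bytes it received; a stream should sit well below 1."""
    up, down = sum(r["orig_bytes"] for r in records), sum(r["resp_bytes"] for r in records)
    return up / down if down else float("inf")

def find_suspect_flows(records, max_upload_ratio=0.5):
    """Flag non-CDN destinations that beacon on a fixed cadence or are upload-heavy."""
    hits = []
    for (host, sni), recs in group_flows(records).items():
        if is_cdn(sni):
            continue
        beacon, ratio = beacon_score([r["ts"] for r in recs]), upload_ratio(recs)
        if beacon or ratio > max_upload_ratio:
            hits.append({"host": host, "sni": sni, "beacon": beacon,
                         "upload_ratio": round(ratio, 2)})
    return hits
```

The JA3/JA4-versus-User-Agent mismatch needs ssl.log and http.log joined per connection and is left out here.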
There is no patch boundary here. No CVE, no advisory, no version delta that closes it. The SDKs are spread across the catalogue, so removing one app does not remove the exposure - the next ad-supported app carries a different proxyware library. LG’s store review does not flag the SDK class. webOS exposes no egress control to the owner. The platform neither blocks the relay nor detects it, and because the SDK is disclosed in app terms, it sits as policy rather than vulnerability, which is precisely why it persists. Residual exposure is the steady state. The device will not report it. Network egress monitoring at the perimeter is the only control with line of sight, and the residential-IP value that makes the TV worth renting is the same value that makes its relayed traffic trusted everywhere it lands.