You Never Go Full Retard… But This Vizio TV Actually Went There 80 GB/Day Encrypted Firehose From a “Dumb” Camera Monitor We Caught Live

Reader, we engineer and sell these Blackbox EDR/NDR appliances to people who want to know **exactly** what’s happening on their network — no cloud BS, no guessing, just cold hard facts every morning at 6 AM.

On February 13th the daily report for one of our clients hit my screen and my jaw dropped.

Top talker: **192.168.0.137** — **68.4 GB** in 24 hours.

Next day: **69.4 GB**.

Next day: **67.9 GB**.

Average: **70+ GB every single day** for months.

That device? A Vizio V655-H9 65-inch 4K TV (firmware 1.710.30.5-1, last updated February 13 2026 at 7:09 PM) being used as nothing more than a dumb HDMI monitor for security cameras. No apps, no Netflix, no streaming — just a big screen showing camera feeds 24/7. It was turned on once, HDMI plugged in, and left alone.

I told Paul: “Something is very wrong here.” (My sweet fool actually thought it was normal for a “dumb” monitor to eat 70 GB a day. Bless his heart.)

So we went forensic.

First we looked at Zeek conn.log — same story. One IP dominating the entire subnet.

Then we pulled the minute-by-minute tcpdump pcaps from /var/tmp/pcaps and merged five big ones into a clean **vizio-sample.pcap** (609 MB of pure evil).

We ran the killer command:

bash

tshark -r vizio-sample.pcap -Y "ip.addr == 192.168.0.137" -T fields -e frame.time -e ip.dst -e tls.handshake.extensions_server_name -e tcp.len | head -100

The output was damning:

Feb 17, 2026 01:30:01.322901000 PST 99.84.41.83 1428

Feb 17, 2026 01:30:01.322901000 PST 99.84.41.83 97

Feb 17, 2026 01:30:01.334534000 PST 54.91.96.208

Feb 17, 2026 01:30:01.351853000 PST 192.168.0.137 0

Feb 17, 2026 01:30:01.383688000 PST 192.168.0.137 490

Feb 17, 2026 01:30:01.393922000 PST 99.84.41.83 137

Feb 17, 2026 01:30:01.429360000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.429391000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.429417000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.429418000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.429450000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.429450000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.429481000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.429481000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.437271000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.437302000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.437328000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.437328000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.437358000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.437384000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.437411000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.437411000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.437440000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.437466000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.438801000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.442058000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.442117000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.442170000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.443257000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.444945000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.444973000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.444999000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.445039000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.445040000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.445072000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.445072000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.445102000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.445102000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.445132000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.449295000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.453055000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453084000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453111000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453136000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453162000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453162000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453192000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453192000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453222000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453249000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453249000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.453280000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.456413000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.460973000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.461007000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.461007000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.461042000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.461068000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.461095000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.461095000 PST 192.168.0.137 368

Feb 17, 2026 01:30:01.464319000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.469072000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.469102000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.471555000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.471624000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.472925000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.472953000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.475352000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.475462000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.481104000 PST 99.84.41.83 35

Feb 17, 2026 01:30:01.502202000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.502232000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.502232000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.502262000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.506201000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.506232000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.506232000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.506261000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.510051000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.514377000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514406000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514432000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514459000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514485000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514485000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514515000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514515000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514544000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514571000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514571000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.514600000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.517983000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.518122000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.518963000 PST 99.84.41.83 0

Feb 17, 2026 01:30:01.522235000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.522265000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.522291000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.522317000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.522346000 PST 192.168.0.137 1428

Feb 17, 2026 01:30:01.522346000 PST 192.168.0.137 1428

**Translation**:

- **1428 bytes** = large outbound TLS Application Data packets **sent by the TV**.

- **0 bytes** or tiny numbers = inbound ACKs/control packets from the server.

Ratio on the heaviest flows: **56:1 outbound to inbound**. Not bidirectional video exfil. Not normal updates. Just a relentless one-way firehose.

Every big flow went to **99.84.41.83:443** — an Akamai CDN edge node. Specifically, 99.84.41.83 is an **Amazon AWS CloudFront edge server** physically located in **El Segundo, California** (literally a few miles from LAX airport). Vizio rents space on these high-speed Amazon mailboxes so their TVs can upload data quickly and reliably without having to talk all the way back to headquarters. The brief connection also hit **54.91.96.208** — another AWS IP in Ashburn, Virginia. Akamai and AWS are both massive U.S. companies; Vizio itself is owned by Walmart, a 100% American company headquartered in Bentonville, Arkansas.

All of it encrypted TLS 1.3. No plain-text strings we could read, but the volume and pattern screamed **Vizio’s Automatic Content Recognition (ACR / Viewing Data)** running full blast on pure HDMI input — fingerprinting the camera feeds every few seconds, batching the data, and shipping it home to Vizio and its ad partners.

We had already run a full network OpenVAS vulnerability sweep on February 13, 2026. The Vizio TV (192.168.0.137) showed **zero** Medium or High vulnerabilities — only two Low findings (general/icmp and general/tcp). It scanned as perfectly “clean” and legitimate.

Yet it was still dumping 70+ GB a day in encrypted uploads.

This wasn’t a one-time firmware download. Firmware is one-and-done. This was daily, sustained, 70+ GB/day encrypted uploads from a TV that was supposed to be a dumb monitor.

We unplugged the network cable.

The monster vanished from the top talkers instantly.

HDMI cameras still worked perfectly. Zero functionality lost.

**The ugly truth**:

Modern “smart” TVs are not monitors. The second they touch the internet they become surveillance devices. Vizio’s own system watches everything on screen — including external HDMI inputs — turns it into data, and phones home. We caught it because our Blackbox NDR sees every byte.

If we had gotten the green light from the CEO, we would have taken the TV into our lab and sandboxed it, set up a Raspberry Pi as a MITM gateway, installed our own trusted root certificate on the TV, and routed all its traffic through the Pi to decrypt the TLS payloads in real time. That would have let us see exactly what the 1428-byte packets actually contained. But the CEO made the right call — he didn’t want his camera footage continuing to be surveilled and potentially sent off-site. We respected that immediately, unplugged the TV, and protected his privacy.

**What if the device itself is the vulnerability — while acting completely legit?**

This is the new paradigm we have to warn about. Traditional vulnerability scanners like OpenVAS look for known exploits, open ports, and weak configurations. This TV had none of those. It was “clean.” But it was still exfiltrating massive amounts of data every single day. The device wasn’t broken — it was working exactly as designed by its manufacturer. That’s the scary part. Legitimate behavior can still be malicious when the manufacturer’s business model is built on harvesting and monetizing everything the screen shows.

If you have a Vizio (or any smart TV) acting as a monitor, pull the network cable today. Or better yet, replace it with a real dumb display.

We didn’t guess. We pulled the packets and watched it live.

What’s hiding on your network right now?

Stay sharp with our Blackbox EDR/NDR

— SmiteByte’s Femme Fatale (the one who keeps Paul from going full retard) ♡