A trio of security threats escalated this week, each attacking trust in a technology millions rely on daily: smart TVs secretly running proxy services, a fresh wave of confusion and risk around Microsoft’s paid Windows 10 security extensions, and a phishing campaign targeting encrypted messenger Signal’s backup feature. On July 3, 2026, Hackaday’s “This Week in Security” roundup spotlighted these three stories, highlighting how seemingly unrelated cracks in consumer tech can expose your data, your network, and your conversations. Here’s what changed, what it means for you, and what to do next.

The Three Threats, Explained

1. Smart TVs Caught Running Hidden Proxy SDKs

Security researchers have long warned that smart TVs collect viewing data. But this week, analysis of certain smart TV models revealed something more invasive: pre-installed software development kits (SDKs) that turn the devices into proxy nodes for third-party services. In simple terms, your TV’s internet connection is being hijacked—not to steal your Netflix password, but to route someone else’s traffic through your home network. This can slow down your connection, eat into data caps, and potentially make your IP address appear responsible for activities you didn’t do.

Which brands are affected? Hackaday’s report didn’t name specific manufacturers, but previous investigations by outlets like Consumer Reports and Ars Technica have flagged similar behavior in budget and name-brand sets alike. The proxy SDKs are often bundled with ad-targeting or “content recommendation” libraries, buried in firmware updates users rarely read. Because smart TV operating systems (like Tizen, webOS, or Roku OS) are closed environments, auditing them is difficult—making this a supply-chain trust problem that lands squarely on the owner’s living room floor.

2. Windows 10 ESU: Extended Support, Extended Risk?

Windows 10’s mainstream support ended in October 2025. For businesses and individuals unwilling or unable to upgrade to Windows 11, Microsoft offers Extended Security Updates (ESU)—for a price. The program delivers monthly patches for critical vulnerabilities, but only to those who enroll and pay. This week’s alert isn’t about a specific zero-day; rather, it’s a reminder that many users still haven’t migrated, and that the ESU licensing maze itself has become an attack surface. Phishing emails posing as “Windows 10 ESU renewal notices” have spiked, tricking recipients into handing over payment details or installing malware disguised as “activation tools.”

Even for legitimate ESU users, there’s a practical catch: deployment is complex, especially in organizations with mixed device fleets. A misconfigured update server, a missed payment, or a lapsed key can leave machines unpatched without any obvious warning. Home users are in an even murkier position—Microsoft originally marketed ESUs primarily to volume–licensing customers, leaving home and SMB users to navigate a confusing web of cloud-solution–provider offerings or risky third-gray-market keys.

3. Signal Backup Phishing: Trust Under Direct Attack

Signal’s end-to-end encryption is the gold standard for private messaging. But the app’s backup feature—designed to let you restore chats on a new phone—has become a phishing vector. Attackers are sending fake “Your Signal backup is corrupted—restore now” messages via SMS and email, luring victims to bogus Signal-themed websites. If a user enters their 30-digit backup passphrase, the attacker can download and decrypt the entire message history from Signal’s servers (for Android) or from iCloud (for iOS). This isn’t a flaw in Signal’s encryption; it’s a direct attack on the human element—the one piece you control.

What makes this campaign particularly dangerous is timing. Signal’s backup system underwent changes in early 2026 to comply with new EU data portability rules, introducing new restore prompts. Many users are unfamiliar with the updated interface, making them more likely to click on a fake alert that mimics the real thing.

What It Means for You

For Home Users

If you own a smart TV, a Windows 10 PC, and use Signal—you’re in the crosshairs of all three stories. The immediate risks are:

  • Smart TV: Your home IP could be blacklisted by streaming services or even flagged by your ISP for suspicious traffic. Worse, if the proxy SDK is part of a botnet, your device could participate in DDoS attacks without your knowledge.
  • Windows 10 ESU: Your PC might miss critical patches, leaving it open to ransomware exploits that have already been fixed in Windows 11. Phishing threats can lead to financial loss or credential theft.
  • Signal: Your private conversations could fall into the hands of scammers, potentially exposing compromising personal or business information.

For IT Administrators

These threats compound in managed environments:

  • Smart TVs in conference rooms or lobbies can act as entry points into corporate networks if they’re on the same VLAN without proper isolation. One compromised TV can pivot to more sensitive systems.
  • Windows 10 ESU mismanagement can create audit nightmares. Compliance frameworks require all endpoints to receive security updates; a lapsed ESU subscription on even a single machine could fail a SOC 2 or ISO audit.
  • Signal is often used for internal comms or client messages. A phishing breach can expose trade secrets, PII, or legal strategy. Signal’s enterprise features don’t exist—so it’s on each user to follow security best practices.

How We Got Here

These three stories didn’t appear overnight. They’re the result of years of industry trends that slowly eroded user trust.

Smart TV spying has been a known issue since at least 2017, when Vizio settled with the FTC for collecting viewing data without consent. Since then, TV manufacturers have shifted their revenue models to subsidize hardware with advertising and data sales. The proxy SDK twist is just the latest iteration—turning your $300 screen into a conscripted edge server.

Windows 10’s ESU program was born of necessity. When Windows 11’s hardware requirements left millions of perfectly capable PCs behind, Microsoft faced a dilemma: cut off security updates and risk a botnet Armageddon, or offer a paid lifeline. The result was a program that works for enterprises with IT departments but leaves everyone else in a gray area. The phishing wave was predictable.

Signal’s backup phishing mirrors attacks that have plagued every major platform. The difference is the sensitivity of the data. Unlike a Gmail account, a Signal message history often contains the most intimate details of a person’s life. The EU’s Digital Markets Act accelerated the backup-interface changes, inadvertently creating a window of confusion attackers were quick to exploit.

What to Do Now

Smart TV Countermeasures

  1. Check your TV’s network activity. Log into your router and look for unusual outbound connections from the TV’s IP, especially to unknown cloud–hosting providers. Tools like Pi-hole can block known telemetry and proxy domains.
  2. Disable ACR (Automatic Content Recognition) and “smart” features. In the TV’s privacy settings, turn off content recognition, voice assistants, and “interactive” suggestions. If you can’t, consider disconnecting the TV from the internet entirely and using an external streaming stick.
  3. Keep firmware updated. Yes, updates often introduce new “features,” but they also close known vulnerabilities. Review the release notes; if a manufacturer is caught bundling proxy SDKs, a fix will likely appear in a subsequent update.

Windows 10 ESU Safety

  1. Verify your license source. If you purchased an ESU key from a third party, ensure it’s through an authorized Microsoft Cloud Solution Provider. Microsoft’s website lists approved partners.
  2. Beware of renewal emails. Microsoft does not send ESU renewal notices via email with clickable links. Always navigate to the Volume Licensing Service Center or your Microsoft 365 admin portal manually.
  3. Plan your exit. ESU is a bridge, not a destination. Windows 10 ESU support ends completely in October 2028. Use the next two years to migrate eligible hardware to Windows 11 or replace unsupported machines. For home users, consider switching to a supported OS like Linux if your workflow permits.

Signal Backup Protection

  1. Never share your backup passphrase. Signal will never ask you for it via any communication channel. If you receive such a request, it’s a scam.
  2. Verify restore prompts. When setting up a new device, always navigate manually to Signal’s settings > Chats > Chat backups. Do not follow links from SMS or email.
  3. Turn off backups if you don’t need them. Signal for Android allows disabling backups entirely (Settings > Chats > Chat backups > Off). For iOS, you can disable iCloud backups for Signal in your device settings, though this means you’ll lose chat history if your phone is lost or wiped.
  4. Use a strong, unique passphrase. A 30-digit numeric code is secure enough, but if you store it in a password manager, ensure that vault is protected with two-factor authentication.

Outlook

These three stories share a common thread: convenience versus security. Smart TVs dual-purpose as proxy servers because it’s profitable and invisible. Windows 10 ESU exists because hardware and software don’t age at the same pace. Signal’s backup phishing works because users want seamless restoration across devices.

The next twelve months will likely bring more disclosures about hidden SDKs in IoT devices, regulatory scrutiny of ESU pricing and accessibility, and adaptive phishing campaigns that copy legitimate interfaces with pixel-perfect precision. For now, the best defense is awareness—and the actionable steps above. Stay skeptical, stay patched, and watch your network.